diff options
Diffstat (limited to 'security/nss/lib/crmf/crmf.h')
-rw-r--r-- | security/nss/lib/crmf/crmf.h | 1741 |
1 files changed, 1741 insertions, 0 deletions
diff --git a/security/nss/lib/crmf/crmf.h b/security/nss/lib/crmf/crmf.h new file mode 100644 index 000000000..c56e28913 --- /dev/null +++ b/security/nss/lib/crmf/crmf.h @@ -0,0 +1,1741 @@ +/* -*- Mode: C; tab-width: 8 -*-*/ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef _CRMF_H_ +#define _CRMF_H_ + +#include "seccomon.h" +#include "cert.h" +#include "crmft.h" +#include "secoid.h" +#include "secpkcs7.h" + +SEC_BEGIN_PROTOS + +/* + * FUNCTION: CRMF_EncodeCertReqMsg + * INPUTS: + * inCertReqMsg + * The Certificate Request Message to be encoded. + * fn + * A Callback function that the ASN1 encoder calls whenever + * the encoder wants to write out some DER encoded bytes. + * arg + * An opaque pointer that gets passed to the function fn + * OUTPUT: + * The function fn will be called multiple times. Look at the + * comments in crmft.h where the CRMFEncoderOutputCallback type is + * defined for information on proper behavior of the function fn. + * RETURN: + * SECSuccess if encoding was successful. Any other return value + * indicates an error occurred during encoding. + */ +extern SECStatus +CRMF_EncodeCertReqMsg(CRMFCertReqMsg *inCertReqMsg, + CRMFEncoderOutputCallback fn, + void *arg); + +/* + * FUNCTION: CRMF_EncoderCertRequest + * INPUTS: + * inCertReq + * The Certificate Request to be encoded. + * fn + * A Callback function that the ASN1 encoder calls whenever + * the encoder wants to write out some DER encoded bytes. + * arg + * An opaque pointer that gets passed to the function fn. + * OUTPUT: + * The function fn will be called, probably multiple times whenever + * the ASN1 encoder wants to write out DER-encoded bytes. Look at the + * comments in crmft.h where the CRMFEncoderOutputCallback type is + * defined for information on proper behavior of the function fn. + * RETURN: + * SECSuccess if encoding was successful. Any other return value + * indicates an error occurred during encoding. + */ +extern SECStatus CRMF_EncodeCertRequest(CRMFCertRequest *inCertReq, + CRMFEncoderOutputCallback fn, + void *arg); +/* + * FUNCTION: CRMF_EncodeCertReqMessages + * INPUTS: + * inCertReqMsgs + * An array of pointers to the Certificate Request Messages + * to encode. The user must place a NULL pointer in the index + * after the last message to be encoded. When the library runs + * into the NULL pointer, the library assumes there are no more + * messages to encode. + * fn + * A Callback function that the ASN1 encoder calls whenever + * the encoder wants to write out some DER encoded byts. + * arg + * An opaque pointer that gets passed to the function fn. + * + * NOTES: + * The parameter inCertReqMsgs needs to be an array with a NULL pointer + * to signal the end of messages. An array in the form of + * {m1, m2, m3, NULL, m4, ...} will only encode the messages m1, m2, and + * m3. All messages from m4 on will not be looked at by the library. + * + * OUTPUT: + * The function fn will be called, probably multiple times. Look at the + * comments in crmft.h where the CRMFEncoderOutputCallback type is + * defined for information on proper behavior of the function fn. + * + * RETURN: + * SECSuccess if encoding the Certificate Request Messages was successful. + * Any other return value indicates an error occurred while encoding the + * certificate request messages. + */ +extern SECStatus +CRMF_EncodeCertReqMessages(CRMFCertReqMsg **inCertReqMsgs, + CRMFEncoderOutputCallback fn, + void *arg); + +/* + * FUNCTION: CRMF_CreateCertReqMsg + * INPUTS: + * NONE + * OUTPUT: + * An empty CRMF Certificate Request Message. + * Before encoding this message, the user must set + * the ProofOfPossession field and the certificate + * request which are necessary for the full message. + * After the user no longer needs this CertReqMsg, + * the user must call CRMF_DestroyCertReqMsg to free + * all memory associated with the Certificate Request + * Message. + * RETURN: + * A pointer to a Certificate Request Message. The user + * must pass the return value of this function to + * CRMF_DestroyCertReqMsg after the Certificate Request + * Message is no longer necessary. + */ +extern CRMFCertReqMsg *CRMF_CreateCertReqMsg(void); + +/* + * FUNCTION: CRMF_DestroyCertReqMsg + * INPUTS: + * inCertReqMsg + * The Certificate Request Message to destroy. + * NOTES: + * This function frees all the memory used for the Certificate + * Request Message and all the memory used in making copies of + * fields of elelments of the message, eg. the Proof Of Possession + * filed and the Cetificate Request. + * RETURN: + * SECSuccess if destruction was successful. Any other return value + * indicates an error while trying to free the memory associated + * with inCertReqMsg. + * + */ +extern SECStatus CRMF_DestroyCertReqMsg(CRMFCertReqMsg *inCertReqMsg); + +/* + * FUNCTION: CRMF_CertReqMsgSetCertRequest + * INPUTS: + * inCertReqMsg + * The Certificate Request Message that the function will set + * the certificate request for. + * inCertReq + * The Certificate Request that will be added to the Certificate + * Request Message. + * NOTES: + * This function will make a copy of the Certificate Request passed in + * and store it as part of the Certificate Request Message. Therefore, + * the user must not call this function until the Certificate Request + * has been fully built and is ready to be encoded. + * RETURN: + * SECSuccess + * If copying the Certificate as a member of the Certificate + * request message was successful. + * Any other return value indicates a failure to copy the Certificate + * Request and make it a part of the Certificate Request Message. + */ +extern SECStatus CRMF_CertReqMsgSetCertRequest(CRMFCertReqMsg *inCertReqMsg, + CRMFCertRequest *inCertReq); + +/* + * FUNCTION: CRMF_CreateCertRequest + * INPUTS: + * inRequestID + * The ID that will be associated with this certificate request. + * OUTPUTS: + * A certificate request which only has the requestID set. + * NOTES: + * The user must call the function CRMF_DestroyCertRequest when + * the returned value is no longer needed. This is usually the + * case after fully constructing the Certificate Request and then + * calling the function CRMF_CertReqMsgSetCertRequest. + * RETURN: + * A pointer to the new Certificate Request. A NULL return value + * indicates an error in creating the Certificate Request. + */ +extern CRMFCertRequest *CRMF_CreateCertRequest(PRUint32 inRequestID); + +/* + * FUNCTION: CRMF_DestroyCertRequest + * INPUTS: + * inCertReq + * The Certificate Request that will be destroyed. + * RETURN: + * SECSuccess + * If freeing the memory associated with the certificate request + * was successful. + * Any other return value indicates an error while trying to free the + * memory. + */ +extern SECStatus CRMF_DestroyCertRequest(CRMFCertRequest *inCertReq); + +/* + * FUNCTION: CRMF_CreateCertExtension + * INPUTS: + * id + * The SECOidTag to associate with this CertExtension. This must + * correspond to a valid Certificate Extension, if not the function + * will fail. + * isCritical + * A boolean value stating if the extension value is crtical. PR_TRUE + * means the value is crtical. PR_FALSE indicates the value is not + * critical. + * data + * This is the data associated with the extension. The user of the + * library is responsible for making sure the value passed in is a + * valid interpretation of the certificate extension. + * NOTES: + * Use this function to create CRMFCertExtension Structures which will + * then be passed to CRMF_AddFieldToCertTemplate as part of the + * CRMFCertCreationInfo.extensions The user must call + * CRMF_DestroyCertExtension after the extension has been added to a certifcate + * and the extension is no longer needed. + * + * RETURN: + * A pointer to a newly created CertExtension. A return value of NULL + * indicates the id passed in was an invalid certificate extension. + */ +extern CRMFCertExtension *CRMF_CreateCertExtension(SECOidTag id, + PRBool isCritical, + SECItem *data); + +/* + * FUNCTION: CMRF_DestroyCertExtension + * INPUTS: + * inExtension + * The Cert Extension to destroy + * NOTES: + * Destroy a structure allocated by CRMF_CreateCertExtension. + * + * RETURN: + * SECSuccess if freeing the memory associated with the certificate extension + * was successful. Any other error indicates an error while freeing the + * memory. + */ +extern SECStatus CRMF_DestroyCertExtension(CRMFCertExtension *inExtension); + +/* + * FUNCTION: CRMF_CertRequestSetTemplateField + * INPUTS: + * inCertReq + * The Certificate Request to operate on. + * inTemplateField + * An enumeration that indicates which field of the Certificate + * template to add. + * data + * A generic pointer that will be type cast according to the + * table under NOTES and used as the key for adding to the + * certificate template; + * NOTES: + * + * Below is a table that tells what type to pass in as data + * depending on the template field one wants to set. + * + * Look in crmft.h for the definition of CRMFCertTemplateField. + * + * In all cases, the library makes copies of the data passed in. + * + * CRMFCertTemplateField Type of data What data means + * --------------------- ------------ --------------- + * crmfVersion long * The version of + * the certificate + * to be created. + * + * crmfSerialNumber long * The serial number + * for the cert to be + * created. + * + * crmfSigningAlg SECAlgorithm * The ASN.1 object ID for + * the algorithm used in encoding + * the certificate. + * + * crmfIssuer CERTName * Certificate Library + * representation of the ASN1 type + * Name from X.509 + * + * crmfValidity CRMFValidityCreationInfo * At least one of the two + * fields in the structure must + * be present. A NULL pointer + * in the structure indicates + * that member should not be + * added. + * + * crmfSubject CERTName * Certificate Library + * representation of the ASN1 type + * Name from X.509 + * + * crmfPublicKey CERTSubjectPublicKeyInfo * The public key info for the + * certificate being requested. + * + * crmfIssuerUID SECItem * A bit string representation + * of the issuer UID. NOTE: The + * length is the number of bits + * and not the number of bytes. + * + * crmfSubjectUID SECItem* A bit string representation + * of the subject UID. NOTE: The + * length is the number of bits + * and not the number of bytes. + * + * crmfExtension CRMFCertExtCreationInfo * A pointer to the structure + * populated with an array of + * of certificate extensions + * and an integer that tells + * how many elements are in the + * array. Look in crmft.h for + * the definition of + * CRMFCertExtCreationInfo + * RETURN: + * SECSuccess if adding the desired field to the template was successful. + * Any other return value indicates failure when trying to add the field + * to the template. + * + */ +extern SECStatus +CRMF_CertRequestSetTemplateField(CRMFCertRequest *inCertReq, + CRMFCertTemplateField inTemplateField, + void *data); + +/* + * FUNCTION: CRMF_CertRequestIsFieldPresent + * INPUTS: + * inCertReq + * The certificate request to operate on. + * inTemplateField + * The enumeration for the template field the user wants to query + * about. + * NOTES: + * This function checks to see if the the field associated with inTemplateField + * enumeration is already present in the certificate request passed in. + * + * RETURN: + * The function returns PR_TRUE if the field associated with inTemplateField + * is already present in the certificate request. If the field is not present + * the function returns PR_FALSE. + */ +extern PRBool +CRMF_CertRequestIsFieldPresent(CRMFCertRequest *inCertReq, + CRMFCertTemplateField inTemplateField); + +/* + * FUNCTION: CRMF_CertRequestIsControlPresent + * INPUTS: + * inCertReq + * The certificate request to operate on. + * inControlType + * The type of control to look for. + * NOTES: + * This function looks at the control present in the certificate request + * and returns PR_TRUE iff a control of type inControlType already exists. + * The CRMF draft does not explicitly state that two controls of the same + * type can not exist within the same request. So the library will not + * cause an error if you try to add a control and one of the same type + * already exists. It is up to the application to ensure that multiple + * controls of the same type do not exist, if that is the desired behavior + * by the application. + * + * RETURN: + * The function returns PR_TRUE if a control of type inControlType already + * exists in the certificate request. If a control of type inControlType + * does not exist, the function will return PR_FALSE. + */ +extern PRBool +CRMF_CertRequestIsControlPresent(CRMFCertRequest *inCertReq, + CRMFControlType inControlType); + +/* + * FUNCTION: CRMF_CertRequestSetRegTokenControl + * INPUTS: + * inCertReq + * The Certificate Request to operate on. + * value + * The UTF8 value which will be the Registration Token Control + * for this Certificate Request. + * NOTES: + * The library does no verification that the value passed in is + * a valid UTF8 value. The caller must make sure of this in order + * to get an encoding that is valid. The library will ultimately + * encode this value as it was passed in. + * RETURN: + * SECSucces on successful addition of the Registration Token Control. + * Any other return value indicates an unsuccessful attempt to add the + * control. + * + */ +extern SECStatus CRMF_CertRequestSetRegTokenControl(CRMFCertRequest *inCertReq, + SECItem *value); + +/* + * FUNCTION: CRMF_CertRequestSetAuthenticatorControl + * INPUTS: + * inCertReq + * The Certificate Request to operate on. + * value + * The UTF8 value that will become the Authenticator Control + * for the passed in Certificate Request. + * NOTES: + * The library does no verification that the value passed in is + * a valid UTF8 value. The caller must make sure of this in order + * to get an encoding that is valid. The library will ultimately + * encode this value as it was passed in. + * RETURN: + * SECSucces on successful addition of the Authenticator Control. + * Any other return value indicates an unsuccessful attempt to add the + * control. + */ +extern SECStatus +CRMF_CertRequestSetAuthenticatorControl(CRMFCertRequest *inCertReq, + SECItem *value); + +/* + * FUNCTION: CRMF_CreateEncryptedKeyWithencryptedValue + * INPUTS: + * inPrivKey + * This is the private key associated with a certificate that is + * being requested. This structure will eventually wind up as + * a part of the PKIArchiveOptions Control. + * inCACert + * This is the certificate for the CA that will be receiving the + * certificate request for the private key passed in. + * OUTPUT: + * A CRMFEncryptedKey that can ultimately be used as part of the + * PKIArchiveOptions Control. + * + * RETURN: + * A pointer to a CRMFEncyptedKey. A NULL return value indicates an erro + * during the creation of the encrypted key. + */ +extern CRMFEncryptedKey * +CRMF_CreateEncryptedKeyWithEncryptedValue(SECKEYPrivateKey *inPrivKey, + CERTCertificate *inCACert); + +/* + * FUNCTION: CRMF_DestroyEncryptedKey + * INPUTS: + * inEncrKey + * The CRMFEncryptedKey to be destroyed. + * NOTES: + * Frees all memory associated with the CRMFEncryptedKey passed in. + * RETURN: + * SECSuccess if freeing the memory was successful. Any other return + * value indicates an error while freeig the memroy. + */ +extern SECStatus CRMF_DestroyEncryptedKey(CRMFEncryptedKey *inEncrKey); + +/* + * FUNCTION: CRMF_CreatePKIArchiveOptions + * INPUTS: + * inType + * An enumeration value indicating which option for + * PKIArchiveOptions to use. + * data + * A pointer that will be type-cast and de-referenced according + * to the table under NOTES. + * NOTES: + * A table listing what should be passed in as data + * ------------------------------------------------ + * + * inType data + * ------ ---- + * crmfEncryptedPrivateKey CRMFEncryptedKey* + * crmfKeyGenParameters SECItem*(This needs to be an octet string) + * crmfArchiveRemGenPrivKey PRBool* + * + * RETURN: + * A pointer the a CRMFPKIArchiveOptions that can be added to a Certificate + * Request. A NULL pointer indicates an error occurred while creating + * the CRMFPKIArchiveOptions Structure. + */ +extern CRMFPKIArchiveOptions * +CRMF_CreatePKIArchiveOptions(CRMFPKIArchiveOptionsType inType, + void *data); +/* + * FUNCTION: CRMF_DestroyPKIArchiveOptions + * INPUTS: + * inArchOpt + * A pointer to the CRMFPKIArchiveOptions structure to free. + * NOTES: + * Will free all memory associated with 'inArchOpt'. + * RETURN: + * SECSuccess if successful in freeing the memory used by 'inArchOpt' + * Any other return value indicates an error while freeing the memory. + */ +extern SECStatus +CRMF_DestroyPKIArchiveOptions(CRMFPKIArchiveOptions *inArchOpt); + +/* + * FUNCTION: CRMF_CertRequestSetPKIArchiveOptions + * INPUTS: + * inCertReq + * The Certificate Request to add the the options to. + * inOptions + * The Archive Options to add to the Certificate Request. + * NOTES: + * Adds the PKIArchiveOption to the Certificate Request. This is what + * enables Key Escrow to take place through CRMF. The library makes + * its own copy of the information. + * RETURN: + * SECSuccess if successful in adding the ArchiveOptions to the Certificate + * request. Any other return value indicates an error when trying to add + * the Archive Options to the Certificate Request. + */ +extern SECStatus +CRMF_CertRequestSetPKIArchiveOptions(CRMFCertRequest *inCertReq, + CRMFPKIArchiveOptions *inOptions); + +/* + * FUNCTION: CRMF_CertReqMsgGetPOPType + * INPUTS: + * inCertReqMsg + * The Certificate Request Message to operate on. + * NOTES: + * Returns an enumeration value indicating the method of Proof + * of Possession that was used for the passed in Certificate Request + * Message. + * RETURN: + * An enumeration indicating what method for Proof Of Possession is + * being used in this Certificate Request Message. Look in the file + * crmft.h for the definition of CRMFPOPChoice for the possible return + * values. + */ +extern CRMFPOPChoice CRMF_CertReqMsgGetPOPType(CRMFCertReqMsg *inCertReqMsg); + +/* + * FUNCTION: CRMF_CertReqMsgSetRAVerifiedPOP + * INPUT: + * InCertReqMsg + * The Certificate Request Message to operate on. + * NOTES: + * This function will set the method of Proof Of Possession to + * crmfRAVerified which means the RA has already verified the + * requester does possess the private key. + * RETURN: + * SECSuccess if adding RAVerified to the message is successful. + * Any other message indicates an error while trying to add RAVerified + * as the Proof of Possession. + */ +extern SECStatus CRMF_CertReqMsgSetRAVerifiedPOP(CRMFCertReqMsg *inCertReqMsg); + +/* + * FUNCTION: CRMF_CertReqMsgSetSignaturePOP + * INPUT: + * inCertReqMsg + * The Certificate Request Message to add the SignaturePOP to. + * inPrivKey + * The Private Key which corresponds to the the Certificate Request + * Message. + * inPubKey + * The Public Key which corresponds to the Private Key passed in. + * inCertForInput + * A Certificate that in the future may be used to create + * POPOSigningKeyInput. + * fn + * A callback for retrieving a password which may be used in the + * future to generate POPOSigningKeyInput. + * arg + * An opaque pointer that would be passed to fn whenever it is + * called. + * NOTES: + * Adds Proof Of Possession to the CertRequest using the signature field + * of the ProofOfPossession field. NOTE: In order to use this option, + * the certificate template must contain the publicKey at the very minimum. + * + * If you don't want the function to generate POPOSigningKeyInput, then + * make sure the cert template already contains the subject and public key + * values. Currently creating POPOSigningKeyInput is not supported, so + * a Message passed to this function must have the publicKey and the subject + * as part of the template + * + * This will take care of creating the entire POPOSigningKey structure + * that will become part of the message. + * + * inPrivKey is the key to be used in the signing operation when creating + * POPOSigningKey structure. This should be the key corresponding to + * the certificate being requested. + * + * inCertForInput will be used if POPOSigningKeyInput needs to be generated. + * It will be used in generating the authInfo.sender field. If the parameter + * is not passed in then authInfo.publicKeyMAC will be generated instead. + * If passed in, this certificate needs to be a valid certificate. + * + * The last 3 arguments are for future compatibility in case we ever want to + * support generating POPOSigningKeyInput. Pass in NULL for all 3 if you + * definitely don't want the function to even try to generate + * POPOSigningKeyInput. If you try to use POPOSigningKeyInput, the function + * will fail. + * + * RETURN: + * SECSuccess if adding the Signature Proof Of Possession worked. + * Any other return value indicates an error in trying to add + * the Signature Proof Of Possession. + */ +extern SECStatus +CRMF_CertReqMsgSetSignaturePOP(CRMFCertReqMsg *inCertReqMsg, + SECKEYPrivateKey *inPrivKey, + SECKEYPublicKey *inPubKey, + CERTCertificate *inCertForInput, + CRMFMACPasswordCallback fn, + void *arg); + +/* + * FUNCTION: CRMF_CertReqMsgSetKeyEnciphermentPOP + * INPUTS: + * inCertReqMsg + * The Certificate Request Message to operate on. + * inKeyChoice + * An enumeration indicating which POPOPrivKey Choice to use + * in constructing the KeyEnciphermentPOP. + * subseqMess + * This parameter must be provided iff inKeyChoice is + * crmfSubsequentMessage. This details how the RA is to respond + * in order to perform Proof Of Possession. Look in crmft.h under + * the definition of CRMFSubseqMessOptions for possible values. + * encPrivKey + * This parameter only needs to be provided if inKeyChoice is + * crmfThisMessage. The item should contain the encrypted private + * key. + * + * NOTES: + * Adds Proof Of Possession using the keyEncipherment field of + * ProofOfPossession. + * + * The function looks at the the inKeyChoice parameter and interprets it in + * in the following manner. + * + * If a parameter is not mentioned under interpretation, the function will not + * look at its value when implementing that case. + * + * inKeyChoice Interpretation + * ----------- -------------- + * crmfThisMessage This options requires that the encrypted private key + * be included in the thisMessage field of POPOPrivKey. + * We don't support this yet, so any clients who want + * to use this feature have to implement a wrapping + * function and agree with the server on how to properly + * wrap the key. That encrypted key must be passed in + * as the encPrivKey parameter. + * + * crmfSubequentMessage Must pass in a value for subseqMess. The value must + * be either CRMFEncrCert or CRMFChallengeResp. The + * parameter encPrivKey will not be looked at in this + * case. + * + * crmfDHMAC This is not a valid option for this function. Passing + * in this value will result in the function returning + * SECFailure. + * RETURN: + * SECSuccess if adding KeyEnciphermentPOP was successful. Any other return + * value indicates an error in adding KeyEnciphermentPOP. + */ +extern SECStatus +CRMF_CertReqMsgSetKeyEnciphermentPOP(CRMFCertReqMsg *inCertReqMsg, + CRMFPOPOPrivKeyChoice inKeyChoice, + CRMFSubseqMessOptions subseqMess, + SECItem *encPrivKey); + +/* + * FUNCTION: CRMF_CertReqMsgSetKeyAgreementPOP + * INPUTS: + * inCertReqMsg + * The Certificate Request Message to operate on. + * inKeyChoice + * An enumeration indicating which POPOPrivKey Choice to use + * in constructing the KeyAgreementPOP. + * subseqMess + * This parameter must be provided iff inKeyChoice is + * crmfSubsequentMessage. This details how the RA is to respond + * in order to perform Proof Of Possession. Look in crmft.h under + * the definition of CRMFSubseqMessOptions for possible values. + * encPrivKey + * This parameter only needs to be provided if inKeyChoice is + * crmfThisMessage. The item should contain the encrypted private + * key. + * Adds Proof Of Possession using the keyAgreement field of + * ProofOfPossession. + * + * The function looks at the the inKeyChoice parameter and interprets it in + * in the following manner. + * + * If a parameter is not mentioned under interpretation, the function will not + * look at its value when implementing that case. + * + * inKeyChoice Interpretation + * ----------- -------------- + * crmfThisMessage This options requires that the encrypted private key + * be included in the thisMessage field of POPOPrivKey. + * We don't support this yet, so any clients who want + * to use this feature have to implement a wrapping + * function and agree with the server on how to properly + * wrap the key. That encrypted key must be passed in + * as the encPrivKey parameter. + * + * crmfSubequentMessage Must pass in a value for subseqMess. The value must + * be either crmfEncrCert or crmfChallengeResp. The + * parameter encPrivKey will not be looked at in this + * case. + * + * crmfDHMAC This option is not supported. + */ +extern SECStatus +CRMF_CertReqMsgSetKeyAgreementPOP(CRMFCertReqMsg *inCertReqMsg, + CRMFPOPOPrivKeyChoice inKeyChoice, + CRMFSubseqMessOptions subseqMess, + SECItem *encPrivKey); + +/* + * FUNCTION: CRMF_CreateCertReqMsgFromDER + * INPUTS: + * buf + * A buffer to the DER-encoded Certificate Request Message. + * len + * The length in bytes of the buffer 'buf' + * NOTES: + * This function passes the buffer to the ASN1 decoder and creates a + * CRMFCertReqMsg structure. Do not try adding any fields to a message + * returned from this function. Specifically adding more Controls or + * Extensions may cause your program to crash. + * + * RETURN: + * A pointer to the Certificate Request Message structure. A NULL return + * value indicates the library was unable to parse the DER. + */ +extern CRMFCertReqMsg *CRMF_CreateCertReqMsgFromDER(const char *buf, long len); + +/* + * FUNCTION: CRMF_CreateCertReqMessagesFromDER + * INPUTS: + * buf + * A buffer to the DER-encoded Certificate Request Messages. + * len + * The length in bytes of buf + * NOTES: + * This function passes the buffer to the ASN1 decoder and creates a + * CRMFCertReqMessages structure. Do not try adding any fields to a message + * derived from this function. Specifically adding more Controls or + * Extensions may cause your program to crash. + * The user must call CRMF_DestroyCertReqMessages after the return value is + * no longer needed, ie when all individual messages have been extracted. + * + * RETURN: + * A pointer to the Certificate Request Messages structure. A NULL return + * value indicates the library was unable to parse the DER. + */ +extern CRMFCertReqMessages * +CRMF_CreateCertReqMessagesFromDER(const char *buf, long len); + +/* + * FUNCTION: CRMF_DestroyCertReqMessages + * INPUTS + * inCertReqMsgs + * The Messages to destroy. + * RETURN: + * SECSuccess if freeing the memory was done successfully. Any other + * return value indicates an error in freeing up memory. + */ +extern SECStatus +CRMF_DestroyCertReqMessages(CRMFCertReqMessages *inCertReqMsgs); + +/* + * FUNCTION: CRMF_CertReqMessagesGetNumMessages + * INPUTS: + * inCertReqMsgs + * The Request Messages to operate on. + * RETURN: + * The number of messages contained in the in the Request Messages + * strucure. + */ +extern int +CRMF_CertReqMessagesGetNumMessages(CRMFCertReqMessages *inCertReqMsgs); + +/* + * FUNCTION: CRMF_CertReqMessagesGetCertReqMsgAtIndex + * INPUTS: + * inReqMsgs + * The Certificate Request Messages to operate on. + * index + * The index of the single message the user wants a copy of. + * NOTES: + * This function returns a copy of the request messages stored at the + * index corresponding to the parameter 'index'. Indexing of the messages + * is done in the same manner as a C array. Meaning the valid index are + * 0...numMessages-1. User must call CRMF_DestroyCertReqMsg when done using + * the return value of this function. + * + * RETURN: + * SECSuccess if copying the message at the requested index was successful. + * Any other return value indicates an invalid index or error while copying + * the single request message. + */ +extern CRMFCertReqMsg * +CRMF_CertReqMessagesGetCertReqMsgAtIndex(CRMFCertReqMessages *inReqMsgs, + int index); + +/* + * FUNCTION: CRMF_CertReqMsgGetID + * INPUTS: + * inCertReqMsg + * The Certificate Request Message to get the ID from. + * destID + * A pointer to where the library can place the ID of the Message. + * RETURN: + * SECSuccess if the function was able to retrieve the ID and place it + * at *destID. Any other return value indicates an error meaning the value + * in *destId is un-reliable and should not be used by the caller of this + * function. + * + */ +extern SECStatus CRMF_CertReqMsgGetID(CRMFCertReqMsg *inCertReqMsg, + long *destID); + +/* + * FUNCTION: CRMF_DoesRequestHaveField + * INPUTS: + * inCertReq + * The Certificate Request to operate on. + * inField + * An enumeration indicating which filed of the certificate template + * to look for. + * NOTES: + * All the fields in a certificate template are optional. This function + * checks to see if the requested field is present. Look in crmft.h at the + * definition of CRMFCertTemplateField for possible values for possible + * querying. + * + * RETURN: + * PR_TRUE iff the field corresponding to 'inField' has been specified as part + * of 'inCertReq' + * PR_FALSE iff the field corresponding to 'inField' has not been speicified + * as part of 'inCertReq' + * + */ +extern PRBool CRMF_DoesRequestHaveField(CRMFCertRequest *inCertReq, + CRMFCertTemplateField inField); + +/* + * FUNCTION: CRMF_CertReqMsgGetCertRequest + * INPUTS: + * inCertReqMsg + * The Certificate Request Message to operate on. + * NOTES: + * This function returns a copy of the Certificate Request to the user. + * The user can keep adding to this request and then making it a part + * of another message. After the user no longer wants to use the + * returned request, the user must call CRMF_DestroyCertRequest and + * pass it the request returned by this function. + * RETURN: + * A pointer to a copy of the certificate request contained by the message. + * A NULL return value indicates an error occurred while copying the + * certificate request. + */ +extern CRMFCertRequest * +CRMF_CertReqMsgGetCertRequest(CRMFCertReqMsg *inCertReqMsg); + +/* + * FUNCTION: CRMF_CertRequestGetCertTemplateVersion + * INPUTS: + * inCertReq + * The Certificate Request to operate on. + * version + * A pointer to where the library can store the version contatined + * in the certificate template within the certifcate request. + * RETURN: + * SECSuccess if the Certificate template contains the version field. In + * this case, *version will hold the value of the certificate template + * version. + * SECFailure indicates that version field was not present as part of + * of the certificate template. + */ +extern SECStatus +CRMF_CertRequestGetCertTemplateVersion(CRMFCertRequest *inCertReq, + long *version); + +/* + * FUNCTION: CRMF_CertRequestGetCertTemplateSerialNumber + * INPUTS: + * inCertReq + * The certificate request to operate on. + * serialNumber + * A pointer where the library can put the serial number contained + * in the certificate request's certificate template. + * RETURN: + * If a serial number exists in the CertTemplate of the request, the function + * returns SECSuccess and the value at *serialNumber contains the serial + * number. + * If no serial number is present, then the function returns SECFailure and + * the value at *serialNumber is un-changed. + */ +extern SECStatus +CRMF_CertRequestGetCertTemplateSerialNumber(CRMFCertRequest *inCertReq, + long *serialNumber); + +/* + * FUNCTION: CRMF_CertRequestGetCertTemplateSigningAlg + * INPUT: + * inCertReq + * The Certificate Request to operate on. + * destAlg + * A Pointer to where the library can place a copy of the signing alg + * used in the cert request's cert template. + * RETURN: + * If the signingAlg is present in the CertRequest's CertTemplate, then + * the function returns SECSuccess and places a copy of sigingAlg in + * *destAlg. + * If no signingAlg is present, then the function returns SECFailure and + * the value at *destAlg is un-changed + */ +extern SECStatus +CRMF_CertRequestGetCertTemplateSigningAlg(CRMFCertRequest *inCertReq, + SECAlgorithmID *destAlg); +/* + * FUNCTION: CRMF_CertRequestGetCertTemplateIssuer + * INPUTS: + * inCertReq + * The Certificate Request to operate on. + * destIssuer + * A pointer to where the library can place a copy of the cert + * request's cert template issuer field. + * RETURN: + * If the issuer is present in the cert request cert template, the function + * returns SECSuccess and places a copy of the issuer in *destIssuer. + * If there is no issuer present, the function returns SECFailure and the + * value at *destIssuer is unchanged. + */ +extern SECStatus +CRMF_CertRequestGetCertTemplateIssuer(CRMFCertRequest *inCertReq, + CERTName *destIssuer); + +/* + * FUNCTION: CRMF_CertRequestGetCertTemplateValidity + * INPUTS: + * inCertReq + * The Certificate Request to operate on. + * destValdity + * A pointer to where the library can place a copy of the validity + * info in the cert request cert template. + * NOTES: + * Pass the pointer to + * RETURN: + * If there is an OptionalValidity field, the function will return SECSuccess + * and place the appropriate values in *destValidity->notBefore and + * *destValidity->notAfter. (Each field is optional, but at least one will + * be present if the function returns SECSuccess) + * + * If there is no OptionalValidity field, the function will return SECFailure + * and the values at *destValidity will be un-changed. + */ +extern SECStatus +CRMF_CertRequestGetCertTemplateValidity(CRMFCertRequest *inCertReq, + CRMFGetValidity *destValidity); +/* + * FUNCTION: CRMF_DestroyGetValidity + * INPUTS: + * inValidity + * A pointer to the memroy to be freed. + * NOTES: + * The function will free the memory allocated by the function + * CRMF_CertRequestGetCertTemplateValidity. That means only memory pointed + * to within the CRMFGetValidity structure. Since + * CRMF_CertRequestGetCertTemplateValidity does not allocate memory for the + * structure passed into it, it will not free it. Meaning this function will + * free the memory at inValidity->notBefore and inValidity->notAfter, but not + * the memory directly at inValdity. + * + * RETURN: + * SECSuccess if freeing the memory was successful. Any other return value + * indicates an error while freeing the memory. + */ +extern SECStatus +CRMF_DestroyGetValidity(CRMFGetValidity *inValidity); + +/* + * FUNCTION: CRMF_CertRequestGetCertTemplateSubject + * INPUTS: + * inCertReq + * The Certificate Request to operate on. + * destSubject + * A pointer to where the library can place a copy of the subject + * contained in the request's cert template. + * RETURN: + * If there is a subject in the CertTemplate, then the function returns + * SECSuccess and a copy of the subject is placed in *destSubject. + * + * If there is no subject, the function returns SECFailure and the values at + * *destSubject is unchanged. + */ +extern SECStatus +CRMF_CertRequestGetCertTemplateSubject(CRMFCertRequest *inCertReq, + CERTName *destSubject); + +/* + * FUNCTION: CRMF_CertRequestGetCertTemplatePublicKey + * INPUTS: + * inCertReq + * The Cert request to operate on. + * destPublicKey + * A pointer to where the library can place a copy of the request's + * cert template public key. + * RETURN: + * If there is a publicKey parameter in the CertRequest, the function returns + * SECSuccess, and places a copy of the publicKey in *destPublicKey. + * + * If there is no publicKey, the function returns SECFailure and the value + * at *destPublicKey is un-changed. + */ +extern SECStatus +CRMF_CertRequestGetCertTemplatePublicKey(CRMFCertRequest *inCertReq, + CERTSubjectPublicKeyInfo *destPublicKey); + +/* + * FUNCTION: CRMF_CertRequestGetCertTemplateIssuerUID + * INPUTS: + * inCertReq + * The Cert request to operate on. + * destIssuerUID + * A pointer to where the library can store a copy of the request's + * cert template destIssuerUID. + * + * NOTES: + * destIssuerUID is a bit string and will be returned in a SECItem as + * a bit string. Meaning the len field contains the number of valid bits as + * opposed to the number of bytes allocated. + * + * RETURN: + * If the CertTemplate has an issuerUID, the function returns SECSuccess and + * places a copy of the issuerUID in *destIssuerUID. + * + * If there is no issuerUID, the function returns SECFailure and the value + * *destIssuerUID is unchanged. + */ +extern SECStatus +CRMF_CertRequestGetCertTemplateIssuerUID(CRMFCertRequest *inCertReq, + SECItem *destIssuerUID); + +/* + * FUNCTION: CRMF_CertRequestGetCertTemplateSubjectUID + * inCertReq + * The Cert request to operate on. + * destSubjectUID + * A pointer to where the library can store a copy of the request's + * cert template destIssuerUID. + * + * NOTES: + * destSubjectUID is a bit string and will be returned in a SECItem as + * a bit string. Meaning the len field contains the number of valid bits as + * opposed to the number of bytes allocated. + * + * RETURN: + * If the CertTemplate has an issuerUID, the function returns SECSuccess and + * places a copy of the issuerUID in *destIssuerUID. + * + * If there is no issuerUID, the function returns SECSuccess and the value + * *destIssuerUID is unchanged. + */ +extern SECStatus CRMF_GetCertTemplateSubjectUID(CRMFCertRequest *inCertReq, + SECItem *destSubjectUID); + +/* + * FUNCTION: CRMF_CertRequestGetNumberOfExtensions + * INPUTS: + * inCertReq + * The cert request to operate on. + * RETURN: + * Returns the number of extensions contained by the Cert Request. + */ +extern int CRMF_CertRequestGetNumberOfExtensions(CRMFCertRequest *inCertReq); + +/* + * FUNCTION: CRMF_CertRequestGetExtensionAtIndex + * INPUTS: + * inCertReq + * The Certificate request to operate on. + * index + * The index of the extension array whihc the user wants to access. + * NOTES: + * This function retrieves the extension at the index corresponding to the + * parameter "index" indicates. Indexing is done like a C array. + * (0 ... numElements-1) + * + * Call CRMF_DestroyCertExtension when done using the return value. + * + * RETURN: + * A pointer to a copy of the extension at the desired index. A NULL + * return value indicates an invalid index or an error while copying + * the extension. + */ +extern CRMFCertExtension * +CRMF_CertRequestGetExtensionAtIndex(CRMFCertRequest *inCertReq, + int index); +/* + * FUNCTION: CRMF_CertExtensionGetOidTag + * INPUTS: + * inExtension + + * The extension to operate on. + * RETURN: + * Returns the SECOidTag associated with the cert extension passed in. + */ +extern SECOidTag CRMF_CertExtensionGetOidTag(CRMFCertExtension *inExtension); + +/* + * FUNCTION: CRMF_CertExtensionGetIsCritical + * INPUT: + * inExt + * The cert extension to operate on. + * + * RETURN: + * PR_TRUE if the extension is critical. + * PR_FALSE if the extension is not critical. + */ +extern PRBool CRMF_CertExtensionGetIsCritical(CRMFCertExtension *inExt); + +/* + * FUNCTION: CRMF_CertExtensionGetValue + * INPUT: + * inExtension + * The extension to operate on. + * NOTES: + * Caller is responsible for freeing the memory associated with the return + * value. Call SECITEM_FreeItem(retVal, PR_TRUE) when done using the return + * value. + * + * RETURN: + * A pointer to an item containig the value for the certificate extension. + * A NULL return value indicates an error in copying the information. + */ +extern SECItem *CRMF_CertExtensionGetValue(CRMFCertExtension *inExtension); + +/* + * FUNCTION: CRMF_CertReqMsgGetPOPOSigningKey + * INPUTS: + * inCertReqMsg + * The certificate request message to operate on. + * destKey + * A pointer to where the library can place a pointer to + * a copy of the Proof Of Possession Signing Key used + * by the message. + * + * RETURN: + * Get the POPOSigningKey associated with this CRMFCertReqMsg. + * If the CertReqMsg does not have a pop, the function returns + * SECFailure and the value at *destKey is un-changed.. + * + * If the CertReqMsg does have a pop, then the CertReqMsg's + * POPOSigningKey will be placed at *destKey. + */ +extern SECStatus +CRMF_CertReqMsgGetPOPOSigningKey(CRMFCertReqMsg *inCertReqMsg, + CRMFPOPOSigningKey **destKey); + +/* + * FUNCTION: CRMF_DestroyPOPOSigningKey + * INPUTS: + * inKey + * The signing key to free. + * + * RETURN: + * SECSuccess if freeing the memory was successful. Any other return value + * indicates an error while freeing memory. + */ +extern SECStatus CRMF_DestroyPOPOSigningKey(CRMFPOPOSigningKey *inKey); + +/* + * FUNCTION: CRMF_POPOSigningKeyGetAlgID + * INPUTS: + * inSignKey + * The Signing Key to operate on. + * RETURN: + * Return the algorithmID used by the CRMFPOPOSigningKey. User must + * call SECOID_DestroyAlgorithmID(destID, PR_TRUE) when done using the + * return value. + */ +extern SECAlgorithmID * +CRMF_POPOSigningKeyGetAlgID(CRMFPOPOSigningKey *inSignKey); + +/* + * FUNCTION: CRMF_POPOSigningKeyGetSignature + * INPUTS: + * inSignKey + * The Signing Key to operate on. + * + * RETURN: + * Get the actual signature stored away in the CRMFPOPOSigningKey. SECItem + * returned is a BIT STRING, so the len field is the number of bits as opposed + * to the total number of bytes allocatd. User must call + * SECITEM_FreeItem(retVal,PR_TRUE) when done using the return value. + */ +extern SECItem *CRMF_POPOSigningKeyGetSignature(CRMFPOPOSigningKey *inSignKey); + +/* + * FUNCTION: CRMF_POPOSigningKeyGetInput + * INPUTS: + * inSignKey + * The Signing Key to operate on. + * NOTES: + * This function will return the der encoded input that was read in while + * decoding. The API does not support this option when creating, so you + * cannot add this field. + * + * RETURN: + * Get the poposkInput that is part of the of the POPOSigningKey. If the + * optional field is not part of the POPOSigningKey, the function returns + * NULL. + * + * If the optional field is part of the POPOSingingKey, the function will + * return a copy of the der encoded poposkInput. + */ +extern SECItem *CRMF_POPOSigningKeyGetInput(CRMFPOPOSigningKey *inSignKey); + +/* + * FUNCTION: CRMF_CertReqMsgGetPOPKeyEncipherment + * INPUTS: + * inCertReqMsg + * The certificate request message to operate on. + * destKey + * A pointer to where the library can place a pointer to a + * copy of the POPOPrivKey representing Key Encipherment + * Proof of Possession. + *NOTES: + * This function gets the POPOPrivKey associated with this CRMFCertReqMsg + * for Key Encipherment. + * + * RETURN: + * If the CertReqMsg did not use Key Encipherment for Proof Of Possession, the + * function returns SECFailure and the value at *destKey is un-changed. + * + * If the CertReqMsg did use Key Encipherment for ProofOfPossession, the + * function returns SECSuccess and places the POPOPrivKey representing the + * Key Encipherment Proof Of Possessin at *destKey. + */ +extern SECStatus +CRMF_CertReqMsgGetPOPKeyEncipherment(CRMFCertReqMsg *inCertReqMsg, + CRMFPOPOPrivKey **destKey); + +/* + * FUNCTION: CRMF_CertReqMsgGetPOPKeyAgreement + * INPUTS: + * inCertReqMsg + * The certificate request message to operate on. + * destKey + * A pointer to where the library can place a pointer to a + * copy of the POPOPrivKey representing Key Agreement + * Proof of Possession. + * NOTES: + * This function gets the POPOPrivKey associated with this CRMFCertReqMsg for + * Key Agreement. + * + * RETURN: + * If the CertReqMsg used Key Agreement for Proof Of Possession, the + * function returns SECSuccess and the POPOPrivKey for Key Agreement + * is placed at *destKey. + * + * If the CertReqMsg did not use Key Agreement for Proof Of Possession, the + * function return SECFailure and the value at *destKey is unchanged. + */ +extern SECStatus +CRMF_CertReqMsgGetPOPKeyAgreement(CRMFCertReqMsg *inCertReqMsg, + CRMFPOPOPrivKey **destKey); + +/* + * FUNCTION: CRMF_DestroyPOPOPrivKey + * INPUTS: + * inPrivKey + * The POPOPrivKey to destroy. + * NOTES: + * Destroy a structure allocated by CRMF_GetPOPKeyEncipherment or + * CRMF_GetPOPKeyAgreement. + * + * RETURN: + * SECSuccess on successful destruction of the POPOPrivKey. + * Any other return value indicates an error in freeing the + * memory. + */ +extern SECStatus CRMF_DestroyPOPOPrivKey(CRMFPOPOPrivKey *inPrivKey); + +/* + * FUNCTION: CRMF_POPOPrivKeyGetChoice + * INPUT: + * inKey + * The POPOPrivKey to operate on. + * RETURN: + * Returns which choice was used in constructing the POPPOPrivKey. Look at + * the definition of CRMFPOPOPrivKeyChoice in crmft.h for the possible return + * values. + */ +extern CRMFPOPOPrivKeyChoice CRMF_POPOPrivKeyGetChoice(CRMFPOPOPrivKey *inKey); + +/* + * FUNCTION: CRMF_POPOPrivKeyGetThisMessage + * INPUTS: + * inKey + * The POPOPrivKey to operate on. + * destString + * A pointer to where the library can place a copy of the This Message + * field stored in the POPOPrivKey + * + * RETURN: + * Returns the field thisMessage from the POPOPrivKey. + * If the POPOPrivKey did not use the field thisMessage, the function + * returns SECFailure and the value at *destString is unchanged. + * + * If the POPOPrivKey did use the field thisMessage, the function returns + * SECSuccess and the BIT STRING representing thisMessage is placed + * at *destString. BIT STRING representation means the len field is the + * number of valid bits as opposed to the total number of bytes. + */ +extern SECStatus CRMF_POPOPrivKeyGetThisMessage(CRMFPOPOPrivKey *inKey, + SECItem *destString); + +/* + * FUNCTION: CRMF_POPOPrivKeyGetSubseqMess + * INPUTS: + * inKey + * The POPOPrivKey to operate on. + * destOpt + * A pointer to where the library can place the value of the + * Subsequent Message option used by POPOPrivKey. + * + * RETURN: + * Retrieves the field subsequentMessage from the POPOPrivKey. + * If the POPOPrivKey used the subsequentMessage option, the function + * returns SECSuccess and places the appropriate enumerated value at + * *destMessageOption. + * + * If the POPOPrivKey did not use the subsequenMessage option, the function + * returns SECFailure and the value at *destOpt is un-changed. + */ +extern SECStatus CRMF_POPOPrivKeyGetSubseqMess(CRMFPOPOPrivKey *inKey, + CRMFSubseqMessOptions *destOpt); + +/* + * FUNCTION: CRMF_POPOPrivKeyGetDHMAC + * INPUTS: + * inKey + * The POPOPrivKey to operate on. + * destMAC + * A pointer to where the library can place a copy of the dhMAC + * field of the POPOPrivKey. + * + * NOTES: + * Returns the field dhMAC from the POPOPrivKey. The populated SECItem + * is in BIT STRING format. + * + * RETURN: + * If the POPOPrivKey used the dhMAC option, the function returns SECSuccess + * and the BIT STRING for dhMAC will be placed at *destMAC. The len field in + * destMAC (ie destMAC->len) will be the valid number of bits as opposed to + * the number of allocated bytes. + * + * If the POPOPrivKey did not use the dhMAC option, the function returns + * SECFailure and the value at *destMAC is unchanged. + * + */ +extern SECStatus CRMF_POPOPrivKeyGetDHMAC(CRMFPOPOPrivKey *inKey, + SECItem *destMAC); + +/* + * FUNCTION: CRMF_CertRequestGetNumControls + * INPUTS: + * inCertReq + * The Certificate Request to operate on. + * RETURN: + * Returns the number of Controls registered with this CertRequest. + */ +extern int CRMF_CertRequestGetNumControls(CRMFCertRequest *inCertReq); + +/* + * FUNCTION: CRMF_CertRequestGetControlAtIndex + * INPUTS: + * inCertReq + * The certificate request to operate on. + * index + * The index of the control the user wants a copy of. + * NOTES: + * Function retrieves the Control at located at index. The Controls + * are numbered like a traditional C array (0 ... numElements-1) + * + * RETURN: + * Returns a copy of the control at the index specified. This is a copy + * so the user must call CRMF_DestroyControl after the return value is no + * longer needed. A return value of NULL indicates an error while copying + * the control or that the index was invalid. + */ +extern CRMFControl * +CRMF_CertRequestGetControlAtIndex(CRMFCertRequest *inCertReq, + int index); + +/* + * FUNCTION: CRMF_DestroyControl + * INPUTS: + * inControl + * The Control to destroy. + * NOTES: + * Destroy a CRMFControl allocated by CRMF_GetControlAtIndex. + * + * RETURN: + * SECSuccess if freeing the memory was successful. Any other return + * value indicates an error while freeing the memory. + */ +extern SECStatus CRMF_DestroyControl(CRMFControl *inControl); + +/* + * FUNCTION: CRMF_ControlGetControlType + * INPUTS: + * inControl + * The control to operate on. + * NOTES: + * The function returns an enumertion which indicates the type of control + * 'inControl'. + * + * RETURN: + * Look in crmft.h at the definition of the enumerated type CRMFControlType + * for the possible return values. + */ +extern CRMFControlType CRMF_ControlGetControlType(CRMFControl *inControl); + +/* + * FUNCTION: CRMF_ControlGetRegTokenControlValue + * INPUTS: + * inControl + * The Control to operate on. + * NOTES: + * The user must call SECITEM_FreeItem passing in the return value + * after the returnvalue is no longer needed. + + * RETURN: + * Return the value for a Registration Token Control. + * The SECItem returned should be in UTF8 format. A NULL + * return value indicates there was no Registration Control associated + * with the Control. + * (This library will not verify format. It assumes the client properly + * formatted the strings when adding it or the message decoded was properly + * formatted. The library will just give back the bytes it was given.) + */ +extern SECItem *CRMF_ControlGetRegTokenControlValue(CRMFControl *inControl); + +/* + * FUNCTION: CRMF_ControlGetAuthenticatorControlValue + * INPUTS: + * inControl + * The Control to operate on. + * NOTES: + * The user must call SECITEM_FreeItem passing in the return value + * after the returnvalue is no longer needed. + * + * RETURN: + * Return the value for the Authenticator Control. + * The SECItem returned should be in UTF8 format. A NULL + * return value indicates there was no Authenticator Control associated + * with the CRMFControl.. + * (This library will not verify format. It assumes the client properly + * formatted the strings when adding it or the message decoded was properly + * formatted. The library will just give back the bytes it was given.) + */ +extern SECItem *CRMF_ControlGetAuthicatorControlValue(CRMFControl *inControl); + +/* + * FUNCTION: CRMF_ControlGetPKIArchiveOptions + * INPUTS:inControl + * The Control tooperate on. + * NOTES: + * This function returns a copy of the PKIArchiveOptions. The user must call + * the function CRMF_DestroyPKIArchiveOptions when the return value is no + * longer needed. + * + * RETURN: + * Get the PKIArchiveOptions associated with the Control. A return + * value of NULL indicates the Control was not a PKIArchiveOptions + * Control. + */ +extern CRMFPKIArchiveOptions * +CRMF_ControlGetPKIArchiveOptions(CRMFControl *inControl); + +/* + * FUNCTION: CMRF_DestroyPKIArchiveOptions + * INPUTS: + * inOptions + * The ArchiveOptions to destroy. + * NOTE: + * Destroy the CRMFPKIArchiveOptions structure. + * + * RETURN: + * SECSuccess if successful in freeing all the memory associated with + * the PKIArchiveOptions. Any other return value indicates an error while + * freeing the PKIArchiveOptions. + */ +extern SECStatus +CRMF_DestroyPKIArchiveOptions(CRMFPKIArchiveOptions *inOptions); + +/* + * FUNCTION: CRMF_PKIArchiveOptionsGetOptionType + * INPUTS: + * inOptions + * The PKIArchiveOptions to operate on. + * RETURN: + * Returns the choice used for the PKIArchiveOptions. Look at the definition + * of CRMFPKIArchiveOptionsType in crmft.h for possible return values. + */ +extern CRMFPKIArchiveOptionsType +CRMF_PKIArchiveOptionsGetOptionType(CRMFPKIArchiveOptions *inOptions); + +/* + * FUNCTION: CRMF_PKIArchiveOptionsGetEncryptedPrivKey + * INPUTS: + * inOpts + * The PKIArchiveOptions to operate on. + * + * NOTES: + * The user must call CRMF_DestroyEncryptedKey when done using this return + * value. + * + * RETURN: + * Get the encryptedPrivKey field of the PKIArchiveOptions structure. + * A return value of NULL indicates that encryptedPrivKey was not used as + * the choice for this PKIArchiveOptions. + */ +extern CRMFEncryptedKey * +CRMF_PKIArchiveOptionsGetEncryptedPrivKey(CRMFPKIArchiveOptions *inOpts); + +/* + * FUNCTION: CRMF_EncryptedKeyGetChoice + * INPUTS: + * inEncrKey + * The EncryptedKey to operate on. + * + * NOTES: + * Get the choice used for representing the EncryptedKey. + * + * RETURN: + * Returns the Choice used in representing the EncryptedKey. Look in + * crmft.h at the definition of CRMFEncryptedKeyChoice for possible return + * values. + */ +extern CRMFEncryptedKeyChoice +CRMF_EncryptedKeyGetChoice(CRMFEncryptedKey *inEncrKey); + +/* + * FUNCTION: CRMF_EncryptedKeyGetEncryptedValue + * INPUTS: + * inKey + * The EncryptedKey to operate on. + * + * NOTES: + * The user must call CRMF_DestroyEncryptedValue passing in + * CRMF_GetEncryptedValue's return value. + * + * RETURN: + * A pointer to a copy of the EncryptedValue contained as a member of + * the EncryptedKey. + */ +extern CRMFEncryptedValue * +CRMF_EncryptedKeyGetEncryptedValue(CRMFEncryptedKey *inKey); + +/* + * FUNCTION: CRMF_DestroyEncryptedValue + * INPUTS: + * inEncrValue + * The EncryptedValue to destroy. + * + * NOTES: + * Free up all memory associated with 'inEncrValue'. + * + * RETURN: + * SECSuccess if freeing up the memory associated with the EncryptedValue + * is successful. Any other return value indicates an error while freeing the + * memory. + */ +extern SECStatus CRMF_DestroyEncryptedValue(CRMFEncryptedValue *inEncrValue); + +/* + * FUNCTION: CRMF_EncryptedValueGetEncValue + * INPUTS: + * inEncValue + * The EncryptedValue to operate on. + * NOTES: + * Function retrieves the encValue from an EncryptedValue structure. + * + * RETURN: + * A poiner to a SECItem containing the encValue of the EncryptedValue + * structure. The return value is in BIT STRING format, meaning the + * len field of the return structure represents the number of valid bits + * as opposed to the allocated number of bytes. + * ANULL return value indicates an error in copying the encValue field. + */ +extern SECItem *CRMF_EncryptedValueGetEncValue(CRMFEncryptedValue *inEncValue); + +/* + * FUNCTION: CRMF_EncryptedValueGetIntendedAlg + * INPUTS + * inEncValue + * The EncryptedValue to operate on. + * NOTES: + * Retrieve the IntendedAlg field from the EncryptedValue structure. + * Call SECOID_DestroyAlgorithmID (destAlgID, PR_TRUE) after done using + * the return value. When present, this alogorithm is the alogrithm for + * which the private key will be used. + * + * RETURN: + * A Copy of the intendedAlg field. A NULL return value indicates the + * optional field was not present in the structure. + */ +extern SECAlgorithmID * +CRMF_EncryptedValueGetIntendedAlg(CRMFEncryptedValue *inEncValue); + +/* + * FUNCTION: CRMF_EncryptedValueGetSymmAlg + * INPUTS + * inEncValue + * The EncryptedValue to operate on. + * NOTES: + * Retrieve the symmAlg field from the EncryptedValue structure. + * Call SECOID_DestroyAlgorithmID (destAlgID, PR_TRUE) after done using + * the return value. When present, this is algorithm used to + * encrypt the encValue of the EncryptedValue. + * + * RETURN: + * A Copy of the symmAlg field. A NULL return value indicates the + * optional field was not present in the structure. + */ +extern SECAlgorithmID * +CRMF_EncryptedValueGetSymmAlg(CRMFEncryptedValue *inEncValue); + +/* + * FUNCTION: CRMF_EncryptedValueGetKeyAlg + * INPUTS + * inEncValue + * The EncryptedValue to operate on. + * NOTES: + * Retrieve the keyAlg field from the EncryptedValue structure. + * Call SECOID_DestroyAlgorithmID (destAlgID, PR_TRUE) after done using + * the return value. When present, this is the algorithm used to encrypt + * the symmetric key in the encSymmKey field of the EncryptedValue structure. + * + * RETURN: + * A Copy of the keyAlg field. A NULL return value indicates the + * optional field was not present in the structure. + */ +extern SECAlgorithmID * +CRMF_EncryptedValueGetKeyAlg(CRMFEncryptedValue *inEncValue); + +/* + * FUNCTION: CRMF_EncryptedValueGetValueHint + * INPUTS: + * inEncValue + * The EncryptedValue to operate on. + * + * NOTES: + * Return a copy of the der-encoded value hint. + * User must call SECITEM_FreeItem(retVal, PR_TRUE) when done using the + * return value. When, present, this is a value that the client which + * originally issued a certificate request can use to reproduce any data + * it wants. The RA does not know how to interpret this data. + * + * RETURN: + * A copy of the valueHint field of the EncryptedValue. A NULL return + * value indicates the optional valueHint field is not present in the + * EncryptedValue. + */ +extern SECItem * +CRMF_EncryptedValueGetValueHint(CRMFEncryptedValue *inEncValue); + +/* + * FUNCTION: CRMF_EncrypteValueGetEncSymmKey + * INPUTS: + * inEncValue + * The EncryptedValue to operate on. + * + * NOTES: + * Return a copy of the encSymmKey field. This field is the encrypted + * symmetric key that the client uses in doing Public Key wrap of a private + * key. When present, this is the symmetric key that was used to wrap the + * private key. (The encrypted private key will be stored in encValue + * of the same EncryptedValue structure.) The user must call + * SECITEM_FreeItem(retVal, PR_TRUE) when the return value is no longer + * needed. + * + * RETURN: + * A copy of the optional encSymmKey field of the EncryptedValue structure. + * The return value will be in BIT STRING format, meaning the len field will + * be the number of valid bits as opposed to the number of bytes. A return + * value of NULL means the optional encSymmKey field was not present in + * the EncryptedValue structure. + */ +extern SECItem * +CRMF_EncryptedValueGetEncSymmKey(CRMFEncryptedValue *inEncValue); + +/* + * FUNCTION: CRMF_PKIArchiveOptionsGetKeyGenParameters + * INPUTS: + * inOptions + * The PKiArchiveOptions to operate on. + * + * NOTES: + * User must call SECITEM_FreeItem(retVal, PR_TRUE) after the return + * value is no longer needed. + * + * RETURN: + * Get the keyGenParameters field of the PKIArchiveOptions. + * A NULL return value indicates that keyGenParameters was not + * used as the choice for this PKIArchiveOptions. + * + * The SECItem returned is in BIT STRING format (ie, the len field indicates + * number of valid bits as opposed to allocated number of bytes.) + */ +extern SECItem * +CRMF_PKIArchiveOptionsGetKeyGenParameters(CRMFPKIArchiveOptions *inOptions); + +/* + * FUNCTION: CRMF_PKIArchiveOptionsGetArchiveRemGenPrivKey + * INPUTS: + * inOpt + * The PKIArchiveOptions to operate on. + * destVal + * A pointer to where the library can place the value for + * arciveRemGenPrivKey + * RETURN: + * If the PKIArchiveOptions used the archiveRemGenPrivKey field, the + * function returns SECSuccess and fills the value at *destValue with either + * PR_TRUE or PR_FALSE, depending on what the PKIArchiveOptions has as a + * value. + * + * If the PKIArchiveOptions does not use the archiveRemGenPrivKey field, the + * function returns SECFailure and the value at *destValue is unchanged. + */ +extern SECStatus +CRMF_PKIArchiveOptionsGetArchiveRemGenPrivKey(CRMFPKIArchiveOptions *inOpt, + PRBool *destVal); + +/* Helper functions that can be used by other libraries. */ +/* + * A quick helper function to get the best wrap mechanism. + */ +extern CK_MECHANISM_TYPE CRMF_GetBestWrapPadMechanism(PK11SlotInfo *slot); + +/* + * A helper function to get a randomly generated IV from a mechanism + * type. + */ +extern SECItem *CRMF_GetIVFromMechanism(CK_MECHANISM_TYPE mechType); + +SEC_END_PROTOS +#endif /*_CRMF_H_*/ |