/* -*- Mode: C; tab-width: 8 -*-*/
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _CRMF_H_
#define _CRMF_H_
#include "seccomon.h"
#include "cert.h"
#include "crmft.h"
#include "secoid.h"
#include "secpkcs7.h"
SEC_BEGIN_PROTOS
/*
* FUNCTION: CRMF_EncodeCertReqMsg
* INPUTS:
* inCertReqMsg
* The Certificate Request Message to be encoded.
* fn
* A Callback function that the ASN1 encoder calls whenever
* the encoder wants to write out some DER encoded bytes.
* arg
* An opaque pointer that gets passed to the function fn
* OUTPUT:
* The function fn will be called multiple times. Look at the
* comments in crmft.h where the CRMFEncoderOutputCallback type is
* defined for information on proper behavior of the function fn.
* RETURN:
* SECSuccess if encoding was successful. Any other return value
* indicates an error occurred during encoding.
*/
extern SECStatus
CRMF_EncodeCertReqMsg(CRMFCertReqMsg *inCertReqMsg,
CRMFEncoderOutputCallback fn,
void *arg);
/*
* FUNCTION: CRMF_EncoderCertRequest
* INPUTS:
* inCertReq
* The Certificate Request to be encoded.
* fn
* A Callback function that the ASN1 encoder calls whenever
* the encoder wants to write out some DER encoded bytes.
* arg
* An opaque pointer that gets passed to the function fn.
* OUTPUT:
* The function fn will be called, probably multiple times whenever
* the ASN1 encoder wants to write out DER-encoded bytes. Look at the
* comments in crmft.h where the CRMFEncoderOutputCallback type is
* defined for information on proper behavior of the function fn.
* RETURN:
* SECSuccess if encoding was successful. Any other return value
* indicates an error occurred during encoding.
*/
extern SECStatus CRMF_EncodeCertRequest(CRMFCertRequest *inCertReq,
CRMFEncoderOutputCallback fn,
void *arg);
/*
* FUNCTION: CRMF_EncodeCertReqMessages
* INPUTS:
* inCertReqMsgs
* An array of pointers to the Certificate Request Messages
* to encode. The user must place a NULL pointer in the index
* after the last message to be encoded. When the library runs
* into the NULL pointer, the library assumes there are no more
* messages to encode.
* fn
* A Callback function that the ASN1 encoder calls whenever
* the encoder wants to write out some DER encoded byts.
* arg
* An opaque pointer that gets passed to the function fn.
*
* NOTES:
* The parameter inCertReqMsgs needs to be an array with a NULL pointer
* to signal the end of messages. An array in the form of
* {m1, m2, m3, NULL, m4, ...} will only encode the messages m1, m2, and
* m3. All messages from m4 on will not be looked at by the library.
*
* OUTPUT:
* The function fn will be called, probably multiple times. Look at the
* comments in crmft.h where the CRMFEncoderOutputCallback type is
* defined for information on proper behavior of the function fn.
*
* RETURN:
* SECSuccess if encoding the Certificate Request Messages was successful.
* Any other return value indicates an error occurred while encoding the
* certificate request messages.
*/
extern SECStatus
CRMF_EncodeCertReqMessages(CRMFCertReqMsg **inCertReqMsgs,
CRMFEncoderOutputCallback fn,
void *arg);
/*
* FUNCTION: CRMF_CreateCertReqMsg
* INPUTS:
* NONE
* OUTPUT:
* An empty CRMF Certificate Request Message.
* Before encoding this message, the user must set
* the ProofOfPossession field and the certificate
* request which are necessary for the full message.
* After the user no longer needs this CertReqMsg,
* the user must call CRMF_DestroyCertReqMsg to free
* all memory associated with the Certificate Request
* Message.
* RETURN:
* A pointer to a Certificate Request Message. The user
* must pass the return value of this function to
* CRMF_DestroyCertReqMsg after the Certificate Request
* Message is no longer necessary.
*/
extern CRMFCertReqMsg *CRMF_CreateCertReqMsg(void);
/*
* FUNCTION: CRMF_DestroyCertReqMsg
* INPUTS:
* inCertReqMsg
* The Certificate Request Message to destroy.
* NOTES:
* This function frees all the memory used for the Certificate
* Request Message and all the memory used in making copies of
* fields of elelments of the message, eg. the Proof Of Possession
* filed and the Cetificate Request.
* RETURN:
* SECSuccess if destruction was successful. Any other return value
* indicates an error while trying to free the memory associated
* with inCertReqMsg.
*
*/
extern SECStatus CRMF_DestroyCertReqMsg(CRMFCertReqMsg *inCertReqMsg);
/*
* FUNCTION: CRMF_CertReqMsgSetCertRequest
* INPUTS:
* inCertReqMsg
* The Certificate Request Message that the function will set
* the certificate request for.
* inCertReq
* The Certificate Request that will be added to the Certificate
* Request Message.
* NOTES:
* This function will make a copy of the Certificate Request passed in
* and store it as part of the Certificate Request Message. Therefore,
* the user must not call this function until the Certificate Request
* has been fully built and is ready to be encoded.
* RETURN:
* SECSuccess
* If copying the Certificate as a member of the Certificate
* request message was successful.
* Any other return value indicates a failure to copy the Certificate
* Request and make it a part of the Certificate Request Message.
*/
extern SECStatus CRMF_CertReqMsgSetCertRequest(CRMFCertReqMsg *inCertReqMsg,
CRMFCertRequest *inCertReq);
/*
* FUNCTION: CRMF_CreateCertRequest
* INPUTS:
* inRequestID
* The ID that will be associated with this certificate request.
* OUTPUTS:
* A certificate request which only has the requestID set.
* NOTES:
* The user must call the function CRMF_DestroyCertRequest when
* the returned value is no longer needed. This is usually the
* case after fully constructing the Certificate Request and then
* calling the function CRMF_CertReqMsgSetCertRequest.
* RETURN:
* A pointer to the new Certificate Request. A NULL return value
* indicates an error in creating the Certificate Request.
*/
extern CRMFCertRequest *CRMF_CreateCertRequest(PRUint32 inRequestID);
/*
* FUNCTION: CRMF_DestroyCertRequest
* INPUTS:
* inCertReq
* The Certificate Request that will be destroyed.
* RETURN:
* SECSuccess
* If freeing the memory associated with the certificate request
* was successful.
* Any other return value indicates an error while trying to free the
* memory.
*/
extern SECStatus CRMF_DestroyCertRequest(CRMFCertRequest *inCertReq);
/*
* FUNCTION: CRMF_CreateCertExtension
* INPUTS:
* id
* The SECOidTag to associate with this CertExtension. This must
* correspond to a valid Certificate Extension, if not the function
* will fail.
* isCritical
* A boolean value stating if the extension value is crtical. PR_TRUE
* means the value is crtical. PR_FALSE indicates the value is not
* critical.
* data
* This is the data associated with the extension. The user of the
* library is responsible for making sure the value passed in is a
* valid interpretation of the certificate extension.
* NOTES:
* Use this function to create CRMFCertExtension Structures which will
* then be passed to CRMF_AddFieldToCertTemplate as part of the
* CRMFCertCreationInfo.extensions The user must call
* CRMF_DestroyCertExtension after the extension has been added to a certifcate
* and the extension is no longer needed.
*
* RETURN:
* A pointer to a newly created CertExtension. A return value of NULL
* indicates the id passed in was an invalid certificate extension.
*/
extern CRMFCertExtension *CRMF_CreateCertExtension(SECOidTag id,
PRBool isCritical,
SECItem *data);
/*
* FUNCTION: CMRF_DestroyCertExtension
* INPUTS:
* inExtension
* The Cert Extension to destroy
* NOTES:
* Destroy a structure allocated by CRMF_CreateCertExtension.
*
* RETURN:
* SECSuccess if freeing the memory associated with the certificate extension
* was successful. Any other error indicates an error while freeing the
* memory.
*/
extern SECStatus CRMF_DestroyCertExtension(CRMFCertExtension *inExtension);
/*
* FUNCTION: CRMF_CertRequestSetTemplateField
* INPUTS:
* inCertReq
* The Certificate Request to operate on.
* inTemplateField
* An enumeration that indicates which field of the Certificate
* template to add.
* data
* A generic pointer that will be type cast according to the
* table under NOTES and used as the key for adding to the
* certificate template;
* NOTES:
*
* Below is a table that tells what type to pass in as data
* depending on the template field one wants to set.
*
* Look in crmft.h for the definition of CRMFCertTemplateField.
*
* In all cases, the library makes copies of the data passed in.
*
* CRMFCertTemplateField Type of data What data means
* --------------------- ------------ ---------------
* crmfVersion long * The version of
* the certificate
* to be created.
*
* crmfSerialNumber long * The serial number
* for the cert to be
* created.
*
* crmfSigningAlg SECAlgorithm * The ASN.1 object ID for
* the algorithm used in encoding
* the certificate.
*
* crmfIssuer CERTName * Certificate Library
* representation of the ASN1 type
* Name from X.509
*
* crmfValidity CRMFValidityCreationInfo * At least one of the two
* fields in the structure must
* be present. A NULL pointer
* in the structure indicates
* that member should not be
* added.
*
* crmfSubject CERTName * Certificate Library
* representation of the ASN1 type
* Name from X.509
*
* crmfPublicKey CERTSubjectPublicKeyInfo * The public key info for the
* certificate being requested.
*
* crmfIssuerUID SECItem * A bit string representation
* of the issuer UID. NOTE: The
* length is the number of bits
* and not the number of bytes.
*
* crmfSubjectUID SECItem* A bit string representation
* of the subject UID. NOTE: The
* length is the number of bits
* and not the number of bytes.
*
* crmfExtension CRMFCertExtCreationInfo * A pointer to the structure
* populated with an array of
* of certificate extensions
* and an integer that tells
* how many elements are in the
* array. Look in crmft.h for
* the definition of
* CRMFCertExtCreationInfo
* RETURN:
* SECSuccess if adding the desired field to the template was successful.
* Any other return value indicates failure when trying to add the field
* to the template.
*
*/
extern SECStatus
CRMF_CertRequestSetTemplateField(CRMFCertRequest *inCertReq,
CRMFCertTemplateField inTemplateField,
void *data);
/*
* FUNCTION: CRMF_CertRequestIsFieldPresent
* INPUTS:
* inCertReq
* The certificate request to operate on.
* inTemplateField
* The enumeration for the template field the user wants to query
* about.
* NOTES:
* This function checks to see if the the field associated with inTemplateField
* enumeration is already present in the certificate request passed in.
*
* RETURN:
* The function returns PR_TRUE if the field associated with inTemplateField
* is already present in the certificate request. If the field is not present
* the function returns PR_FALSE.
*/
extern PRBool
CRMF_CertRequestIsFieldPresent(CRMFCertRequest *inCertReq,
CRMFCertTemplateField inTemplateField);
/*
* FUNCTION: CRMF_CertRequestIsControlPresent
* INPUTS:
* inCertReq
* The certificate request to operate on.
* inControlType
* The type of control to look for.
* NOTES:
* This function looks at the control present in the certificate request
* and returns PR_TRUE iff a control of type inControlType already exists.
* The CRMF draft does not explicitly state that two controls of the same
* type can not exist within the same request. So the library will not
* cause an error if you try to add a control and one of the same type
* already exists. It is up to the application to ensure that multiple
* controls of the same type do not exist, if that is the desired behavior
* by the application.
*
* RETURN:
* The function returns PR_TRUE if a control of type inControlType already
* exists in the certificate request. If a control of type inControlType
* does not exist, the function will return PR_FALSE.
*/
extern PRBool
CRMF_CertRequestIsControlPresent(CRMFCertRequest *inCertReq,
CRMFControlType inControlType);
/*
* FUNCTION: CRMF_CertRequestSetRegTokenControl
* INPUTS:
* inCertReq
* The Certificate Request to operate on.
* value
* The UTF8 value which will be the Registration Token Control
* for this Certificate Request.
* NOTES:
* The library does no verification that the value passed in is
* a valid UTF8 value. The caller must make sure of this in order
* to get an encoding that is valid. The library will ultimately
* encode this value as it was passed in.
* RETURN:
* SECSucces on successful addition of the Registration Token Control.
* Any other return value indicates an unsuccessful attempt to add the
* control.
*
*/
extern SECStatus CRMF_CertRequestSetRegTokenControl(CRMFCertRequest *inCertReq,
SECItem *value);
/*
* FUNCTION: CRMF_CertRequestSetAuthenticatorControl
* INPUTS:
* inCertReq
* The Certificate Request to operate on.
* value
* The UTF8 value that will become the Authenticator Control
* for the passed in Certificate Request.
* NOTES:
* The library does no verification that the value passed in is
* a valid UTF8 value. The caller must make sure of this in order
* to get an encoding that is valid. The library will ultimately
* encode this value as it was passed in.
* RETURN:
* SECSucces on successful addition of the Authenticator Control.
* Any other return value indicates an unsuccessful attempt to add the
* control.
*/
extern SECStatus
CRMF_CertRequestSetAuthenticatorControl(CRMFCertRequest *inCertReq,
SECItem *value);
/*
* FUNCTION: CRMF_CreateEncryptedKeyWithencryptedValue
* INPUTS:
* inPrivKey
* This is the private key associated with a certificate that is
* being requested. This structure will eventually wind up as
* a part of the PKIArchiveOptions Control.
* inCACert
* This is the certificate for the CA that will be receiving the
* certificate request for the private key passed in.
* OUTPUT:
* A CRMFEncryptedKey that can ultimately be used as part of the
* PKIArchiveOptions Control.
*
* RETURN:
* A pointer to a CRMFEncyptedKey. A NULL return value indicates an erro
* during the creation of the encrypted key.
*/
extern CRMFEncryptedKey *
CRMF_CreateEncryptedKeyWithEncryptedValue(SECKEYPrivateKey *inPrivKey,
CERTCertificate *inCACert);
/*
* FUNCTION: CRMF_DestroyEncryptedKey
* INPUTS:
* inEncrKey
* The CRMFEncryptedKey to be destroyed.
* NOTES:
* Frees all memory associated with the CRMFEncryptedKey passed in.
* RETURN:
* SECSuccess if freeing the memory was successful. Any other return
* value indicates an error while freeig the memroy.
*/
extern SECStatus CRMF_DestroyEncryptedKey(CRMFEncryptedKey *inEncrKey);
/*
* FUNCTION: CRMF_CreatePKIArchiveOptions
* INPUTS:
* inType
* An enumeration value indicating which option for
* PKIArchiveOptions to use.
* data
* A pointer that will be type-cast and de-referenced according
* to the table under NOTES.
* NOTES:
* A table listing what should be passed in as data
* ------------------------------------------------
*
* inType data
* ------ ----
* crmfEncryptedPrivateKey CRMFEncryptedKey*
* crmfKeyGenParameters SECItem*(This needs to be an octet string)
* crmfArchiveRemGenPrivKey PRBool*
*
* RETURN:
* A pointer the a CRMFPKIArchiveOptions that can be added to a Certificate
* Request. A NULL pointer indicates an error occurred while creating
* the CRMFPKIArchiveOptions Structure.
*/
extern CRMFPKIArchiveOptions *
CRMF_CreatePKIArchiveOptions(CRMFPKIArchiveOptionsType inType,
void *data);
/*
* FUNCTION: CRMF_DestroyPKIArchiveOptions
* INPUTS:
* inArchOpt
* A pointer to the CRMFPKIArchiveOptions structure to free.
* NOTES:
* Will free all memory associated with 'inArchOpt'.
* RETURN:
* SECSuccess if successful in freeing the memory used by 'inArchOpt'
* Any other return value indicates an error while freeing the memory.
*/
extern SECStatus
CRMF_DestroyPKIArchiveOptions(CRMFPKIArchiveOptions *inArchOpt);
/*
* FUNCTION: CRMF_CertRequestSetPKIArchiveOptions
* INPUTS:
* inCertReq
* The Certificate Request to add the the options to.
* inOptions
* The Archive Options to add to the Certificate Request.
* NOTES:
* Adds the PKIArchiveOption to the Certificate Request. This is what
* enables Key Escrow to take place through CRMF. The library makes
* its own copy of the information.
* RETURN:
* SECSuccess if successful in adding the ArchiveOptions to the Certificate
* request. Any other return value indicates an error when trying to add
* the Archive Options to the Certificate Request.
*/
extern SECStatus
CRMF_CertRequestSetPKIArchiveOptions(CRMFCertRequest *inCertReq,
CRMFPKIArchiveOptions *inOptions);
/*
* FUNCTION: CRMF_CertReqMsgGetPOPType
* INPUTS:
* inCertReqMsg
* The Certificate Request Message to operate on.
* NOTES:
* Returns an enumeration value indicating the method of Proof
* of Possession that was used for the passed in Certificate Request
* Message.
* RETURN:
* An enumeration indicating what method for Proof Of Possession is
* being used in this Certificate Request Message. Look in the file
* crmft.h for the definition of CRMFPOPChoice for the possible return
* values.
*/
extern CRMFPOPChoice CRMF_CertReqMsgGetPOPType(CRMFCertReqMsg *inCertReqMsg);
/*
* FUNCTION: CRMF_CertReqMsgSetRAVerifiedPOP
* INPUT:
* InCertReqMsg
* The Certificate Request Message to operate on.
* NOTES:
* This function will set the method of Proof Of Possession to
* crmfRAVerified which means the RA has already verified the
* requester does possess the private key.
* RETURN:
* SECSuccess if adding RAVerified to the message is successful.
* Any other message indicates an error while trying to add RAVerified
* as the Proof of Possession.
*/
extern SECStatus CRMF_CertReqMsgSetRAVerifiedPOP(CRMFCertReqMsg *inCertReqMsg);
/*
* FUNCTION: CRMF_CertReqMsgSetSignaturePOP
* INPUT:
* inCertReqMsg
* The Certificate Request Message to add the SignaturePOP to.
* inPrivKey
* The Private Key which corresponds to the the Certificate Request
* Message.
* inPubKey
* The Public Key which corresponds to the Private Key passed in.
* inCertForInput
* A Certificate that in the future may be used to create
* POPOSigningKeyInput.
* fn
* A callback for retrieving a password which may be used in the
* future to generate POPOSigningKeyInput.
* arg
* An opaque pointer that would be passed to fn whenever it is
* called.
* NOTES:
* Adds Proof Of Possession to the CertRequest using the signature field
* of the ProofOfPossession field. NOTE: In order to use this option,
* the certificate template must contain the publicKey at the very minimum.
*
* If you don't want the function to generate POPOSigningKeyInput, then
* make sure the cert template already contains the subject and public key
* values. Currently creating POPOSigningKeyInput is not supported, so
* a Message passed to this function must have the publicKey and the subject
* as part of the template
*
* This will take care of creating the entire POPOSigningKey structure
* that will become part of the message.
*
* inPrivKey is the key to be used in the signing operation when creating
* POPOSigningKey structure. This should be the key corresponding to
* the certificate being requested.
*
* inCertForInput will be used if POPOSigningKeyInput needs to be generated.
* It will be used in generating the authInfo.sender field. If the parameter
* is not passed in then authInfo.publicKeyMAC will be generated instead.
* If passed in, this certificate needs to be a valid certificate.
*
* The last 3 arguments are for future compatibility in case we ever want to
* support generating POPOSigningKeyInput. Pass in NULL for all 3 if you
* definitely don't want the function to even try to generate
* POPOSigningKeyInput. If you try to use POPOSigningKeyInput, the function
* will fail.
*
* RETURN:
* SECSuccess if adding the Signature Proof Of Possession worked.
* Any other return value indicates an error in trying to add
* the Signature Proof Of Possession.
*/
extern SECStatus
CRMF_CertReqMsgSetSignaturePOP(CRMFCertReqMsg *inCertReqMsg,
SECKEYPrivateKey *inPrivKey,
SECKEYPublicKey *inPubKey,
CERTCertificate *inCertForInput,
CRMFMACPasswordCallback fn,
void *arg);
/*
* FUNCTION: CRMF_CertReqMsgSetKeyEnciphermentPOP
* INPUTS:
* inCertReqMsg
* The Certificate Request Message to operate on.
* inKeyChoice
* An enumeration indicating which POPOPrivKey Choice to use
* in constructing the KeyEnciphermentPOP.
* subseqMess
* This parameter must be provided iff inKeyChoice is
* crmfSubsequentMessage. This details how the RA is to respond
* in order to perform Proof Of Possession. Look in crmft.h under
* the definition of CRMFSubseqMessOptions for possible values.
* encPrivKey
* This parameter only needs to be provided if inKeyChoice is
* crmfThisMessage. The item should contain the encrypted private
* key.
*
* NOTES:
* Adds Proof Of Possession using the keyEncipherment field of
* ProofOfPossession.
*
* The function looks at the the inKeyChoice parameter and interprets it in
* in the following manner.
*
* If a parameter is not mentioned under interpretation, the function will not
* look at its value when implementing that case.
*
* inKeyChoice Interpretation
* ----------- --------------
* crmfThisMessage This options requires that the encrypted private key
* be included in the thisMessage field of POPOPrivKey.
* We don't support this yet, so any clients who want
* to use this feature have to implement a wrapping
* function and agree with the server on how to properly
* wrap the key. That encrypted key must be passed in
* as the encPrivKey parameter.
*
* crmfSubequentMessage Must pass in a value for subseqMess. The value must
* be either CRMFEncrCert or CRMFChallengeResp. The
* parameter encPrivKey will not be looked at in this
* case.
*
* crmfDHMAC This is not a valid option for this function. Passing
* in this value will result in the function returning
* SECFailure.
* RETURN:
* SECSuccess if adding KeyEnciphermentPOP was successful. Any other return
* value indicates an error in adding KeyEnciphermentPOP.
*/
extern SECStatus
CRMF_CertReqMsgSetKeyEnciphermentPOP(CRMFCertReqMsg *inCertReqMsg,
CRMFPOPOPrivKeyChoice inKeyChoice,
CRMFSubseqMessOptions subseqMess,
SECItem *encPrivKey);
/*
* FUNCTION: CRMF_CertReqMsgSetKeyAgreementPOP
* INPUTS:
* inCertReqMsg
* The Certificate Request Message to operate on.
* inKeyChoice
* An enumeration indicating which POPOPrivKey Choice to use
* in constructing the KeyAgreementPOP.
* subseqMess
* This parameter must be provided iff inKeyChoice is
* crmfSubsequentMessage. This details how the RA is to respond
* in order to perform Proof Of Possession. Look in crmft.h under
* the definition of CRMFSubseqMessOptions for possible values.
* encPrivKey
* This parameter only needs to be provided if inKeyChoice is
* crmfThisMessage. The item should contain the encrypted private
* key.
* Adds Proof Of Possession using the keyAgreement field of
* ProofOfPossession.
*
* The function looks at the the inKeyChoice parameter and interprets it in
* in the following manner.
*
* If a parameter is not mentioned under interpretation, the function will not
* look at its value when implementing that case.
*
* inKeyChoice Interpretation
* ----------- --------------
* crmfThisMessage This options requires that the encrypted private key
* be included in the thisMessage field of POPOPrivKey.
* We don't support this yet, so any clients who want
* to use this feature have to implement a wrapping
* function and agree with the server on how to properly
* wrap the key. That encrypted key must be passed in
* as the encPrivKey parameter.
*
* crmfSubequentMessage Must pass in a value for subseqMess. The value must
* be either crmfEncrCert or crmfChallengeResp. The
* parameter encPrivKey will not be looked at in this
* case.
*
* crmfDHMAC This option is not supported.
*/
extern SECStatus
CRMF_CertReqMsgSetKeyAgreementPOP(CRMFCertReqMsg *inCertReqMsg,
CRMFPOPOPrivKeyChoice inKeyChoice,
CRMFSubseqMessOptions subseqMess,
SECItem *encPrivKey);
/*
* FUNCTION: CRMF_CreateCertReqMsgFromDER
* INPUTS:
* buf
* A buffer to the DER-encoded Certificate Request Message.
* len
* The length in bytes of the buffer 'buf'
* NOTES:
* This function passes the buffer to the ASN1 decoder and creates a
* CRMFCertReqMsg structure. Do not try adding any fields to a message
* returned from this function. Specifically adding more Controls or
* Extensions may cause your program to crash.
*
* RETURN:
* A pointer to the Certificate Request Message structure. A NULL return
* value indicates the library was unable to parse the DER.
*/
extern CRMFCertReqMsg *CRMF_CreateCertReqMsgFromDER(const char *buf, long len);
/*
* FUNCTION: CRMF_CreateCertReqMessagesFromDER
* INPUTS:
* buf
* A buffer to the DER-encoded Certificate Request Messages.
* len
* The length in bytes of buf
* NOTES:
* This function passes the buffer to the ASN1 decoder and creates a
* CRMFCertReqMessages structure. Do not try adding any fields to a message
* derived from this function. Specifically adding more Controls or
* Extensions may cause your program to crash.
* The user must call CRMF_DestroyCertReqMessages after the return value is
* no longer needed, ie when all individual messages have been extracted.
*
* RETURN:
* A pointer to the Certificate Request Messages structure. A NULL return
* value indicates the library was unable to parse the DER.
*/
extern CRMFCertReqMessages *
CRMF_CreateCertReqMessagesFromDER(const char *buf, long len);
/*
* FUNCTION: CRMF_DestroyCertReqMessages
* INPUTS
* inCertReqMsgs
* The Messages to destroy.
* RETURN:
* SECSuccess if freeing the memory was done successfully. Any other
* return value indicates an error in freeing up memory.
*/
extern SECStatus
CRMF_DestroyCertReqMessages(CRMFCertReqMessages *inCertReqMsgs);
/*
* FUNCTION: CRMF_CertReqMessagesGetNumMessages
* INPUTS:
* inCertReqMsgs
* The Request Messages to operate on.
* RETURN:
* The number of messages contained in the in the Request Messages
* strucure.
*/
extern int
CRMF_CertReqMessagesGetNumMessages(CRMFCertReqMessages *inCertReqMsgs);
/*
* FUNCTION: CRMF_CertReqMessagesGetCertReqMsgAtIndex
* INPUTS:
* inReqMsgs
* The Certificate Request Messages to operate on.
* index
* The index of the single message the user wants a copy of.
* NOTES:
* This function returns a copy of the request messages stored at the
* index corresponding to the parameter 'index'. Indexing of the messages
* is done in the same manner as a C array. Meaning the valid index are
* 0...numMessages-1. User must call CRMF_DestroyCertReqMsg when done using
* the return value of this function.
*
* RETURN:
* SECSuccess if copying the message at the requested index was successful.
* Any other return value indicates an invalid index or error while copying
* the single request message.
*/
extern CRMFCertReqMsg *
CRMF_CertReqMessagesGetCertReqMsgAtIndex(CRMFCertReqMessages *inReqMsgs,
int index);
/*
* FUNCTION: CRMF_CertReqMsgGetID
* INPUTS:
* inCertReqMsg
* The Certificate Request Message to get the ID from.
* destID
* A pointer to where the library can place the ID of the Message.
* RETURN:
* SECSuccess if the function was able to retrieve the ID and place it
* at *destID. Any other return value indicates an error meaning the value
* in *destId is un-reliable and should not be used by the caller of this
* function.
*
*/
extern SECStatus CRMF_CertReqMsgGetID(CRMFCertReqMsg *inCertReqMsg,
long *destID);
/*
* FUNCTION: CRMF_DoesRequestHaveField
* INPUTS:
* inCertReq
* The Certificate Request to operate on.
* inField
* An enumeration indicating which filed of the certificate template
* to look for.
* NOTES:
* All the fields in a certificate template are optional. This function
* checks to see if the requested field is present. Look in crmft.h at the
* definition of CRMFCertTemplateField for possible values for possible
* querying.
*
* RETURN:
* PR_TRUE iff the field corresponding to 'inField' has been specified as part
* of 'inCertReq'
* PR_FALSE iff the field corresponding to 'inField' has not been speicified
* as part of 'inCertReq'
*
*/
extern PRBool CRMF_DoesRequestHaveField(CRMFCertRequest *inCertReq,
CRMFCertTemplateField inField);
/*
* FUNCTION: CRMF_CertReqMsgGetCertRequest
* INPUTS:
* inCertReqMsg
* The Certificate Request Message to operate on.
* NOTES:
* This function returns a copy of the Certificate Request to the user.
* The user can keep adding to this request and then making it a part
* of another message. After the user no longer wants to use the
* returned request, the user must call CRMF_DestroyCertRequest and
* pass it the request returned by this function.
* RETURN:
* A pointer to a copy of the certificate request contained by the message.
* A NULL return value indicates an error occurred while copying the
* certificate request.
*/
extern CRMFCertRequest *
CRMF_CertReqMsgGetCertRequest(CRMFCertReqMsg *inCertReqMsg);
/*
* FUNCTION: CRMF_CertRequestGetCertTemplateVersion
* INPUTS:
* inCertReq
* The Certificate Request to operate on.
* version
* A pointer to where the library can store the version contatined
* in the certificate template within the certifcate request.
* RETURN:
* SECSuccess if the Certificate template contains the version field. In
* this case, *version will hold the value of the certificate template
* version.
* SECFailure indicates that version field was not present as part of
* of the certificate template.
*/
extern SECStatus
CRMF_CertRequestGetCertTemplateVersion(CRMFCertRequest *inCertReq,
long *version);
/*
* FUNCTION: CRMF_CertRequestGetCertTemplateSerialNumber
* INPUTS:
* inCertReq
* The certificate request to operate on.
* serialNumber
* A pointer where the library can put the serial number contained
* in the certificate request's certificate template.
* RETURN:
* If a serial number exists in the CertTemplate of the request, the function
* returns SECSuccess and the value at *serialNumber contains the serial
* number.
* If no serial number is present, then the function returns SECFailure and
* the value at *serialNumber is un-changed.
*/
extern SECStatus
CRMF_CertRequestGetCertTemplateSerialNumber(CRMFCertRequest *inCertReq,
long *serialNumber);
/*
* FUNCTION: CRMF_CertRequestGetCertTemplateSigningAlg
* INPUT:
* inCertReq
* The Certificate Request to operate on.
* destAlg
* A Pointer to where the library can place a copy of the signing alg
* used in the cert request's cert template.
* RETURN:
* If the signingAlg is present in the CertRequest's CertTemplate, then
* the function returns SECSuccess and places a copy of sigingAlg in
* *destAlg.
* If no signingAlg is present, then the function returns SECFailure and
* the value at *destAlg is un-changed
*/
extern SECStatus
CRMF_CertRequestGetCertTemplateSigningAlg(CRMFCertRequest *inCertReq,
SECAlgorithmID *destAlg);
/*
* FUNCTION: CRMF_CertRequestGetCertTemplateIssuer
* INPUTS:
* inCertReq
* The Certificate Request to operate on.
* destIssuer
* A pointer to where the library can place a copy of the cert
* request's cert template issuer field.
* RETURN:
* If the issuer is present in the cert request cert template, the function
* returns SECSuccess and places a copy of the issuer in *destIssuer.
* If there is no issuer present, the function returns SECFailure and the
* value at *destIssuer is unchanged.
*/
extern SECStatus
CRMF_CertRequestGetCertTemplateIssuer(CRMFCertRequest *inCertReq,
CERTName *destIssuer);
/*
* FUNCTION: CRMF_CertRequestGetCertTemplateValidity
* INPUTS:
* inCertReq
* The Certificate Request to operate on.
* destValdity
* A pointer to where the library can place a copy of the validity
* info in the cert request cert template.
* NOTES:
* Pass the pointer to
* RETURN:
* If there is an OptionalValidity field, the function will return SECSuccess
* and place the appropriate values in *destValidity->notBefore and
* *destValidity->notAfter. (Each field is optional, but at least one will
* be present if the function returns SECSuccess)
*
* If there is no OptionalValidity field, the function will return SECFailure
* and the values at *destValidity will be un-changed.
*/
extern SECStatus
CRMF_CertRequestGetCertTemplateValidity(CRMFCertRequest *inCertReq,
CRMFGetValidity *destValidity);
/*
* FUNCTION: CRMF_DestroyGetValidity
* INPUTS:
* inValidity
* A pointer to the memroy to be freed.
* NOTES:
* The function will free the memory allocated by the function
* CRMF_CertRequestGetCertTemplateValidity. That means only memory pointed
* to within the CRMFGetValidity structure. Since
* CRMF_CertRequestGetCertTemplateValidity does not allocate memory for the
* structure passed into it, it will not free it. Meaning this function will
* free the memory at inValidity->notBefore and inValidity->notAfter, but not
* the memory directly at inValdity.
*
* RETURN:
* SECSuccess if freeing the memory was successful. Any other return value
* indicates an error while freeing the memory.
*/
extern SECStatus
CRMF_DestroyGetValidity(CRMFGetValidity *inValidity);
/*
* FUNCTION: CRMF_CertRequestGetCertTemplateSubject
* INPUTS:
* inCertReq
* The Certificate Request to operate on.
* destSubject
* A pointer to where the library can place a copy of the subject
* contained in the request's cert template.
* RETURN:
* If there is a subject in the CertTemplate, then the function returns
* SECSuccess and a copy of the subject is placed in *destSubject.
*
* If there is no subject, the function returns SECFailure and the values at
* *destSubject is unchanged.
*/
extern SECStatus
CRMF_CertRequestGetCertTemplateSubject(CRMFCertRequest *inCertReq,
CERTName *destSubject);
/*
* FUNCTION: CRMF_CertRequestGetCertTemplatePublicKey
* INPUTS:
* inCertReq
* The Cert request to operate on.
* destPublicKey
* A pointer to where the library can place a copy of the request's
* cert template public key.
* RETURN:
* If there is a publicKey parameter in the CertRequest, the function returns
* SECSuccess, and places a copy of the publicKey in *destPublicKey.
*
* If there is no publicKey, the function returns SECFailure and the value
* at *destPublicKey is un-changed.
*/
extern SECStatus
CRMF_CertRequestGetCertTemplatePublicKey(CRMFCertRequest *inCertReq,
CERTSubjectPublicKeyInfo *destPublicKey);
/*
* FUNCTION: CRMF_CertRequestGetCertTemplateIssuerUID
* INPUTS:
* inCertReq
* The Cert request to operate on.
* destIssuerUID
* A pointer to where the library can store a copy of the request's
* cert template destIssuerUID.
*
* NOTES:
* destIssuerUID is a bit string and will be returned in a SECItem as
* a bit string. Meaning the len field contains the number of valid bits as
* opposed to the number of bytes allocated.
*
* RETURN:
* If the CertTemplate has an issuerUID, the function returns SECSuccess and
* places a copy of the issuerUID in *destIssuerUID.
*
* If there is no issuerUID, the function returns SECFailure and the value
* *destIssuerUID is unchanged.
*/
extern SECStatus
CRMF_CertRequestGetCertTemplateIssuerUID(CRMFCertRequest *inCertReq,
SECItem *destIssuerUID);
/*
* FUNCTION: CRMF_CertRequestGetCertTemplateSubjectUID
* inCertReq
* The Cert request to operate on.
* destSubjectUID
* A pointer to where the library can store a copy of the request's
* cert template destIssuerUID.
*
* NOTES:
* destSubjectUID is a bit string and will be returned in a SECItem as
* a bit string. Meaning the len field contains the number of valid bits as
* opposed to the number of bytes allocated.
*
* RETURN:
* If the CertTemplate has an issuerUID, the function returns SECSuccess and
* places a copy of the issuerUID in *destIssuerUID.
*
* If there is no issuerUID, the function returns SECSuccess and the value
* *destIssuerUID is unchanged.
*/
extern SECStatus CRMF_GetCertTemplateSubjectUID(CRMFCertRequest *inCertReq,
SECItem *destSubjectUID);
/*
* FUNCTION: CRMF_CertRequestGetNumberOfExtensions
* INPUTS:
* inCertReq
* The cert request to operate on.
* RETURN:
* Returns the number of extensions contained by the Cert Request.
*/
extern int CRMF_CertRequestGetNumberOfExtensions(CRMFCertRequest *inCertReq);
/*
* FUNCTION: CRMF_CertRequestGetExtensionAtIndex
* INPUTS:
* inCertReq
* The Certificate request to operate on.
* index
* The index of the extension array whihc the user wants to access.
* NOTES:
* This function retrieves the extension at the index corresponding to the
* parameter "index" indicates. Indexing is done like a C array.
* (0 ... numElements-1)
*
* Call CRMF_DestroyCertExtension when done using the return value.
*
* RETURN:
* A pointer to a copy of the extension at the desired index. A NULL
* return value indicates an invalid index or an error while copying
* the extension.
*/
extern CRMFCertExtension *
CRMF_CertRequestGetExtensionAtIndex(CRMFCertRequest *inCertReq,
int index);
/*
* FUNCTION: CRMF_CertExtensionGetOidTag
* INPUTS:
* inExtension
* The extension to operate on.
* RETURN:
* Returns the SECOidTag associated with the cert extension passed in.
*/
extern SECOidTag CRMF_CertExtensionGetOidTag(CRMFCertExtension *inExtension);
/*
* FUNCTION: CRMF_CertExtensionGetIsCritical
* INPUT:
* inExt
* The cert extension to operate on.
*
* RETURN:
* PR_TRUE if the extension is critical.
* PR_FALSE if the extension is not critical.
*/
extern PRBool CRMF_CertExtensionGetIsCritical(CRMFCertExtension *inExt);
/*
* FUNCTION: CRMF_CertExtensionGetValue
* INPUT:
* inExtension
* The extension to operate on.
* NOTES:
* Caller is responsible for freeing the memory associated with the return
* value. Call SECITEM_FreeItem(retVal, PR_TRUE) when done using the return
* value.
*
* RETURN:
* A pointer to an item containig the value for the certificate extension.
* A NULL return value indicates an error in copying the information.
*/
extern SECItem *CRMF_CertExtensionGetValue(CRMFCertExtension *inExtension);
/*
* FUNCTION: CRMF_CertReqMsgGetPOPOSigningKey
* INPUTS:
* inCertReqMsg
* The certificate request message to operate on.
* destKey
* A pointer to where the library can place a pointer to
* a copy of the Proof Of Possession Signing Key used
* by the message.
*
* RETURN:
* Get the POPOSigningKey associated with this CRMFCertReqMsg.
* If the CertReqMsg does not have a pop, the function returns
* SECFailure and the value at *destKey is un-changed..
*
* If the CertReqMsg does have a pop, then the CertReqMsg's
* POPOSigningKey will be placed at *destKey.
*/
extern SECStatus
CRMF_CertReqMsgGetPOPOSigningKey(CRMFCertReqMsg *inCertReqMsg,
CRMFPOPOSigningKey **destKey);
/*
* FUNCTION: CRMF_DestroyPOPOSigningKey
* INPUTS:
* inKey
* The signing key to free.
*
* RETURN:
* SECSuccess if freeing the memory was successful. Any other return value
* indicates an error while freeing memory.
*/
extern SECStatus CRMF_DestroyPOPOSigningKey(CRMFPOPOSigningKey *inKey);
/*
* FUNCTION: CRMF_POPOSigningKeyGetAlgID
* INPUTS:
* inSignKey
* The Signing Key to operate on.
* RETURN:
* Return the algorithmID used by the CRMFPOPOSigningKey. User must
* call SECOID_DestroyAlgorithmID(destID, PR_TRUE) when done using the
* return value.
*/
extern SECAlgorithmID *
CRMF_POPOSigningKeyGetAlgID(CRMFPOPOSigningKey *inSignKey);
/*
* FUNCTION: CRMF_POPOSigningKeyGetSignature
* INPUTS:
* inSignKey
* The Signing Key to operate on.
*
* RETURN:
* Get the actual signature stored away in the CRMFPOPOSigningKey. SECItem
* returned is a BIT STRING, so the len field is the number of bits as opposed
* to the total number of bytes allocatd. User must call
* SECITEM_FreeItem(retVal,PR_TRUE) when done using the return value.
*/
extern SECItem *CRMF_POPOSigningKeyGetSignature(CRMFPOPOSigningKey *inSignKey);
/*
* FUNCTION: CRMF_POPOSigningKeyGetInput
* INPUTS:
* inSignKey
* The Signing Key to operate on.
* NOTES:
* This function will return the der encoded input that was read in while
* decoding. The API does not support this option when creating, so you
* cannot add this field.
*
* RETURN:
* Get the poposkInput that is part of the of the POPOSigningKey. If the
* optional field is not part of the POPOSigningKey, the function returns
* NULL.
*
* If the optional field is part of the POPOSingingKey, the function will
* return a copy of the der encoded poposkInput.
*/
extern SECItem *CRMF_POPOSigningKeyGetInput(CRMFPOPOSigningKey *inSignKey);
/*
* FUNCTION: CRMF_CertReqMsgGetPOPKeyEncipherment
* INPUTS:
* inCertReqMsg
* The certificate request message to operate on.
* destKey
* A pointer to where the library can place a pointer to a
* copy of the POPOPrivKey representing Key Encipherment
* Proof of Possession.
*NOTES:
* This function gets the POPOPrivKey associated with this CRMFCertReqMsg
* for Key Encipherment.
*
* RETURN:
* If the CertReqMsg did not use Key Encipherment for Proof Of Possession, the
* function returns SECFailure and the value at *destKey is un-changed.
*
* If the CertReqMsg did use Key Encipherment for ProofOfPossession, the
* function returns SECSuccess and places the POPOPrivKey representing the
* Key Encipherment Proof Of Possessin at *destKey.
*/
extern SECStatus
CRMF_CertReqMsgGetPOPKeyEncipherment(CRMFCertReqMsg *inCertReqMsg,
CRMFPOPOPrivKey **destKey);
/*
* FUNCTION: CRMF_CertReqMsgGetPOPKeyAgreement
* INPUTS:
* inCertReqMsg
* The certificate request message to operate on.
* destKey
* A pointer to where the library can place a pointer to a
* copy of the POPOPrivKey representing Key Agreement
* Proof of Possession.
* NOTES:
* This function gets the POPOPrivKey associated with this CRMFCertReqMsg for
* Key Agreement.
*
* RETURN:
* If the CertReqMsg used Key Agreement for Proof Of Possession, the
* function returns SECSuccess and the POPOPrivKey for Key Agreement
* is placed at *destKey.
*
* If the CertReqMsg did not use Key Agreement for Proof Of Possession, the
* function return SECFailure and the value at *destKey is unchanged.
*/
extern SECStatus
CRMF_CertReqMsgGetPOPKeyAgreement(CRMFCertReqMsg *inCertReqMsg,
CRMFPOPOPrivKey **destKey);
/*
* FUNCTION: CRMF_DestroyPOPOPrivKey
* INPUTS:
* inPrivKey
* The POPOPrivKey to destroy.
* NOTES:
* Destroy a structure allocated by CRMF_GetPOPKeyEncipherment or
* CRMF_GetPOPKeyAgreement.
*
* RETURN:
* SECSuccess on successful destruction of the POPOPrivKey.
* Any other return value indicates an error in freeing the
* memory.
*/
extern SECStatus CRMF_DestroyPOPOPrivKey(CRMFPOPOPrivKey *inPrivKey);
/*
* FUNCTION: CRMF_POPOPrivKeyGetChoice
* INPUT:
* inKey
* The POPOPrivKey to operate on.
* RETURN:
* Returns which choice was used in constructing the POPPOPrivKey. Look at
* the definition of CRMFPOPOPrivKeyChoice in crmft.h for the possible return
* values.
*/
extern CRMFPOPOPrivKeyChoice CRMF_POPOPrivKeyGetChoice(CRMFPOPOPrivKey *inKey);
/*
* FUNCTION: CRMF_POPOPrivKeyGetThisMessage
* INPUTS:
* inKey
* The POPOPrivKey to operate on.
* destString
* A pointer to where the library can place a copy of the This Message
* field stored in the POPOPrivKey
*
* RETURN:
* Returns the field thisMessage from the POPOPrivKey.
* If the POPOPrivKey did not use the field thisMessage, the function
* returns SECFailure and the value at *destString is unchanged.
*
* If the POPOPrivKey did use the field thisMessage, the function returns
* SECSuccess and the BIT STRING representing thisMessage is placed
* at *destString. BIT STRING representation means the len field is the
* number of valid bits as opposed to the total number of bytes.
*/
extern SECStatus CRMF_POPOPrivKeyGetThisMessage(CRMFPOPOPrivKey *inKey,
SECItem *destString);
/*
* FUNCTION: CRMF_POPOPrivKeyGetSubseqMess
* INPUTS:
* inKey
* The POPOPrivKey to operate on.
* destOpt
* A pointer to where the library can place the value of the
* Subsequent Message option used by POPOPrivKey.
*
* RETURN:
* Retrieves the field subsequentMessage from the POPOPrivKey.
* If the POPOPrivKey used the subsequentMessage option, the function
* returns SECSuccess and places the appropriate enumerated value at
* *destMessageOption.
*
* If the POPOPrivKey did not use the subsequenMessage option, the function
* returns SECFailure and the value at *destOpt is un-changed.
*/
extern SECStatus CRMF_POPOPrivKeyGetSubseqMess(CRMFPOPOPrivKey *inKey,
CRMFSubseqMessOptions *destOpt);
/*
* FUNCTION: CRMF_POPOPrivKeyGetDHMAC
* INPUTS:
* inKey
* The POPOPrivKey to operate on.
* destMAC
* A pointer to where the library can place a copy of the dhMAC
* field of the POPOPrivKey.
*
* NOTES:
* Returns the field dhMAC from the POPOPrivKey. The populated SECItem
* is in BIT STRING format.
*
* RETURN:
* If the POPOPrivKey used the dhMAC option, the function returns SECSuccess
* and the BIT STRING for dhMAC will be placed at *destMAC. The len field in
* destMAC (ie destMAC->len) will be the valid number of bits as opposed to
* the number of allocated bytes.
*
* If the POPOPrivKey did not use the dhMAC option, the function returns
* SECFailure and the value at *destMAC is unchanged.
*
*/
extern SECStatus CRMF_POPOPrivKeyGetDHMAC(CRMFPOPOPrivKey *inKey,
SECItem *destMAC);
/*
* FUNCTION: CRMF_CertRequestGetNumControls
* INPUTS:
* inCertReq
* The Certificate Request to operate on.
* RETURN:
* Returns the number of Controls registered with this CertRequest.
*/
extern int CRMF_CertRequestGetNumControls(CRMFCertRequest *inCertReq);
/*
* FUNCTION: CRMF_CertRequestGetControlAtIndex
* INPUTS:
* inCertReq
* The certificate request to operate on.
* index
* The index of the control the user wants a copy of.
* NOTES:
* Function retrieves the Control at located at index. The Controls
* are numbered like a traditional C array (0 ... numElements-1)
*
* RETURN:
* Returns a copy of the control at the index specified. This is a copy
* so the user must call CRMF_DestroyControl after the return value is no
* longer needed. A return value of NULL indicates an error while copying
* the control or that the index was invalid.
*/
extern CRMFControl *
CRMF_CertRequestGetControlAtIndex(CRMFCertRequest *inCertReq,
int index);
/*
* FUNCTION: CRMF_DestroyControl
* INPUTS:
* inControl
* The Control to destroy.
* NOTES:
* Destroy a CRMFControl allocated by CRMF_GetControlAtIndex.
*
* RETURN:
* SECSuccess if freeing the memory was successful. Any other return
* value indicates an error while freeing the memory.
*/
extern SECStatus CRMF_DestroyControl(CRMFControl *inControl);
/*
* FUNCTION: CRMF_ControlGetControlType
* INPUTS:
* inControl
* The control to operate on.
* NOTES:
* The function returns an enumertion which indicates the type of control
* 'inControl'.
*
* RETURN:
* Look in crmft.h at the definition of the enumerated type CRMFControlType
* for the possible return values.
*/
extern CRMFControlType CRMF_ControlGetControlType(CRMFControl *inControl);
/*
* FUNCTION: CRMF_ControlGetRegTokenControlValue
* INPUTS:
* inControl
* The Control to operate on.
* NOTES:
* The user must call SECITEM_FreeItem passing in the return value
* after the returnvalue is no longer needed.
* RETURN:
* Return the value for a Registration Token Control.
* The SECItem returned should be in UTF8 format. A NULL
* return value indicates there was no Registration Control associated
* with the Control.
* (This library will not verify format. It assumes the client properly
* formatted the strings when adding it or the message decoded was properly
* formatted. The library will just give back the bytes it was given.)
*/
extern SECItem *CRMF_ControlGetRegTokenControlValue(CRMFControl *inControl);
/*
* FUNCTION: CRMF_ControlGetAuthenticatorControlValue
* INPUTS:
* inControl
* The Control to operate on.
* NOTES:
* The user must call SECITEM_FreeItem passing in the return value
* after the returnvalue is no longer needed.
*
* RETURN:
* Return the value for the Authenticator Control.
* The SECItem returned should be in UTF8 format. A NULL
* return value indicates there was no Authenticator Control associated
* with the CRMFControl..
* (This library will not verify format. It assumes the client properly
* formatted the strings when adding it or the message decoded was properly
* formatted. The library will just give back the bytes it was given.)
*/
extern SECItem *CRMF_ControlGetAuthicatorControlValue(CRMFControl *inControl);
/*
* FUNCTION: CRMF_ControlGetPKIArchiveOptions
* INPUTS:inControl
* The Control tooperate on.
* NOTES:
* This function returns a copy of the PKIArchiveOptions. The user must call
* the function CRMF_DestroyPKIArchiveOptions when the return value is no
* longer needed.
*
* RETURN:
* Get the PKIArchiveOptions associated with the Control. A return
* value of NULL indicates the Control was not a PKIArchiveOptions
* Control.
*/
extern CRMFPKIArchiveOptions *
CRMF_ControlGetPKIArchiveOptions(CRMFControl *inControl);
/*
* FUNCTION: CMRF_DestroyPKIArchiveOptions
* INPUTS:
* inOptions
* The ArchiveOptions to destroy.
* NOTE:
* Destroy the CRMFPKIArchiveOptions structure.
*
* RETURN:
* SECSuccess if successful in freeing all the memory associated with
* the PKIArchiveOptions. Any other return value indicates an error while
* freeing the PKIArchiveOptions.
*/
extern SECStatus
CRMF_DestroyPKIArchiveOptions(CRMFPKIArchiveOptions *inOptions);
/*
* FUNCTION: CRMF_PKIArchiveOptionsGetOptionType
* INPUTS:
* inOptions
* The PKIArchiveOptions to operate on.
* RETURN:
* Returns the choice used for the PKIArchiveOptions. Look at the definition
* of CRMFPKIArchiveOptionsType in crmft.h for possible return values.
*/
extern CRMFPKIArchiveOptionsType
CRMF_PKIArchiveOptionsGetOptionType(CRMFPKIArchiveOptions *inOptions);
/*
* FUNCTION: CRMF_PKIArchiveOptionsGetEncryptedPrivKey
* INPUTS:
* inOpts
* The PKIArchiveOptions to operate on.
*
* NOTES:
* The user must call CRMF_DestroyEncryptedKey when done using this return
* value.
*
* RETURN:
* Get the encryptedPrivKey field of the PKIArchiveOptions structure.
* A return value of NULL indicates that encryptedPrivKey was not used as
* the choice for this PKIArchiveOptions.
*/
extern CRMFEncryptedKey *
CRMF_PKIArchiveOptionsGetEncryptedPrivKey(CRMFPKIArchiveOptions *inOpts);
/*
* FUNCTION: CRMF_EncryptedKeyGetChoice
* INPUTS:
* inEncrKey
* The EncryptedKey to operate on.
*
* NOTES:
* Get the choice used for representing the EncryptedKey.
*
* RETURN:
* Returns the Choice used in representing the EncryptedKey. Look in
* crmft.h at the definition of CRMFEncryptedKeyChoice for possible return
* values.
*/
extern CRMFEncryptedKeyChoice
CRMF_EncryptedKeyGetChoice(CRMFEncryptedKey *inEncrKey);
/*
* FUNCTION: CRMF_EncryptedKeyGetEncryptedValue
* INPUTS:
* inKey
* The EncryptedKey to operate on.
*
* NOTES:
* The user must call CRMF_DestroyEncryptedValue passing in
* CRMF_GetEncryptedValue's return value.
*
* RETURN:
* A pointer to a copy of the EncryptedValue contained as a member of
* the EncryptedKey.
*/
extern CRMFEncryptedValue *
CRMF_EncryptedKeyGetEncryptedValue(CRMFEncryptedKey *inKey);
/*
* FUNCTION: CRMF_DestroyEncryptedValue
* INPUTS:
* inEncrValue
* The EncryptedValue to destroy.
*
* NOTES:
* Free up all memory associated with 'inEncrValue'.
*
* RETURN:
* SECSuccess if freeing up the memory associated with the EncryptedValue
* is successful. Any other return value indicates an error while freeing the
* memory.
*/
extern SECStatus CRMF_DestroyEncryptedValue(CRMFEncryptedValue *inEncrValue);
/*
* FUNCTION: CRMF_EncryptedValueGetEncValue
* INPUTS:
* inEncValue
* The EncryptedValue to operate on.
* NOTES:
* Function retrieves the encValue from an EncryptedValue structure.
*
* RETURN:
* A poiner to a SECItem containing the encValue of the EncryptedValue
* structure. The return value is in BIT STRING format, meaning the
* len field of the return structure represents the number of valid bits
* as opposed to the allocated number of bytes.
* ANULL return value indicates an error in copying the encValue field.
*/
extern SECItem *CRMF_EncryptedValueGetEncValue(CRMFEncryptedValue *inEncValue);
/*
* FUNCTION: CRMF_EncryptedValueGetIntendedAlg
* INPUTS
* inEncValue
* The EncryptedValue to operate on.
* NOTES:
* Retrieve the IntendedAlg field from the EncryptedValue structure.
* Call SECOID_DestroyAlgorithmID (destAlgID, PR_TRUE) after done using
* the return value. When present, this alogorithm is the alogrithm for
* which the private key will be used.
*
* RETURN:
* A Copy of the intendedAlg field. A NULL return value indicates the
* optional field was not present in the structure.
*/
extern SECAlgorithmID *
CRMF_EncryptedValueGetIntendedAlg(CRMFEncryptedValue *inEncValue);
/*
* FUNCTION: CRMF_EncryptedValueGetSymmAlg
* INPUTS
* inEncValue
* The EncryptedValue to operate on.
* NOTES:
* Retrieve the symmAlg field from the EncryptedValue structure.
* Call SECOID_DestroyAlgorithmID (destAlgID, PR_TRUE) after done using
* the return value. When present, this is algorithm used to
* encrypt the encValue of the EncryptedValue.
*
* RETURN:
* A Copy of the symmAlg field. A NULL return value indicates the
* optional field was not present in the structure.
*/
extern SECAlgorithmID *
CRMF_EncryptedValueGetSymmAlg(CRMFEncryptedValue *inEncValue);
/*
* FUNCTION: CRMF_EncryptedValueGetKeyAlg
* INPUTS
* inEncValue
* The EncryptedValue to operate on.
* NOTES:
* Retrieve the keyAlg field from the EncryptedValue structure.
* Call SECOID_DestroyAlgorithmID (destAlgID, PR_TRUE) after done using
* the return value. When present, this is the algorithm used to encrypt
* the symmetric key in the encSymmKey field of the EncryptedValue structure.
*
* RETURN:
* A Copy of the keyAlg field. A NULL return value indicates the
* optional field was not present in the structure.
*/
extern SECAlgorithmID *
CRMF_EncryptedValueGetKeyAlg(CRMFEncryptedValue *inEncValue);
/*
* FUNCTION: CRMF_EncryptedValueGetValueHint
* INPUTS:
* inEncValue
* The EncryptedValue to operate on.
*
* NOTES:
* Return a copy of the der-encoded value hint.
* User must call SECITEM_FreeItem(retVal, PR_TRUE) when done using the
* return value. When, present, this is a value that the client which
* originally issued a certificate request can use to reproduce any data
* it wants. The RA does not know how to interpret this data.
*
* RETURN:
* A copy of the valueHint field of the EncryptedValue. A NULL return
* value indicates the optional valueHint field is not present in the
* EncryptedValue.
*/
extern SECItem *
CRMF_EncryptedValueGetValueHint(CRMFEncryptedValue *inEncValue);
/*
* FUNCTION: CRMF_EncrypteValueGetEncSymmKey
* INPUTS:
* inEncValue
* The EncryptedValue to operate on.
*
* NOTES:
* Return a copy of the encSymmKey field. This field is the encrypted
* symmetric key that the client uses in doing Public Key wrap of a private
* key. When present, this is the symmetric key that was used to wrap the
* private key. (The encrypted private key will be stored in encValue
* of the same EncryptedValue structure.) The user must call
* SECITEM_FreeItem(retVal, PR_TRUE) when the return value is no longer
* needed.
*
* RETURN:
* A copy of the optional encSymmKey field of the EncryptedValue structure.
* The return value will be in BIT STRING format, meaning the len field will
* be the number of valid bits as opposed to the number of bytes. A return
* value of NULL means the optional encSymmKey field was not present in
* the EncryptedValue structure.
*/
extern SECItem *
CRMF_EncryptedValueGetEncSymmKey(CRMFEncryptedValue *inEncValue);
/*
* FUNCTION: CRMF_PKIArchiveOptionsGetKeyGenParameters
* INPUTS:
* inOptions
* The PKiArchiveOptions to operate on.
*
* NOTES:
* User must call SECITEM_FreeItem(retVal, PR_TRUE) after the return
* value is no longer needed.
*
* RETURN:
* Get the keyGenParameters field of the PKIArchiveOptions.
* A NULL return value indicates that keyGenParameters was not
* used as the choice for this PKIArchiveOptions.
*
* The SECItem returned is in BIT STRING format (ie, the len field indicates
* number of valid bits as opposed to allocated number of bytes.)
*/
extern SECItem *
CRMF_PKIArchiveOptionsGetKeyGenParameters(CRMFPKIArchiveOptions *inOptions);
/*
* FUNCTION: CRMF_PKIArchiveOptionsGetArchiveRemGenPrivKey
* INPUTS:
* inOpt
* The PKIArchiveOptions to operate on.
* destVal
* A pointer to where the library can place the value for
* arciveRemGenPrivKey
* RETURN:
* If the PKIArchiveOptions used the archiveRemGenPrivKey field, the
* function returns SECSuccess and fills the value at *destValue with either
* PR_TRUE or PR_FALSE, depending on what the PKIArchiveOptions has as a
* value.
*
* If the PKIArchiveOptions does not use the archiveRemGenPrivKey field, the
* function returns SECFailure and the value at *destValue is unchanged.
*/
extern SECStatus
CRMF_PKIArchiveOptionsGetArchiveRemGenPrivKey(CRMFPKIArchiveOptions *inOpt,
PRBool *destVal);
/* Helper functions that can be used by other libraries. */
/*
* A quick helper function to get the best wrap mechanism.
*/
extern CK_MECHANISM_TYPE CRMF_GetBestWrapPadMechanism(PK11SlotInfo *slot);
/*
* A helper function to get a randomly generated IV from a mechanism
* type.
*/
extern SECItem *CRMF_GetIVFromMechanism(CK_MECHANISM_TYPE mechType);
SEC_END_PROTOS
#endif /*_CRMF_H_*/