/*
 * Copyright (c) 2003-2006,2008,2010 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 *
 * X509Templates.h - X.509 Certificate and CRL ASN1 templates
 *
 * This header declares the C structs that the SecAsn1 decoder fills in
 * for X.509 certificates and CRLs, together with the extern template
 * arrays that drive the decoding/encoding of each struct.  Only
 * declarations live here; the templates themselves are defined in the
 * corresponding .c file (not visible from this header).
 */

#ifndef _NSS_X509_TEMPLATES_H_
#define _NSS_X509_TEMPLATES_H_

#include <Security/SecAsn1Types.h>
#include <Security/nameTemplates.h>

/*
 * Arrays of SecAsn1Templates are always associated with a specific
 * C struct. We attempt to use C structs which are defined in CDSA
 * if at all possible; these always start with the CSSM_ prefix.
 * Otherwise we define the struct here, with an NSS_ prefix.
 * In either case, the name of the C struct is listed in comments
 * along with the extern declaration of the SecAsn1Template array.
 */

#ifdef __cplusplus
extern "C" {
#endif

// MARK: --- X509 Validity support ---

/*
 * ASN Class : Validity
 * C struct : NSS_Validity
 *
 * The low-level Time values, which are CHOICE of generalized
 * time or UTC time, still DER-encoded upon decoding of this object.
 * Callers therefore cannot compare notBefore/notAfter directly against
 * the current time; the tagged item has to be decoded first, and the
 * tag (below) tells which time encoding applies.
 */
/*
 * The low-level time values are either Generalized Time
 * (SEC_ASN1_GENERALIZED_TIME) or UTC time (SEC_ASN1_UTC_TIME).
 */
typedef NSS_TaggedItem NSS_Time;

typedef struct {
	NSS_Time notBefore;		// start of validity period, still DER-encoded
	NSS_Time notAfter;		// end of validity period, still DER-encoded
} NSS_Validity;

/* Template for NSS_Validity. */
extern const SecAsn1Template kSecAsn1ValidityTemplate[];

// MARK: --- Certificate ---

/*
 * X509 cert extension
 * ASN Class : Extension
 * C struct : NSS_CertExtension
 *
 * With a nontrivial amount of extension-specific processing,
 * this maps to a CSSM_X509_EXTENSION.
 */
typedef struct {
	SecAsn1Item extnId;			// OID identifying the extension
	SecAsn1Item critical;		// optional, default = false
								// (absent on the wire -> treat as false;
								// an unrecognized extension with this set
								// is a rejection condition for the
								// consumer, not something this header
								// decides)
	SecAsn1Item value;			// OCTET string whose decoded value is
								// an id-specific DER-encoded thing;
								// a second, extnId-specific decode is
								// needed before the contents can be used
} NSS_CertExtension;

/* Templates for one NSS_CertExtension and for a SEQUENCE OF them. */
extern const SecAsn1Template kSecAsn1CertExtensionTemplate[];
extern const SecAsn1Template kSecAsn1SequenceOfCertExtensionTemplate[];

/*
 * X.509 certificate object (the unsigned form)
 *
 * ASN class : TBSCertificate
 * C struct : NSS_TBSCertificate
 */
typedef struct {
	SecAsn1Item version;				// optional
	SecAsn1Item serialNumber;
	SecAsn1AlgId signature;				// AlgId inside the TBS; the outer
										// NSS_Certificate carries its own
										// signatureAlgorithm
	NSS_Name issuer;
	NSS_Validity validity;
	NSS_Name subject;
	SecAsn1PubKeyInfo subjectPublicKeyInfo;
	SecAsn1Item issuerID;				// optional, BITS
	SecAsn1Item subjectID;				// optional, BITS
	NSS_CertExtension **extensions;		// optional
										// NOTE(review): presumably a
										// NULL-terminated pointer array as
										// elsewhere in these templates -
										// confirm against the template
										// definition before iterating

	/*
	 * Additional DER-encoded fields copied (via SEC_ASN1_SAVE)
	 * during decoding.  These are the raw issuer/subject Name bytes
	 * as they appeared on the wire, which is what a byte-exact
	 * comparison (e.g. chain building) should use rather than the
	 * re-encoding of the decoded NSS_Name.
	 */
	SecAsn1Item derIssuer;
	SecAsn1Item derSubject;
} NSS_TBSCertificate;

/* Template for NSS_TBSCertificate. */
extern const SecAsn1Template kSecAsn1TBSCertificateTemplate[];

/*
 * Fully specified signed certificate.
 *
 * ASN class : Certificate
 * C struct : NSS_Certificate
 */
typedef struct {
	NSS_TBSCertificate tbs;
	SecAsn1AlgId signatureAlgorithm;
	SecAsn1Item signature;// BIT STRING, length in bits
						  // (signature.Length is a bit count, not a byte
						  // count; convert before handing the bytes to a
						  // byte-oriented verify routine)
} NSS_Certificate;

/* Template for NSS_Certificate. */
extern const SecAsn1Template kSecAsn1SignedCertTemplate[];

// MARK: --- CRL ---

/*
 * ASN class : revokedCertificate
 * C struct : NSS_RevokedCert
 */
typedef struct {
	SecAsn1Item userCertificate;	// serial number
	NSS_Time revocationDate;		// still DER-encoded, see NSS_Time
	NSS_CertExtension **extensions;	// optional (CRL entry extensions)
} NSS_RevokedCert;

/* Templates for one NSS_RevokedCert and for a SEQUENCE OF them. */
extern const SecAsn1Template kSecAsn1RevokedCertTemplate[];
extern const SecAsn1Template kSecAsn1SequenceOfRevokedCertTemplate[];

/*
 * X509 Cert Revocation List (the unsigned form)
 * ASN class : TBSCertList
 * C struct : NSS_TBSCrl
 */
typedef struct {
	SecAsn1Item version;				// optional
	SecAsn1AlgId signature;
	NSS_Name issuer;
	NSS_Time thisUpdate;				// still DER-encoded, see NSS_Time
	NSS_Time nextUpdate;				// optional
	NSS_RevokedCert **revokedCerts;		// optional
	NSS_CertExtension **extensions;		// optional

	/*
	 * Additional DER-encoded fields copied (via SEC_ASN1_SAVE)
	 * during decoding.
	 */
	SecAsn1Item derIssuer;

} NSS_TBSCrl;

/* Template for NSS_TBSCrl. */
extern const SecAsn1Template kSecAsn1TBSCrlTemplate[];

/*
 * Fully specified signed CRL.
 *
 * ASN class : CertificateList
 * C struct : NSS_Crl
 */
typedef struct {
	NSS_TBSCrl tbs;
	SecAsn1AlgId signatureAlgorithm;
	SecAsn1Item signature;// BIT STRING, length in bits
} NSS_Crl;

/* Template for NSS_Crl. */
extern const SecAsn1Template kSecAsn1SignedCrlTemplate[];

/*
 * signed data - top-level view of a signed Cert or CRL, for
 * signing and verifying only. Treats the TBS and AlgId portions
 * as opaque ASN_ANY blobs.
 *
 * Because tbsBlob is the undecoded DER exactly as received, it is
 * the byte range a signature check should be run over; verifying a
 * re-encoding of the decoded NSS_TBSCertificate/NSS_TBSCrl instead
 * would not be equivalent if the original encoding was non-canonical.
 */
typedef struct {
	SecAsn1Item tbsBlob;			// ANY, DER encoded cert or CRL
	SecAsn1Item signatureAlgorithm;	// ANY, undecoded AlgorithmIdentifier
	SecAsn1Item signature;// BIT STRING, length in bits
} NSS_SignedCertOrCRL;

/* Template for NSS_SignedCertOrCRL. */
extern const SecAsn1Template kSecAsn1SignedCertOrCRLTemplate[];

#ifdef __cplusplus
}
#endif

#endif /* _NSS_X509_TEMPLATES_H_ */