certExtensionTemplates.h   [plain text]

 * Copyright (c) 2003-2006,2008,2010 Apple Inc. All Rights Reserved.
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * certExtensionTemplates.h - libnssasn1 structs and templates for cert and 
 *                            CRL extensions

#include <Security/X509Templates.h>

#ifdef	__cplusplus
extern "C" {

 * Basic Constraints
 * NSS struct  : NSS_BasicConstraints
 * CDSA struct : CE_BasicConstraints
typedef struct {
	SecAsn1Item		cA;					// BOOL
	SecAsn1Item		pathLenConstraint;	// INTEGER optional
} NSS_BasicConstraints;

extern const SecAsn1Template kSecAsn1BasicConstraintsTemplate[];

 * Key Usage
 * NSS struct  : SecAsn1Item, BIT STRING - length in bits
 * CDSA struct : CE_KeyUsage
#define kSecAsn1KeyUsageTemplate		kSecAsn1BitStringTemplate

 * Extended Key Usage
 * NSS struct  : NSS_ExtKeyUsage
 * CDSA struct : CE_ExtendedKeyUsage
typedef struct {
	SecAsn1Oid	**purposes;
} NSS_ExtKeyUsage;
#define kSecAsn1ExtKeyUsageTemplate		kSecAsn1SequenceOfObjectIDTemplate

 * Subject Key Identifier
 * NSS struct  : SecAsn1Item
 * CDSA struct : CE_SubjectKeyID, typedef'd to a SecAsn1Item
#define kSecAsn1SubjectKeyIdTemplate	kSecAsn1OctetStringTemplate

 * Authority Key Identifier
 * NSS struct  : NSS_AuthorityKeyId
 * CDSA struct : CE_AuthorityKeyID
 * All fields are optional.
 * NOTE: due to an anomaly in the encoding module, if the first field
 * of a sequence is optional, it has to be a POINTER type. 
typedef struct {
	SecAsn1Item			*keyIdentifier;		// octet string
	NSS_GeneralNames	genNames;	
	SecAsn1Item			serialNumber;		// integer
} NSS_AuthorityKeyId;

extern const SecAsn1Template kSecAsn1AuthorityKeyIdTemplate[];

 * Certificate policies. 
 * NSS struct  : NSS_CertPolicies
 * CDSA struct : CE_CertPolicies
typedef struct {
	SecAsn1Oid		policyQualifierId;	// CSSMOID_QT_CPS, CSSMOID_QT_UNOTICE
	SecAsn1Item		qualifier;			// ASN_ANY, not interpreted here
} NSS_PolicyQualifierInfo;

extern const SecAsn1Template kSecAsn1PolicyQualifierTemplate[];

typedef struct {
	SecAsn1Oid				certPolicyId;
	NSS_PolicyQualifierInfo	**policyQualifiers;	// SEQUENCE OF
} NSS_PolicyInformation;

extern const SecAsn1Template kSecAsn1PolicyInformationTemplate[];

typedef struct {
	NSS_PolicyInformation	**policies;			// SEQUENCE OF
} NSS_CertPolicies;

extern const SecAsn1Template kSecAsn1CertPoliciesTemplate[];

 * netscape-cert-type
 * NSS struct  : SecAsn1Item, BIT STRING - length in bits
 * CDSA struct : CE_NetscapeCertType (a uint16)
#define kSecAsn1NetscapeCertTypeTemplate		kSecAsn1BitStringTemplate

 * CRL Distribution Points. 
 * NSS struct  : NSS_DistributionPoint, NSS_DistributionPoints
 * CDSA struct : CE_CRLDistributionPoint, CE_CRLDistributionPointSyntax

typedef struct {
	SecAsn1Item			*distPointName;		// ASN_ANY, optional
	SecAsn1Item			reasons;			// BIT_STRING, optional
	NSS_GeneralNames	crlIssuer;			// optional
} NSS_DistributionPoint;

typedef struct {
	NSS_DistributionPoint	**distPoints;	// SEQUENCE OF
} NSS_CRLDistributionPoints;

extern const SecAsn1Template kSecAsn1DistributionPointTemplate[];
extern const SecAsn1Template kSecAsn1CRLDistributionPointsTemplate[];

 * Resolving the NSS_DistributionPoint.distributionPoint option
 * involves inspecting the tag of the ASN_ANY and using one of
 * these templates. One the CDSA side the corresponding struct is
 * a CE_DistributionPointName.
 * This one resolves to an NSS_GeneralNames:
extern const SecAsn1Template kSecAsn1DistPointFullNameTemplate[];
 * This one resolves to an NSS_RDN.
extern const SecAsn1Template kSecAsn1DistPointRDNTemplate[];

 * Issuing distribution point.
 * NSS Struct  : NSS_IssuingDistributionPoint
 * CDSA struct : CE_IssuingDistributionPoint
 * All fields optional; default for ASN_BOOLs is false.
typedef struct {
	/* manually decode to a CE_DistributionPointName */
	SecAsn1Item			*distPointName;		// ASN_ANY, optional
	SecAsn1Item			*onlyUserCerts;		// ASN_BOOL
	SecAsn1Item			*onlyCACerts;		// ASN_BOOL
	SecAsn1Item			*onlySomeReasons;	// BIT STRING
	SecAsn1Item			*indirectCRL;		// ASN_BOOL
} NSS_IssuingDistributionPoint;

extern const SecAsn1Template kSecAsn1IssuingDistributionPointTemplate[];

 * Authority Information Access, Subject Information Access.
 * NSS Struct  : NSS_AuthorityInfoAccess
 * CDSA struct : CE_AuthorityInfoAccess
typedef struct {
	SecAsn1Item				accessMethod;
	/* NSS encoder just can't handle direct inline of an NSS_GeneralName here.
	 * After decode and prior to encode this is an encoded GeneralName. 
	SecAsn1Item				encodedAccessLocation;
} NSS_AccessDescription;

typedef struct {
	NSS_AccessDescription	**accessDescriptions;
} NSS_AuthorityInfoAccess;

extern const SecAsn1Template kSecAsn1AccessDescriptionTemplate[];
extern const SecAsn1Template kSecAsn1AuthorityInfoAccessTemplate[];

 * Qualified Certificate Statements support
typedef struct {
	SecAsn1Oid				*semanticsIdentifier;			/* optional */
	NSS_GeneralNames		*nameRegistrationAuthorities;	/* optional */
} NSS_SemanticsInformation;

typedef struct {
	SecAsn1Oid				statementId;
	SecAsn1Item				info;		/* optional, ANY */
} NSS_QC_Statement;

typedef struct {
	NSS_QC_Statement		**qcStatements;
} NSS_QC_Statements; 

extern const SecAsn1Template kSecAsn1SemanticsInformationTemplate[];
extern const SecAsn1Template kSecAsn1QC_StatementTemplate[];
extern const SecAsn1Template kSecAsn1QC_StatementsTemplate[];

 * NameConstraints support
typedef struct {
	NSS_GeneralNames		base;
	SecAsn1Item				minimum;	// INTEGER default=0
	SecAsn1Item				maximum;	// INTEGER optional
} NSS_GeneralSubtree;

typedef struct {
	NSS_GeneralSubtree		**subtrees; // SEQUENCE OF
} NSS_GeneralSubtrees; 

typedef struct {
	NSS_GeneralSubtrees		*permittedSubtrees; // optional
	NSS_GeneralSubtrees		*excludedSubtrees;  // optional
} NSS_NameConstraints; 

extern const SecAsn1Template kSecAsn1NameConstraintsTemplate[];

 * PolicyMappings support
typedef struct {
	SecAsn1Oid				issuerDomainPolicy;
	SecAsn1Oid				subjectDomainPolicy;
} NSS_PolicyMapping;

typedef struct {
	NSS_PolicyMapping		**policyMappings; // SEQUENCE OF
} NSS_PolicyMappings; 

extern const SecAsn1Template kSecAsn1PolicyMappingsTemplate[];

 * PolicyConstraints support
typedef struct {
	SecAsn1Item				requireExplicitPolicy;	// INTEGER optional
	SecAsn1Item				inhibitPolicyMapping;	// INTEGER optional
} NSS_PolicyConstraints;

extern const SecAsn1Template kSecAsn1PolicyConstraintsTemplate[];

 * InhibitAnyPolicy support
#define kSecAsn1InhibitAnyPolicyTemplate	kSecAsn1IntegerTemplate;

#ifdef	__cplusplus