Source code

Revision control

Copy as Markdown

Other Tools

/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* This file defines the public API for libpkix. These are the top-level
* functions in the library. They perform the primary operations of this
* library: building and validating chains of X.509 certificates.
*
*/
#ifndef _PKIX_H
#define _PKIX_H
#include "pkixt.h"
#include "pkix_util.h"
#include "pkix_results.h"
#include "pkix_certstore.h"
#include "pkix_certsel.h"
#include "pkix_crlsel.h"
#include "pkix_checker.h"
#include "pkix_revchecker.h"
#include "pkix_pl_system.h"
#include "pkix_pl_pki.h"
#include "pkix_params.h"
#ifdef __cplusplus
extern "C" {
#endif
/* General
*
* Please refer to the libpkix Programmer's Guide for detailed information
* about how to use the libpkix library. Certain key warnings and notices from
* that document are repeated here for emphasis.
*
* All identifiers in this file (and all public identifiers defined in
* libpkix) begin with "PKIX_". Private identifiers only intended for use
* within the library begin with "pkix_".
*
* A function returns NULL upon success, and a PKIX_Error pointer upon failure.
*
* Unless otherwise noted, for all accessor (gettor) functions that return a
* PKIX_PL_Object pointer, callers should assume that this pointer refers to a
* shared object. Therefore, the caller should treat this shared object as
* read-only and should not modify this shared object. When done using the
* shared object, the caller should release the reference to the object by
* using the PKIX_PL_Object_DecRef function.
*
* While a function is executing, if its arguments (or anything referred to by
* its arguments) are modified, free'd, or destroyed, the function's behavior
* is undefined.
*
*/
/*
* FUNCTION: PKIX_Initialize
* DESCRIPTION:
*
* No PKIX_* types and functions should be used before this function is called
* and returns successfully. This function should only be called once. If it
* is called more than once, the behavior is undefined.
*
* NSS applications are expected to call NSS_Init, and need not know that
* NSS will call this function (with "platformInitNeeded" set to PKIX_FALSE).
* PKIX applications are expected instead to call this function with
* "platformInitNeeded" set to PKIX_TRUE.
*
* This function initializes data structures critical to the operation of
* libpkix. It also ensures that the API version (major.minor) desired by the
* caller (the "desiredMajorVersion", "minDesiredMinorVersion", and
* "maxDesiredMinorVersion") is compatible with the API version supported by
* the library. As such, the library must support the "desiredMajorVersion"
* of the API and must support a minor version that falls between
* "minDesiredMinorVersion" and "maxDesiredMinorVersion", inclusive. If
* compatibility exists, the function returns NULL and stores the library's
* actual minor version at "pActualMinorVersion" (which may be greater than
* "desiredMinorVersion"). If no compatibility exists, the function returns a
* PKIX_Error pointer. If the caller wishes to specify that the largest
* minor version available should be used, then maxDesiredMinorVersion should
* be set to the macro PKIX_MAX_MINOR_VERSION (defined in pkixt.h).
*
* PARAMETERS:
* "platformInitNeeded"
* Boolean indicating whether the platform layer initialization code
* has previously been run, or should be called from this function.
* "desiredMajorVersion"
* The major version of the libpkix API the application wishes to use.
* "minDesiredMinorVersion"
* The minimum minor version of the libpkix API the application wishes
* to use.
* "maxDesiredMinorVersion"
* The maximum minor version of the libpkix API the application wishes
* to use.
* "pActualMinorVersion"
* Address where PKIX_UInt32 will be stored. Must be non-NULL.
* "pPlContext"
* Address at which platform-specific context pointer is stored. Must
* be non-NULL.
* THREAD SAFETY:
* Not Thread Safe
* RETURNS:
* Returns NULL if the function succeeds.
* Returns an Initialize Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_Initialize(
PKIX_Boolean platformInitNeeded,
PKIX_UInt32 desiredMajorVersion,
PKIX_UInt32 minDesiredMinorVersion,
PKIX_UInt32 maxDesiredMinorVersion,
PKIX_UInt32 *pActualMinorVersion,
void **pPlContext);
/*
* FUNCTION: PKIX_Shutdown
* DESCRIPTION:
*
* This function deallocates any memory used by libpkix and shuts down any
* ongoing operations. This function should only be called once. If it is
* called more than once, the behavior is undefined.
*
* No PKIX_* types and functions should be used after this function is called
* and returns successfully.
* PARAMETERS:
* "plContext" - Platform-specific context pointer.
* THREAD SAFETY:
* Not Thread Safe
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_Shutdown(void *plContext);
/*
* FUNCTION: PKIX_ValidateChain
* DESCRIPTION:
*
* This function attempts to validate the CertChain that has been set in the
* ValidateParams pointed to by "params" using an RFC 3280-compliant
* algorithm. If successful, this function returns NULL and stores the
* ValidateResult at "pResult", which holds additional information, such as
* the policy tree and the target's public key. If unsuccessful, an Error is
* returned. Note: This function does not currently support non-blocking I/O.
*
* If "pVerifyTree" is non-NULL, a chain of VerifyNodes is created which
* tracks the results of the validation. That is, either each node in the
* chain has a NULL Error component, or the last node contains an Error
* which indicates why the validation failed.
*
* PARAMETERS:
* "params"
* Address of ValidateParams used to validate CertChain. Must be non-NULL.
* "pResult"
* Address where object pointer will be stored. Must be non-NULL.
* "pVerifyTree"
* Address where a VerifyTree is stored, if non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (See Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Validate Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ValidateChain(
PKIX_ValidateParams *params,
PKIX_ValidateResult **pResult,
PKIX_VerifyNode **pVerifyTree,
void *plContext);
/*
* FUNCTION: PKIX_ValidateChain_NB
* DESCRIPTION:
*
* This function is the equivalent of PKIX_ValidateChain, except that it
* supports non-blocking I/O. When called with "pNBIOContext" pointing to NULL
* it initiates a new chain validation as in PKIX_ValidateChain, ignoring the
* value in all input variables except "params". If forced to suspend
* processing by a WOULDBLOCK return from some operation, such as a CertStore
* request, it stores the platform-dependent I/O context at "pNBIOContext" and
* stores other intermediate variables at "pCertIndex", "pAnchorIndex",
* "pCheckerIndex", "pRevChecking", and "pCheckers".
*
* When called subsequently with that non-NULL value at "pNBIOContext", it
* relies on those intermediate values to be untouched, and it resumes chain
* validation where it left off. Its behavior is undefined if any of the
* intermediate values was not preserved.
*
* PARAMETERS:
* "params"
* Address of ValidateParams used to validate CertChain. Must be non-NULL.
* "pCertIndex"
* The UInt32 value of the index to the Cert chain, indicating which Cert
* is currently being processed.
* "pAnchorIndex"
* The UInt32 value of the index to the Anchor chain, indicating which
* Trust Anchor is currently being processed.
* "pCheckerIndex"
* The UInt32 value of the index to the List of CertChainCheckers,
* indicating which Checker is currently processing.
* "pRevChecking"
* The Boolean flag indicating whether normal checking or revocation
* checking is occurring for the Cert indicated by "pCertIndex".
* "pCheckers"
* The address of the List of CertChainCheckers. Must be non-NULL.
* "pNBIOContext"
* The address of the platform-dependend I/O context. Must be a non-NULL
* pointer to a NULL value for the call to initiate chain validation.
* "pResult"
* Address where ValidateResult object pointer will be stored. Must be
* non-NULL.
* "pVerifyTree"
* Address where a VerifyTree is stored, if non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a VALIDATE Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/PKIX_Error *
PKIX_ValidateChain_NB(
PKIX_ValidateParams *params,
PKIX_UInt32 *pCertIndex,
PKIX_UInt32 *pAnchorIndex,
PKIX_UInt32 *pCheckerIndex,
PKIX_Boolean *pRevChecking,
PKIX_List **pCheckers,
void **pNBIOContext,
PKIX_ValidateResult **pResult,
PKIX_VerifyNode **pVerifyTree,
void *plContext);
/*
* FUNCTION: PKIX_BuildChain
* DESCRIPTION:
*
* If called with a NULL "state", this function attempts to build and validate
* a CertChain according to the ProcessingParams pointed to by "params", using
* an RFC 3280-compliant validation algorithm. If successful, this function
* returns NULL and stores the BuildResult at "pResult", which holds the built
* CertChain, as well as additional information, such as the policy tree and
* the target's public key. If unsuccessful, an Error is returned.
*
* If the chain building is blocked by a CertStore using non-blocking I/O, this
* function stores platform-dependent non-blocking I/O context at
* "pNBIOContext", its state at "pState", and NULL at "pResult". The caller
* may be able to determine, in a platform-dependent way, when the I/O has
* completed. In any case, calling the function again with "pState" containing
* the returned value will allow the chain building to resume.
*
* If chain building is completed, either successfully or unsuccessfully, NULL
* is stored at "pNBIOContext".
*
* If "pVerifyTree" is non-NULL, a tree of VerifyNodes is created which
* tracks the results of the building. That is, each node of the tree either
* has a NULL Error component, or it is a leaf node and it contains an Error
* which indicates why the chain building could not proceed on this branch.
*
* PARAMETERS:
* "params"
* Address of ProcessingParams used to build and validate CertChain.
* Must be non-NULL.
* "pNBIOContext"
* Address where platform-dependent information is store if the build
* is suspended waiting for non-blocking I/O. Must be non-NULL.
* "pState"
* Address of BuildChain state. Must be NULL on initial call, and the
* value previously returned on subsequent calls.
* "pResult"
* Address where object pointer will be stored. Must be non-NULL.
* "pVerifyTree"
* Address where a VerifyTree is stored, if non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (See Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Build Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_BuildChain(
PKIX_ProcessingParams *params,
void **pNBIOContext,
void **pState,
PKIX_BuildResult **pResult,
PKIX_VerifyNode **pVerifyNode,
void *plContext);
#ifdef __cplusplus
}
#endif
#endif /* _PKIX_H */