[apple/security.git] / OSX / libsecurity_asn1 / lib / certExtensionTemplates.c

/*
 * Copyright (c) 2003-2006,2008,2010-2012 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 * 
 * certExtensionTemplates.cpp - libnssasn1 structs and templates for cert and 
 *                              CRL extensions
 *
 */
 
#include "certExtensionTemplates.h"
#include "SecAsn1Templates.h"
#include <stddef.h>

/* Basic Constraints */
const SecAsn1Template kSecAsn1BasicConstraintsTemplate[] = {
    { SEC_ASN1_SEQUENCE,
	  0, NULL, sizeof(NSS_BasicConstraints) },
    { SEC_ASN1_BOOLEAN | SEC_ASN1_OPTIONAL, 
	  offsetof(NSS_BasicConstraints,cA) },
    { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL,
	  offsetof(NSS_BasicConstraints, pathLenConstraint) },
    { 0, }
};

/* Authority Key Identifier */

/* signed integer - SEC_ASN1_SIGNED_INT state gets lost
 * in SEC_ASN1_CONTEXT_SPECIFIC processing */
const SecAsn1Template kSecAsn1SignedIntegerTemplate[] = {
    { SEC_ASN1_INTEGER | SEC_ASN1_SIGNED_INT, 0, NULL, sizeof(SecAsn1Item) }
};

const SecAsn1Template kSecAsn1AuthorityKeyIdTemplate[] = {
    { SEC_ASN1_SEQUENCE,
	  0, NULL, sizeof(NSS_AuthorityKeyId) },
    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 
	  SEC_ASN1_POINTER | 0, 
	  offsetof(NSS_AuthorityKeyId,keyIdentifier),
	  kSecAsn1OctetStringTemplate },
    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
	                      SEC_ASN1_CONTEXT_SPECIFIC | 1, 
	  offsetof(NSS_AuthorityKeyId,genNames), 
	  kSecAsn1GeneralNamesTemplate },
	/* serial number is SIGNED integer */
    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 2,
	  offsetof(NSS_AuthorityKeyId,serialNumber), 
	  kSecAsn1SignedIntegerTemplate},
	{ 0 }
};

/* Certificate policies */
const SecAsn1Template kSecAsn1PolicyQualifierTemplate[] = {
    { SEC_ASN1_SEQUENCE,
	  0, NULL, sizeof(NSS_PolicyQualifierInfo) },
    { SEC_ASN1_OBJECT_ID,  
	  offsetof(NSS_PolicyQualifierInfo,policyQualifierId) },
	{ SEC_ASN1_ANY, offsetof(NSS_PolicyQualifierInfo, qualifier) },
	{ 0 }
};

const SecAsn1Template kSecAsn1PolicyInformationTemplate[] = {
    { SEC_ASN1_SEQUENCE,
	  0, NULL, sizeof(NSS_PolicyInformation) },
    { SEC_ASN1_OBJECT_ID,  
	  offsetof(NSS_PolicyInformation,certPolicyId) },
	{ SEC_ASN1_SEQUENCE_OF | SEC_ASN1_OPTIONAL,
	  offsetof(NSS_PolicyInformation,policyQualifiers),
	  kSecAsn1PolicyQualifierTemplate },
	{ 0 }
};

const SecAsn1Template kSecAsn1CertPoliciesTemplate[] = {
	{ SEC_ASN1_SEQUENCE_OF,
	  offsetof(NSS_CertPolicies,policies),
	  kSecAsn1PolicyInformationTemplate },
	{ 0 }
};

/* CRL Distribution Points */

/*
 * NOTE WELL: RFC2459, and all the documentation I can find, claims that
 * the tag for the DistributionPointName option (tag 0) of a 
 * DistributionPoint is IMPLICIT and context-specific. However this
 * is IMPOSSIBLE - since the underlying type (DistributionPointName)
 * also relies upon context-specific tags to resolve a CHOICE. 
 * The real world indicates that the tag for the DistributionPoint option
 * is indeed EXPLICIT. Examination of many certs' cRLDistributionPoints
 * extensions shows this, and the NSS reference code also specifies
 * an EXPLICIT tag for this field. 
 */
const SecAsn1Template kSecAsn1DistributionPointTemplate[] = {
    { SEC_ASN1_SEQUENCE,
	  0, NULL, sizeof(NSS_DistributionPoint) },
	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
	  SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0,
	  offsetof(NSS_DistributionPoint,distPointName), 
	  kSecAsn1PointerToAnyTemplate },
	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 1,
	  offsetof(NSS_DistributionPoint,reasons), kSecAsn1BitStringTemplate},
	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
						  SEC_ASN1_CONSTRUCTED | 2,
	  offsetof(NSS_DistributionPoint, crlIssuer), 
	  kSecAsn1GeneralNamesTemplate
	},
	{ 0 }
};

const SecAsn1Template kSecAsn1CRLDistributionPointsTemplate[] = {
	{ SEC_ASN1_SEQUENCE_OF,
	  offsetof(NSS_CRLDistributionPoints,distPoints),
	  kSecAsn1DistributionPointTemplate },
	{ 0 }
};


/*
 * These are the context-specific targets of the DistributionPointName
 * option.
 */
const SecAsn1Template kSecAsn1DistPointFullNameTemplate[] = {
    {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0,
	offsetof (NSS_GeneralNames,names), kSecAsn1GeneralNamesTemplate}
};

const SecAsn1Template kSecAsn1DistPointRDNTemplate[] = {
    {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 1, 
	offsetof (NSS_RDN,atvs), kSecAsn1RDNTemplate}
};
	 
/*
 * Issuing distribution points
 *
 * Although the spec says that the DistributionPointName element
 * is context-specific, it must be explicit because the underlying
 * type - a DistributionPointName - also relies on a context-specific
 * tags to resolve a CHOICE.
 */

/* kludge: ASN decoder doesn't handle 
 * SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER
 * very well... */
static const SecAsn1Template kSecAsn1OptBooleanTemplate[] = {
    { SEC_ASN1_BOOLEAN | SEC_ASN1_OPTIONAL, 0, NULL, sizeof(SecAsn1Item) }
};

static const SecAsn1Template kSecAsn1OptBitStringTemplate[] = {
    { SEC_ASN1_BIT_STRING | SEC_ASN1_OPTIONAL, 0, NULL, sizeof(SecAsn1Item) }
};

const SecAsn1Template kSecAsn1IssuingDistributionPointTemplate[] = {
    { SEC_ASN1_SEQUENCE,
	  0, NULL, sizeof(NSS_IssuingDistributionPoint) },
	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 
	  SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0,
	  offsetof(NSS_IssuingDistributionPoint,distPointName), 
	  kSecAsn1PointerToAnyTemplate },
	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 1,
	  offsetof(NSS_IssuingDistributionPoint,onlyUserCerts), 
	  kSecAsn1OptBooleanTemplate},
	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 2,
	  offsetof(NSS_IssuingDistributionPoint,onlyCACerts), 
	  kSecAsn1OptBooleanTemplate},
	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 3,
	  offsetof(NSS_IssuingDistributionPoint,onlySomeReasons), 
	  kSecAsn1OptBitStringTemplate},
	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 4,
	  offsetof(NSS_IssuingDistributionPoint,indirectCRL), 
	  kSecAsn1OptBooleanTemplate},
	{ 0 }
};


/* 
 * Authority Information Access and Subject Information Access.
 */
const SecAsn1Template kSecAsn1AccessDescriptionTemplate[] = {
    { SEC_ASN1_SEQUENCE,
	  0, NULL, sizeof(NSS_AccessDescription) },
    { SEC_ASN1_OBJECT_ID,  
	  offsetof(NSS_AccessDescription,accessMethod) },
	/* 
	 * NSS encoder just can't handle direct inline of an NSS_GeneralName here.
	 */
    { SEC_ASN1_ANY,
      offsetof(NSS_AccessDescription, encodedAccessLocation) },
	{ 0 }
};

const SecAsn1Template kSecAsn1AuthorityInfoAccessTemplate[] = {
    { SEC_ASN1_SEQUENCE_OF, 
	  offsetof(NSS_AuthorityInfoAccess,accessDescriptions), 
	  kSecAsn1AccessDescriptionTemplate, 
	  sizeof(NSS_AuthorityInfoAccess) }
};

/*
 * Qualified Certificate Statements templates.
 *
 * This is the NSS_QC_Statement.info when NSS_QC_Statement.statementId
 * is CSSMOID_OID_QCS_SYNTAX_V2.
 */
const SecAsn1Template kSecAsn1SemanticsInformationTemplate[] = {
    { SEC_ASN1_SEQUENCE,
		0, NULL, sizeof(NSS_SemanticsInformation) },
	{ SEC_ASN1_OPTIONAL | SEC_ASN1_POINTER,
		offsetof(NSS_SemanticsInformation,semanticsIdentifier), 
		kSecAsn1ObjectIDTemplate },
	{ SEC_ASN1_OPTIONAL | SEC_ASN1_POINTER,
		offsetof(NSS_SemanticsInformation, nameRegistrationAuthorities), 
		kSecAsn1GeneralNamesTemplate },
	{ 0 }
};
		
const SecAsn1Template kSecAsn1QC_StatementTemplate[] = {
    { SEC_ASN1_SEQUENCE,
		0, NULL, sizeof(NSS_QC_Statement) },
    { SEC_ASN1_OBJECT_ID,  
		offsetof(NSS_QC_Statement,statementId) },
    { SEC_ASN1_ANY | SEC_ASN1_OPTIONAL,
		offsetof(NSS_QC_Statement, info) },
	{ 0 }
};

const SecAsn1Template kSecAsn1QC_StatementsTemplate[] = {
    { SEC_ASN1_SEQUENCE_OF, 
		offsetof(NSS_QC_Statements,qcStatements), 
		kSecAsn1QC_StatementTemplate, 
		sizeof(NSS_QC_Statements) }
};

/*
 * NameConstraints templates
 */
const SecAsn1Template kSecAsn1GeneralSubtreeTemplate[] = {
    { SEC_ASN1_SEQUENCE,
	  0, NULL, sizeof(NSS_GeneralSubtree) },
	{ SEC_ASN1_SEQUENCE,
	  offsetof(NSS_GeneralSubtree,base), 
	  kSecAsn1GeneralNamesTemplate },	
	{ SEC_ASN1_INTEGER,
	  offsetof(NSS_GeneralSubtree,minimum) },
	{ SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL,
	  offsetof(NSS_GeneralSubtree,maximum) },
    { 0, }
};

const SecAsn1Template kSecAsn1GeneralSubtreesTemplate[] = {
	{ SEC_ASN1_SEQUENCE_OF,
	  offsetof(NSS_GeneralSubtrees,subtrees),
	  kSecAsn1GeneralSubtreeTemplate },
	{ 0 }
};

const SecAsn1Template kSecAsn1NameConstraintsTemplate[] = {
    { SEC_ASN1_SEQUENCE,
	  0, NULL, sizeof(NSS_NameConstraints) },
	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
	  SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0,
	  offsetof(NSS_NameConstraints,permittedSubtrees), 
	  kSecAsn1GeneralSubtreesTemplate },
	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
	  SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 1,
	  offsetof(NSS_NameConstraints,excludedSubtrees), 
	  kSecAsn1GeneralSubtreesTemplate },
	{ 0 }
};

/*
 * PolicyMappings templates
 */
const SecAsn1Template kSecAsn1PolicyMappingTemplate[] = {
    { SEC_ASN1_SEQUENCE,
		0, NULL, sizeof(NSS_PolicyMapping) },
    { SEC_ASN1_OBJECT_ID,  
		offsetof(NSS_PolicyMapping,issuerDomainPolicy) },
    { SEC_ASN1_OBJECT_ID,  
		offsetof(NSS_PolicyMapping,subjectDomainPolicy) },
	{ 0 }
};

const SecAsn1Template kSecAsn1PolicyMappingsTemplate[] = {
	{ SEC_ASN1_SEQUENCE_OF,
	  offsetof(NSS_PolicyMappings,policyMappings),
	  kSecAsn1PolicyMappingTemplate },
	{ 0 }
};

/*
 * PolicyConstraints templates
 */
const SecAsn1Template kSecAsn1PolicyConstraintsTemplate[] = {
    { SEC_ASN1_SEQUENCE,
	  0, NULL, sizeof(NSS_PolicyConstraints) },
	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
	  SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0,
	  offsetof(NSS_PolicyConstraints,requireExplicitPolicy) },
	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
	  SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 1,
	  offsetof(NSS_PolicyConstraints,inhibitPolicyMapping) },
	{ 0 }
};
Commit	Line	Data
b1ab9ed8	1	/*
d8f41ccd	2	* Copyright (c) 2003-2006,2008,2010-2012 Apple Inc. All Rights Reserved.
b1ab9ed8 A	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*
	23	* certExtensionTemplates.cpp - libnssasn1 structs and templates for cert and
	24	* CRL extensions
	25	*
	26	*/
	27
	28	#include "certExtensionTemplates.h"
	29	#include "SecAsn1Templates.h"
	30	#include <stddef.h>
	31
	32	/* Basic Constraints */
	33	const SecAsn1Template kSecAsn1BasicConstraintsTemplate[] = {
	34	{ SEC_ASN1_SEQUENCE,
	35	0, NULL, sizeof(NSS_BasicConstraints) },
	36	{ SEC_ASN1_BOOLEAN \| SEC_ASN1_OPTIONAL,
	37	offsetof(NSS_BasicConstraints,cA) },
	38	{ SEC_ASN1_INTEGER \| SEC_ASN1_OPTIONAL,
	39	offsetof(NSS_BasicConstraints, pathLenConstraint) },
	40	{ 0, }
	41	};
	42
	43	/* Authority Key Identifier */
	44
	45	/* signed integer - SEC_ASN1_SIGNED_INT state gets lost
	46	* in SEC_ASN1_CONTEXT_SPECIFIC processing */
	47	const SecAsn1Template kSecAsn1SignedIntegerTemplate[] = {
	48	{ SEC_ASN1_INTEGER \| SEC_ASN1_SIGNED_INT, 0, NULL, sizeof(SecAsn1Item) }
	49	};
	50
	51	const SecAsn1Template kSecAsn1AuthorityKeyIdTemplate[] = {
	52	{ SEC_ASN1_SEQUENCE,
	53	0, NULL, sizeof(NSS_AuthorityKeyId) },
	54	{ SEC_ASN1_OPTIONAL \| SEC_ASN1_CONTEXT_SPECIFIC \|
	55	SEC_ASN1_POINTER \| 0,
	56	offsetof(NSS_AuthorityKeyId,keyIdentifier),
	57	kSecAsn1OctetStringTemplate },
	58	{ SEC_ASN1_OPTIONAL \| SEC_ASN1_CONSTRUCTED \|
	59	SEC_ASN1_CONTEXT_SPECIFIC \| 1,
	60	offsetof(NSS_AuthorityKeyId,genNames),
	61	kSecAsn1GeneralNamesTemplate },
	62	/* serial number is SIGNED integer */
	63	{ SEC_ASN1_OPTIONAL \| SEC_ASN1_CONTEXT_SPECIFIC \| 2,
	64	offsetof(NSS_AuthorityKeyId,serialNumber),
	65	kSecAsn1SignedIntegerTemplate},
	66	{ 0 }
67	};
68
69	/* Certificate policies */
70	const SecAsn1Template kSecAsn1PolicyQualifierTemplate[] = {
71	{ SEC_ASN1_SEQUENCE,
72	0, NULL, sizeof(NSS_PolicyQualifierInfo) },
73	{ SEC_ASN1_OBJECT_ID,
74	offsetof(NSS_PolicyQualifierInfo,policyQualifierId) },
75	{ SEC_ASN1_ANY, offsetof(NSS_PolicyQualifierInfo, qualifier) },
76	{ 0 }
77	};
78
79	const SecAsn1Template kSecAsn1PolicyInformationTemplate[] = {
80	{ SEC_ASN1_SEQUENCE,
81	0, NULL, sizeof(NSS_PolicyInformation) },
82	{ SEC_ASN1_OBJECT_ID,
83	offsetof(NSS_PolicyInformation,certPolicyId) },
84	{ SEC_ASN1_SEQUENCE_OF \| SEC_ASN1_OPTIONAL,
85	offsetof(NSS_PolicyInformation,policyQualifiers),
86	kSecAsn1PolicyQualifierTemplate },
87	{ 0 }
88	};
89
90	const SecAsn1Template kSecAsn1CertPoliciesTemplate[] = {
91	{ SEC_ASN1_SEQUENCE_OF,
92	offsetof(NSS_CertPolicies,policies),
93	kSecAsn1PolicyInformationTemplate },
94	{ 0 }
95	};
96
97	/* CRL Distribution Points */
98
99	/*
100	* NOTE WELL: RFC2459, and all the documentation I can find, claims that
101	* the tag for the DistributionPointName option (tag 0) of a
102	* DistributionPoint is IMPLICIT and context-specific. However this
103	* is IMPOSSIBLE - since the underlying type (DistributionPointName)
104	* also relies upon context-specific tags to resolve a CHOICE.
105	* The real world indicates that the tag for the DistributionPoint option
106	* is indeed EXPLICIT. Examination of many certs' cRLDistributionPoints
107	* extensions shows this, and the NSS reference code also specifies
108	* an EXPLICIT tag for this field.
109	*/
110	const SecAsn1Template kSecAsn1DistributionPointTemplate[] = {
111	{ SEC_ASN1_SEQUENCE,
112	0, NULL, sizeof(NSS_DistributionPoint) },
113	{ SEC_ASN1_OPTIONAL \| SEC_ASN1_CONTEXT_SPECIFIC \|
114	SEC_ASN1_CONSTRUCTED \| SEC_ASN1_EXPLICIT \| 0,
115	offsetof(NSS_DistributionPoint,distPointName),
116	kSecAsn1PointerToAnyTemplate },
117	{ SEC_ASN1_OPTIONAL \| SEC_ASN1_CONTEXT_SPECIFIC \| 1,
118	offsetof(NSS_DistributionPoint,reasons), kSecAsn1BitStringTemplate},
119	{ SEC_ASN1_OPTIONAL \| SEC_ASN1_CONTEXT_SPECIFIC \|
120	SEC_ASN1_CONSTRUCTED \| 2,
121	offsetof(NSS_DistributionPoint, crlIssuer),
122	kSecAsn1GeneralNamesTemplate
123	},
124	{ 0 }
125	};
126
127	const SecAsn1Template kSecAsn1CRLDistributionPointsTemplate[] = {
128	{ SEC_ASN1_SEQUENCE_OF,
129	offsetof(NSS_CRLDistributionPoints,distPoints),
130	kSecAsn1DistributionPointTemplate },
131	{ 0 }
132	};
133
134
135	/*
136	* These are the context-specific targets of the DistributionPointName
137	* option.
138	*/
139	const SecAsn1Template kSecAsn1DistPointFullNameTemplate[] = {
140	{SEC_ASN1_CONTEXT_SPECIFIC \| SEC_ASN1_CONSTRUCTED \| 0,
141	offsetof (NSS_GeneralNames,names), kSecAsn1GeneralNamesTemplate}
142	};
143
144	const SecAsn1Template kSecAsn1DistPointRDNTemplate[] = {
145	{SEC_ASN1_CONTEXT_SPECIFIC \| SEC_ASN1_CONSTRUCTED \| 1,
146	offsetof (NSS_RDN,atvs), kSecAsn1RDNTemplate}
147	};
148
149	/*
150	* Issuing distribution points
151	*
152	* Although the spec says that the DistributionPointName element
153	* is context-specific, it must be explicit because the underlying
154	* type - a DistributionPointName - also relies on a context-specific
155	* tags to resolve a CHOICE.
156	*/
157
158	/* kludge: ASN decoder doesn't handle
159	* SEC_ASN1_OPTIONAL \| SEC_ASN1_CONTEXT_SPECIFIC \| SEC_ASN1_POINTER
160	* very well... */
161	static const SecAsn1Template kSecAsn1OptBooleanTemplate[] = {
162	{ SEC_ASN1_BOOLEAN \| SEC_ASN1_OPTIONAL, 0, NULL, sizeof(SecAsn1Item) }
163	};
164
165	static const SecAsn1Template kSecAsn1OptBitStringTemplate[] = {
166	{ SEC_ASN1_BIT_STRING \| SEC_ASN1_OPTIONAL, 0, NULL, sizeof(SecAsn1Item) }
167	};
168
169	const SecAsn1Template kSecAsn1IssuingDistributionPointTemplate[] = {
170	{ SEC_ASN1_SEQUENCE,
171	0, NULL, sizeof(NSS_IssuingDistributionPoint) },
172	{ SEC_ASN1_OPTIONAL \| SEC_ASN1_CONTEXT_SPECIFIC \|
173	SEC_ASN1_CONSTRUCTED \| SEC_ASN1_EXPLICIT \| 0,
174	offsetof(NSS_IssuingDistributionPoint,distPointName),
175	kSecAsn1PointerToAnyTemplate },
176	{ SEC_ASN1_OPTIONAL \| SEC_ASN1_CONTEXT_SPECIFIC \| SEC_ASN1_POINTER \| 1,
177	offsetof(NSS_IssuingDistributionPoint,onlyUserCerts),
178	kSecAsn1OptBooleanTemplate},
179	{ SEC_ASN1_OPTIONAL \| SEC_ASN1_CONTEXT_SPECIFIC \| SEC_ASN1_POINTER \| 2,
180	offsetof(NSS_IssuingDistributionPoint,onlyCACerts),
181	kSecAsn1OptBooleanTemplate},
182	{ SEC_ASN1_OPTIONAL \| SEC_ASN1_CONTEXT_SPECIFIC \| SEC_ASN1_POINTER \| 3,
183	offsetof(NSS_IssuingDistributionPoint,onlySomeReasons),
184	kSecAsn1OptBitStringTemplate},
185	{ SEC_ASN1_OPTIONAL \| SEC_ASN1_CONTEXT_SPECIFIC \| SEC_ASN1_POINTER \| 4,
186	offsetof(NSS_IssuingDistributionPoint,indirectCRL),
187	kSecAsn1OptBooleanTemplate},
188	{ 0 }
189	};
190
191
192	/*
193	* Authority Information Access and Subject Information Access.
194	*/
195	const SecAsn1Template kSecAsn1AccessDescriptionTemplate[] = {
196	{ SEC_ASN1_SEQUENCE,
197	0, NULL, sizeof(NSS_AccessDescription) },
198	{ SEC_ASN1_OBJECT_ID,
199	offsetof(NSS_AccessDescription,accessMethod) },
200	/*
201	* NSS encoder just can't handle direct inline of an NSS_GeneralName here.
202	*/
203	{ SEC_ASN1_ANY,
204	offsetof(NSS_AccessDescription, encodedAccessLocation) },
205	{ 0 }
206	};
207
208	const SecAsn1Template kSecAsn1AuthorityInfoAccessTemplate[] = {
209	{ SEC_ASN1_SEQUENCE_OF,
210	offsetof(NSS_AuthorityInfoAccess,accessDescriptions),
211	kSecAsn1AccessDescriptionTemplate,
212	sizeof(NSS_AuthorityInfoAccess) }
213	};
214
215	/*
216	* Qualified Certificate Statements templates.
217	*
218	* This is the NSS_QC_Statement.info when NSS_QC_Statement.statementId
219	* is CSSMOID_OID_QCS_SYNTAX_V2.
220	*/
221	const SecAsn1Template kSecAsn1SemanticsInformationTemplate[] = {
222	{ SEC_ASN1_SEQUENCE,
223	0, NULL, sizeof(NSS_SemanticsInformation) },
224	{ SEC_ASN1_OPTIONAL \| SEC_ASN1_POINTER,
225	offsetof(NSS_SemanticsInformation,semanticsIdentifier),
226	kSecAsn1ObjectIDTemplate },
227	{ SEC_ASN1_OPTIONAL \| SEC_ASN1_POINTER,
228	offsetof(NSS_SemanticsInformation, nameRegistrationAuthorities),
229	kSecAsn1GeneralNamesTemplate },
230	{ 0 }
231	};
232
233	const SecAsn1Template kSecAsn1QC_StatementTemplate[] = {
234	{ SEC_ASN1_SEQUENCE,
235	0, NULL, sizeof(NSS_QC_Statement) },
236	{ SEC_ASN1_OBJECT_ID,
237	offsetof(NSS_QC_Statement,statementId) },
238	{ SEC_ASN1_ANY \| SEC_ASN1_OPTIONAL,
239	offsetof(NSS_QC_Statement, info) },
240	{ 0 }
241	};
242
243	const SecAsn1Template kSecAsn1QC_StatementsTemplate[] = {
244	{ SEC_ASN1_SEQUENCE_OF,
245	offsetof(NSS_QC_Statements,qcStatements),
246	kSecAsn1QC_StatementTemplate,
247	sizeof(NSS_QC_Statements) }
248	};
249
250	/*
251	* NameConstraints templates
252	*/
253	const SecAsn1Template kSecAsn1GeneralSubtreeTemplate[] = {
254	{ SEC_ASN1_SEQUENCE,
255	0, NULL, sizeof(NSS_GeneralSubtree) },
256	{ SEC_ASN1_SEQUENCE,
257	offsetof(NSS_GeneralSubtree,base),
258	kSecAsn1GeneralNamesTemplate },
259	{ SEC_ASN1_INTEGER,
260	offsetof(NSS_GeneralSubtree,minimum) },
261	{ SEC_ASN1_INTEGER \| SEC_ASN1_OPTIONAL,
262	offsetof(NSS_GeneralSubtree,maximum) },
263	{ 0, }
264	};
265
266	const SecAsn1Template kSecAsn1GeneralSubtreesTemplate[] = {
267	{ SEC_ASN1_SEQUENCE_OF,
268	offsetof(NSS_GeneralSubtrees,subtrees),
269	kSecAsn1GeneralSubtreeTemplate },
270	{ 0 }
271	};
272
273	const SecAsn1Template kSecAsn1NameConstraintsTemplate[] = {
274	{ SEC_ASN1_SEQUENCE,
275	0, NULL, sizeof(NSS_NameConstraints) },
276	{ SEC_ASN1_OPTIONAL \| SEC_ASN1_CONTEXT_SPECIFIC \|
277	SEC_ASN1_CONSTRUCTED \| SEC_ASN1_EXPLICIT \| 0,
278	offsetof(NSS_NameConstraints,permittedSubtrees),
279	kSecAsn1GeneralSubtreesTemplate },
280	{ SEC_ASN1_OPTIONAL \| SEC_ASN1_CONTEXT_SPECIFIC \|
281	SEC_ASN1_CONSTRUCTED \| SEC_ASN1_EXPLICIT \| 1,
282	offsetof(NSS_NameConstraints,excludedSubtrees),
283	kSecAsn1GeneralSubtreesTemplate },
284	{ 0 }
285	};
286
287	/*
288	* PolicyMappings templates
289	*/
290	const SecAsn1Template kSecAsn1PolicyMappingTemplate[] = {
291	{ SEC_ASN1_SEQUENCE,
292	0, NULL, sizeof(NSS_PolicyMapping) },
293	{ SEC_ASN1_OBJECT_ID,
294	offsetof(NSS_PolicyMapping,issuerDomainPolicy) },
295	{ SEC_ASN1_OBJECT_ID,
296	offsetof(NSS_PolicyMapping,subjectDomainPolicy) },
297	{ 0 }
298	};
299
300	const SecAsn1Template kSecAsn1PolicyMappingsTemplate[] = {
301	{ SEC_ASN1_SEQUENCE_OF,
302	offsetof(NSS_PolicyMappings,policyMappings),
303	kSecAsn1PolicyMappingTemplate },
304	{ 0 }
305	};
306
307	/*
308	* PolicyConstraints templates
309	*/
310	const SecAsn1Template kSecAsn1PolicyConstraintsTemplate[] = {
311	{ SEC_ASN1_SEQUENCE,
312	0, NULL, sizeof(NSS_PolicyConstraints) },
313	{ SEC_ASN1_OPTIONAL \| SEC_ASN1_CONTEXT_SPECIFIC \|
314	SEC_ASN1_CONSTRUCTED \| SEC_ASN1_EXPLICIT \| 0,
315	offsetof(NSS_PolicyConstraints,requireExplicitPolicy) },
316	{ SEC_ASN1_OPTIONAL \| SEC_ASN1_CONTEXT_SPECIFIC \|
317	SEC_ASN1_CONSTRUCTED \| SEC_ASN1_EXPLICIT \| 1,
318	offsetof(NSS_PolicyConstraints,inhibitPolicyMapping) },
319	{ 0 }
320	};
321
322