OLD | NEW |
| (Empty) |
1 /* This Source Code Form is subject to the terms of the Mozilla Public | |
2 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
4 #ifndef _SECMODT_H_ | |
5 #define _SECMODT_H_ 1 | |
6 | |
7 #include "nssrwlkt.h" | |
8 #include "nssilckt.h" | |
9 #include "secoid.h" | |
10 #include "secasn1.h" | |
11 #include "pkcs11t.h" | |
12 | |
13 SEC_BEGIN_PROTOS | |
14 | |
15 /* find a better home for these... */ | |
16 extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[]; | |
17 SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate) | |
18 extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[]; | |
19 SEC_ASN1_CHOOSER_DECLARE(SECKEY_EncryptedPrivateKeyInfoTemplate) | |
20 extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[]; | |
21 SEC_ASN1_CHOOSER_DECLARE(SECKEY_PrivateKeyInfoTemplate) | |
22 extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[]; | |
23 SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToPrivateKeyInfoTemplate) | |
24 | |
25 SEC_END_PROTOS | |
26 | |
27 /* PKCS11 needs to be included */ | |
28 typedef struct SECMODModuleStr SECMODModule; | |
29 typedef struct SECMODModuleListStr SECMODModuleList; | |
30 typedef NSSRWLock SECMODListLock; | |
31 typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */ | |
32 typedef struct PK11PreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */ | |
33 typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */ | |
34 typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */ | |
35 typedef struct PK11SlotListStr PK11SlotList; | |
36 typedef struct PK11SlotListElementStr PK11SlotListElement; | |
37 typedef struct PK11RSAGenParamsStr PK11RSAGenParams; | |
38 typedef unsigned long SECMODModuleID; | |
39 typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry; | |
40 typedef struct PK11GenericObjectStr PK11GenericObject; | |
41 typedef void (*PK11FreeDataFunc)(void *); | |
42 | |
43 struct SECMODModuleStr { | |
44 PLArenaPool *arena; | |
45 PRBool internal; /* true of internally linked modules, false | |
46 * for the loaded modules */ | |
47 PRBool loaded; /* Set to true if module has been loaded */ | |
48 PRBool isFIPS; /* Set to true if module is finst internal */ | |
49 char *dllName; /* name of the shared library which implements | |
50 * this module */ | |
51 char *commonName; /* name of the module to display to the user */ | |
52 void *library; /* pointer to the library. opaque. used only by | |
53 * pk11load.c */ | |
54 void *functionList; /* The PKCS #11 function table */ | |
55 PZLock *refLock; /* only used pk11db.c */ | |
56 int refCount; /* Module reference count */ | |
57 PK11SlotInfo **slots; /* array of slot points attached to this mod*/ | |
58 int slotCount; /* count of slot in above array */ | |
59 PK11PreSlotInfo *slotInfo; /* special info about slots default settings */ | |
60 int slotInfoCount; /* count */ | |
61 SECMODModuleID moduleID; /* ID so we can find this module again */ | |
62 PRBool isThreadSafe; | |
63 unsigned long ssl[2]; /* SSL cipher enable flags */ | |
64 char *libraryParams; /* Module specific parameters */ | |
65 void *moduleDBFunc; /* function to return module configuration data*/ | |
66 SECMODModule *parent; /* module that loaded us */ | |
67 PRBool isCritical; /* This module must load successfully */ | |
68 PRBool isModuleDB; /* this module has lists of PKCS #11 modules */ | |
69 PRBool moduleDBOnly; /* this module only has lists of PKCS #11 module
s */ | |
70 int trustOrder; /* order for this module's certificate trust rol
lup */ | |
71 int cipherOrder; /* order for cipher operations */ | |
72 unsigned long evControlMask; /* control the running and shutdown of slot | |
73 * events (SECMOD_WaitForAnyTokenEvent) */ | |
74 CK_VERSION cryptokiVersion; /* version of this library */ | |
75 }; | |
76 | |
77 /* evControlMask flags */ | |
78 /* | |
79 * These bits tell the current state of a SECMOD_WaitForAnyTokenEvent. | |
80 * | |
81 * SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in | |
82 * C_WaitForSlotEvent(). | |
83 * SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code | |
84 * which polls for token insertion and removal events. | |
85 * SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is | |
86 * waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent | |
87 * should return immediately to it's caller. | |
88 */ | |
89 #define SECMOD_END_WAIT 0x01 | |
90 #define SECMOD_WAIT_SIMULATED_EVENT 0x02 | |
91 #define SECMOD_WAIT_PKCS11_EVENT 0x04 | |
92 | |
93 struct SECMODModuleListStr { | |
94 SECMODModuleList *next; | |
95 SECMODModule *module; | |
96 }; | |
97 | |
98 struct PK11SlotListStr { | |
99 PK11SlotListElement *head; | |
100 PK11SlotListElement *tail; | |
101 PZLock *lock; | |
102 }; | |
103 | |
104 struct PK11SlotListElementStr { | |
105 PK11SlotListElement *next; | |
106 PK11SlotListElement *prev; | |
107 PK11SlotInfo *slot; | |
108 int refCount; | |
109 }; | |
110 | |
111 struct PK11RSAGenParamsStr { | |
112 int keySizeInBits; | |
113 unsigned long pe; | |
114 }; | |
115 | |
116 typedef enum { | |
117 PK11CertListUnique = 0, /* get one instance of all certs */ | |
118 PK11CertListUser = 1, /* get all instances of user certs */ | |
119 PK11CertListRootUnique = 2, /* get one instance of CA certs without a priva
te key. | |
120 * deprecated. Use PK11CertListCAUnique | |
121 */ | |
122 PK11CertListCA = 3, /* get all instances of CA certs */ | |
123 PK11CertListCAUnique = 4, /* get one instance of CA certs */ | |
124 PK11CertListUserUnique = 5, /* get one instance of user certs */ | |
125 PK11CertListAll = 6 /* get all instances of all certs */ | |
126 } PK11CertListType; | |
127 | |
128 /* | |
129 * Entry into the Array which lists all the legal bits for the default flags | |
130 * in the slot, their definition, and the PKCS #11 mechanism the represent | |
131 * Always Statically allocated. | |
132 */ | |
133 struct PK11DefaultArrayEntryStr { | |
134 char *name; | |
135 unsigned long flag; | |
136 unsigned long mechanism; /* this is a long so we don't include the | |
137 * whole pkcs 11 world to use this header */ | |
138 }; | |
139 | |
140 | |
141 #define SECMOD_RSA_FLAG 0x00000001L | |
142 #define SECMOD_DSA_FLAG 0x00000002L | |
143 #define SECMOD_RC2_FLAG 0x00000004L | |
144 #define SECMOD_RC4_FLAG 0x00000008L | |
145 #define SECMOD_DES_FLAG 0x00000010L | |
146 #define SECMOD_DH_FLAG 0x00000020L | |
147 #define SECMOD_FORTEZZA_FLAG 0x00000040L | |
148 #define SECMOD_RC5_FLAG 0x00000080L | |
149 #define SECMOD_SHA1_FLAG 0x00000100L | |
150 #define SECMOD_MD5_FLAG 0x00000200L | |
151 #define SECMOD_MD2_FLAG 0x00000400L | |
152 #define SECMOD_SSL_FLAG 0x00000800L | |
153 #define SECMOD_TLS_FLAG 0x00001000L | |
154 #define SECMOD_AES_FLAG 0x00002000L | |
155 #define SECMOD_SHA256_FLAG 0x00004000L | |
156 #define SECMOD_SHA512_FLAG 0x00008000L /* also for SHA384 */ | |
157 #define SECMOD_CAMELLIA_FLAG 0x00010000L /* = PUBLIC_MECH_CAMELLIA_FLAG */ | |
158 #define SECMOD_SEED_FLAG 0x00020000L | |
159 /* reserved bit for future, do not use */ | |
160 #define SECMOD_RESERVED_FLAG 0X08000000L | |
161 #define SECMOD_FRIENDLY_FLAG 0x10000000L | |
162 #define SECMOD_RANDOM_FLAG 0x80000000L | |
163 | |
164 /* need to make SECMOD and PK11 prefixes consistant. */ | |
165 #define PK11_OWN_PW_DEFAULTS 0x20000000L | |
166 #define PK11_DISABLE_FLAG 0x40000000L | |
167 | |
168 /* | |
169 * PK11AttrFlags | |
170 * | |
171 * A 32-bit bitmask of PK11_ATTR_XXX flags | |
172 */ | |
173 typedef PRUint32 PK11AttrFlags; | |
174 | |
175 /* | |
176 * PK11_ATTR_XXX | |
177 * | |
178 * The following PK11_ATTR_XXX bitflags are used to specify | |
179 * PKCS #11 object attributes that have Boolean values. Some NSS | |
180 * functions have a "PK11AttrFlags attrFlags" parameter whose value | |
181 * is the logical OR of these bitflags. NSS use these bitflags on | |
182 * private keys or secret keys. Some of these bitflags also apply | |
183 * to the public keys associated with the private keys. | |
184 * | |
185 * For each PKCS #11 object attribute, we need two bitflags to | |
186 * specify not only "true" and "false" but also "default". For | |
187 * example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the | |
188 * CKA_PRIVATE attribute. If PK11_ATTR_PRIVATE is set, we add | |
189 * { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) } | |
190 * to the template. If PK11_ATTR_PUBLIC is set, we add | |
191 * { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) } | |
192 * to the template. If neither flag is set, we don't add any | |
193 * CKA_PRIVATE entry to the template. | |
194 */ | |
195 | |
196 /* | |
197 * Attributes for PKCS #11 storage objects, which include not only | |
198 * keys but also certificates and domain parameters. | |
199 */ | |
200 | |
201 /* | |
202 * PK11_ATTR_TOKEN | |
203 * PK11_ATTR_SESSION | |
204 * | |
205 * These two flags determine whether the object is a token or | |
206 * session object. | |
207 * | |
208 * These two flags are related and cannot both be set. | |
209 * If the PK11_ATTR_TOKEN flag is set, the object is a token | |
210 * object. If the PK11_ATTR_SESSION flag is set, the object is | |
211 * a session object. If neither flag is set, the object is *by | |
212 * default* a session object. | |
213 * | |
214 * These two flags specify the value of the PKCS #11 CKA_TOKEN | |
215 * attribute. | |
216 */ | |
217 #define PK11_ATTR_TOKEN 0x00000001L | |
218 #define PK11_ATTR_SESSION 0x00000002L | |
219 | |
220 /* | |
221 * PK11_ATTR_PRIVATE | |
222 * PK11_ATTR_PUBLIC | |
223 * | |
224 * These two flags determine whether the object is a private or | |
225 * public object. A user may not access a private object until the | |
226 * user has authenticated to the token. | |
227 * | |
228 * These two flags are related and cannot both be set. | |
229 * If the PK11_ATTR_PRIVATE flag is set, the object is a private | |
230 * object. If the PK11_ATTR_PUBLIC flag is set, the object is a | |
231 * public object. If neither flag is set, it is token-specific | |
232 * whether the object is private or public. | |
233 * | |
234 * These two flags specify the value of the PKCS #11 CKA_PRIVATE | |
235 * attribute. NSS only uses this attribute on private and secret | |
236 * keys, so public keys created by NSS get the token-specific | |
237 * default value of the CKA_PRIVATE attribute. | |
238 */ | |
239 #define PK11_ATTR_PRIVATE 0x00000004L | |
240 #define PK11_ATTR_PUBLIC 0x00000008L | |
241 | |
242 /* | |
243 * PK11_ATTR_MODIFIABLE | |
244 * PK11_ATTR_UNMODIFIABLE | |
245 * | |
246 * These two flags determine whether the object is modifiable or | |
247 * read-only. | |
248 * | |
249 * These two flags are related and cannot both be set. | |
250 * If the PK11_ATTR_MODIFIABLE flag is set, the object can be | |
251 * modified. If the PK11_ATTR_UNMODIFIABLE flag is set, the object | |
252 * is read-only. If neither flag is set, the object is *by default* | |
253 * modifiable. | |
254 * | |
255 * These two flags specify the value of the PKCS #11 CKA_MODIFIABLE | |
256 * attribute. | |
257 */ | |
258 #define PK11_ATTR_MODIFIABLE 0x00000010L | |
259 #define PK11_ATTR_UNMODIFIABLE 0x00000020L | |
260 | |
261 /* Attributes for PKCS #11 key objects. */ | |
262 | |
263 /* | |
264 * PK11_ATTR_SENSITIVE | |
265 * PK11_ATTR_INSENSITIVE | |
266 * | |
267 * These two flags are related and cannot both be set. | |
268 * If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive. | |
269 * If the PK11_ATTR_INSENSITIVE flag is set, the key is not | |
270 * sensitive. If neither flag is set, it is token-specific whether | |
271 * the key is sensitive or not. | |
272 * | |
273 * If a key is sensitive, certain attributes of the key cannot be | |
274 * revealed in plaintext outside the token. | |
275 * | |
276 * This flag specifies the value of the PKCS #11 CKA_SENSITIVE | |
277 * attribute. Although the default value of the CKA_SENSITIVE | |
278 * attribute for secret keys is CK_FALSE per PKCS #11, some FIPS | |
279 * tokens set the default value to CK_TRUE because only CK_TRUE | |
280 * is allowed. So in practice the default value of this attribute | |
281 * is token-specific, hence the need for two bitflags. | |
282 */ | |
283 #define PK11_ATTR_SENSITIVE 0x00000040L | |
284 #define PK11_ATTR_INSENSITIVE 0x00000080L | |
285 | |
286 /* | |
287 * PK11_ATTR_EXTRACTABLE | |
288 * PK11_ATTR_UNEXTRACTABLE | |
289 * | |
290 * These two flags are related and cannot both be set. | |
291 * If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable | |
292 * and can be wrapped. If the PK11_ATTR_UNEXTRACTABLE flag is set, | |
293 * the key is not extractable, and certain attributes of the key | |
294 * cannot be revealed in plaintext outside the token (just like a | |
295 * sensitive key). If neither flag is set, it is token-specific | |
296 * whether the key is extractable or not. | |
297 * | |
298 * These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE | |
299 * attribute. | |
300 */ | |
301 #define PK11_ATTR_EXTRACTABLE 0x00000100L | |
302 #define PK11_ATTR_UNEXTRACTABLE 0x00000200L | |
303 | |
304 /* Cryptographic module types */ | |
305 #define SECMOD_EXTERNAL 0 /* external module */ | |
306 #define SECMOD_INTERNAL 1 /* internal default module */ | |
307 #define SECMOD_FIPS 2 /* internal fips module */ | |
308 | |
309 /* default module configuration strings */ | |
310 #define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2
,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]" | |
311 | |
312 #define SECMOD_MAKE_NSS_FLAGS(fips,slot) \ | |
313 "Flags=internal,critical" fips " slotparams=(" #slot "={" SECMOD_SLOT_FLAGS "})" | |
314 | |
315 #define SECMOD_INT_NAME "NSS Internal PKCS #11 Module" | |
316 #define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("",1) | |
317 #define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module" | |
318 #define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips",3) | |
319 | |
320 /* | |
321 * What is the origin of a given Key. Normally this doesn't matter, but | |
322 * the fortezza code needs to know if it needs to invoke the SSL3 fortezza | |
323 * hack. | |
324 */ | |
325 typedef enum { | |
326 PK11_OriginNULL = 0, /* There is not key, it's a null SymKey */ | |
327 PK11_OriginDerive = 1, /* Key was derived from some other key */ | |
328 PK11_OriginGenerated = 2, /* Key was generated (also PBE keys) */ | |
329 PK11_OriginFortezzaHack = 3,/* Key was marked for fortezza hack */ | |
330 PK11_OriginUnwrap = 4 /* Key was unwrapped or decrypted */ | |
331 } PK11Origin; | |
332 | |
333 /* PKCS #11 disable reasons */ | |
334 typedef enum { | |
335 PK11_DIS_NONE = 0, | |
336 PK11_DIS_USER_SELECTED = 1, | |
337 PK11_DIS_COULD_NOT_INIT_TOKEN = 2, | |
338 PK11_DIS_TOKEN_VERIFY_FAILED = 3, | |
339 PK11_DIS_TOKEN_NOT_PRESENT = 4 | |
340 } PK11DisableReasons; | |
341 | |
342 /* types of PKCS #11 objects | |
343 * used to identify which NSS data structure is | |
344 * passed to the PK11_Raw* functions. Types map as follows: | |
345 * PK11_TypeGeneric PK11GenericObject * | |
346 * PK11_TypePrivKey SECKEYPrivateKey * | |
347 * PK11_TypePubKey SECKEYPublicKey * | |
348 * PK11_TypeSymKey PK11SymKey * | |
349 * PK11_TypeCert CERTCertificate * (currently not used). | |
350 */ | |
351 typedef enum { | |
352 PK11_TypeGeneric = 0, | |
353 PK11_TypePrivKey = 1, | |
354 PK11_TypePubKey = 2, | |
355 PK11_TypeCert = 3, | |
356 PK11_TypeSymKey = 4 | |
357 } PK11ObjectType; | |
358 | |
359 | |
360 | |
361 /* function pointer type for password callback function. | |
362 * This type is passed in to PK11_SetPasswordFunc() | |
363 */ | |
364 typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry,
void *arg); | |
365 typedef PRBool (PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *a
rg); | |
366 typedef PRBool (PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg); | |
367 | |
368 /* | |
369 * Special strings the password callback function can return only if | |
370 * the slot is an protected auth path slot. | |
371 */ | |
372 #define PK11_PW_RETRY "RETRY" /* an failed attempt to authenticate | |
373 * has already been made, just retry | |
374 * the operation */ | |
375 #define PK11_PW_AUTHENTICATED "AUTH" /* a successful attempt to authenticate | |
376 * has completed. Continue without | |
377 * another call to C_Login */ | |
378 /* All other non-null values mean that that NSS could call C_Login to force | |
379 * the authentication. The following define is to aid applications in | |
380 * documenting that is what it's trying to do */ | |
381 #define PK11_PW_TRY "TRY" /* Default: a prompt has been presented | |
382 * to the user, initiate a C_Login | |
383 * to authenticate the token */ | |
384 | |
385 /* | |
386 * PKCS #11 key structures | |
387 */ | |
388 | |
389 /* | |
390 ** Attributes | |
391 */ | |
392 struct SECKEYAttributeStr { | |
393 SECItem attrType; | |
394 SECItem **attrValue; | |
395 }; | |
396 typedef struct SECKEYAttributeStr SECKEYAttribute; | |
397 | |
398 /* | |
399 ** A PKCS#8 private key info object | |
400 */ | |
401 struct SECKEYPrivateKeyInfoStr { | |
402 PLArenaPool *arena; | |
403 SECItem version; | |
404 SECAlgorithmID algorithm; | |
405 SECItem privateKey; | |
406 SECKEYAttribute **attributes; | |
407 }; | |
408 typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo; | |
409 | |
410 /* | |
411 ** A PKCS#8 private key info object | |
412 */ | |
413 struct SECKEYEncryptedPrivateKeyInfoStr { | |
414 PLArenaPool *arena; | |
415 SECAlgorithmID algorithm; | |
416 SECItem encryptedData; | |
417 }; | |
418 typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo; | |
419 | |
420 /* | |
421 * token removal detection | |
422 */ | |
423 typedef enum { | |
424 PK11TokenNotRemovable = 0, | |
425 PK11TokenPresent = 1, | |
426 PK11TokenChanged = 2, | |
427 PK11TokenRemoved = 3 | |
428 } PK11TokenStatus; | |
429 | |
430 typedef enum { | |
431 PK11TokenRemovedOrChangedEvent = 0, | |
432 PK11TokenPresentEvent = 1 | |
433 } PK11TokenEvent; | |
434 | |
435 /* | |
436 * CRL Import Flags | |
437 */ | |
438 #define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000 | |
439 #define CRL_IMPORT_BYPASS_CHECKS 0x00000001 | |
440 | |
441 | |
442 /* | |
443 * Merge Error Log | |
444 */ | |
445 typedef struct PK11MergeLogStr PK11MergeLog; | |
446 typedef struct PK11MergeLogNodeStr PK11MergeLogNode; | |
447 | |
448 /* These need to be global, leave some open fields so we can 'expand' | |
449 * these without breaking binary compatibility */ | |
450 struct PK11MergeLogNodeStr { | |
451 PK11MergeLogNode *next; /* next entry in the list */ | |
452 PK11MergeLogNode *prev; /* last entry in the list */ | |
453 PK11GenericObject *object; /* object that failed */ | |
454 int error; /* what the error was */ | |
455 CK_RV reserved1; | |
456 unsigned long reserved2; /* future flags */ | |
457 unsigned long reserved3; /* future scalar */ | |
458 void *reserved4; /* future pointer */ | |
459 void *reserved5; /* future expansion pointer */ | |
460 }; | |
461 | |
462 struct PK11MergeLogStr { | |
463 PK11MergeLogNode *head; | |
464 PK11MergeLogNode *tail; | |
465 PLArenaPool *arena; | |
466 int version; | |
467 unsigned long reserved1; | |
468 unsigned long reserved2; | |
469 unsigned long reserved3; | |
470 void *reserverd4; | |
471 void *reserverd5; | |
472 }; | |
473 | |
474 | |
475 #endif /*_SECMODT_H_ */ | |
OLD | NEW |