OLD | NEW |
---|---|
1 /* This Source Code Form is subject to the terms of the Mozilla Public | 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
2 * License, v. 2.0. If a copy of the MPL was not distributed with this | 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
4 | 4 |
5 #ifndef _PKCS11N_H_ | 5 #ifndef _PKCS11N_H_ |
6 #define _PKCS11N_H_ | 6 #define _PKCS11N_H_ |
7 | 7 |
8 /* | 8 /* |
9 * pkcs11n.h | 9 * pkcs11n.h |
10 * | 10 * |
(...skipping 10 matching lines...) Expand all Loading... | |
21 * 0x80000001, 0x80000002, etc. area. So I've picked an offset, | 21 * 0x80000001, 0x80000002, etc. area. So I've picked an offset, |
22 * and constructed values for the beginnings of our spaces. | 22 * and constructed values for the beginnings of our spaces. |
23 * | 23 * |
24 * Note that some "historical" Netscape values don't fall within | 24 * Note that some "historical" Netscape values don't fall within |
25 * this range. | 25 * this range. |
26 */ | 26 */ |
27 #define NSSCK_VENDOR_NSS 0x4E534350 /* NSCP */ | 27 #define NSSCK_VENDOR_NSS 0x4E534350 /* NSCP */ |
28 | 28 |
29 /* | 29 /* |
30 * NSS-defined object classes | 30 * NSS-defined object classes |
31 * | 31 * |
32 */ | 32 */ |
33 #define CKO_NSS (CKO_VENDOR_DEFINED|NSSCK_VENDOR_NSS) | 33 #define CKO_NSS (CKO_VENDOR_DEFINED|NSSCK_VENDOR_NSS) |
34 | 34 |
35 #define CKO_NSS_CRL (CKO_NSS + 1) | 35 #define CKO_NSS_CRL (CKO_NSS + 1) |
36 #define CKO_NSS_SMIME (CKO_NSS + 2) | 36 #define CKO_NSS_SMIME (CKO_NSS + 2) |
37 #define CKO_NSS_TRUST (CKO_NSS + 3) | 37 #define CKO_NSS_TRUST (CKO_NSS + 3) |
38 #define CKO_NSS_BUILTIN_ROOT_LIST (CKO_NSS + 4) | 38 #define CKO_NSS_BUILTIN_ROOT_LIST (CKO_NSS + 4) |
39 #define CKO_NSS_NEWSLOT (CKO_NSS + 5) | 39 #define CKO_NSS_NEWSLOT (CKO_NSS + 5) |
40 #define CKO_NSS_DELSLOT (CKO_NSS + 6) | 40 #define CKO_NSS_DELSLOT (CKO_NSS + 6) |
41 | 41 |
(...skipping 117 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
159 * Output key class: CKO_PRIVATE_KEY | 159 * Output key class: CKO_PRIVATE_KEY |
160 * Parameter type: CK_NSS_JPAKERound1Params | 160 * Parameter type: CK_NSS_JPAKERound1Params |
161 * | 161 * |
162 */ | 162 */ |
163 #define CKM_NSS_JPAKE_ROUND1_SHA1 (CKM_NSS + 7) | 163 #define CKM_NSS_JPAKE_ROUND1_SHA1 (CKM_NSS + 7) |
164 #define CKM_NSS_JPAKE_ROUND1_SHA256 (CKM_NSS + 8) | 164 #define CKM_NSS_JPAKE_ROUND1_SHA256 (CKM_NSS + 8) |
165 #define CKM_NSS_JPAKE_ROUND1_SHA384 (CKM_NSS + 9) | 165 #define CKM_NSS_JPAKE_ROUND1_SHA384 (CKM_NSS + 9) |
166 #define CKM_NSS_JPAKE_ROUND1_SHA512 (CKM_NSS + 10) | 166 #define CKM_NSS_JPAKE_ROUND1_SHA512 (CKM_NSS + 10) |
167 | 167 |
168 /* J-PAKE round 2 key derivation mechanisms. | 168 /* J-PAKE round 2 key derivation mechanisms. |
169 * | 169 * |
170 * Required template attributes: CKA_NSS_JPAKE_PEERID | 170 * Required template attributes: CKA_NSS_JPAKE_PEERID |
171 * Input key type: CKK_NSS_JPAKE_ROUND1 | 171 * Input key type: CKK_NSS_JPAKE_ROUND1 |
172 * Output key type: CKK_NSS_JPAKE_ROUND2 | 172 * Output key type: CKK_NSS_JPAKE_ROUND2 |
173 * Output key class: CKO_PRIVATE_KEY | 173 * Output key class: CKO_PRIVATE_KEY |
174 * Parameter type: CK_NSS_JPAKERound2Params | 174 * Parameter type: CK_NSS_JPAKERound2Params |
175 */ | 175 */ |
176 #define CKM_NSS_JPAKE_ROUND2_SHA1 (CKM_NSS + 11) | 176 #define CKM_NSS_JPAKE_ROUND2_SHA1 (CKM_NSS + 11) |
177 #define CKM_NSS_JPAKE_ROUND2_SHA256 (CKM_NSS + 12) | 177 #define CKM_NSS_JPAKE_ROUND2_SHA256 (CKM_NSS + 12) |
178 #define CKM_NSS_JPAKE_ROUND2_SHA384 (CKM_NSS + 13) | 178 #define CKM_NSS_JPAKE_ROUND2_SHA384 (CKM_NSS + 13) |
179 #define CKM_NSS_JPAKE_ROUND2_SHA512 (CKM_NSS + 14) | 179 #define CKM_NSS_JPAKE_ROUND2_SHA512 (CKM_NSS + 14) |
180 | 180 |
181 /* J-PAKE final key material derivation mechanisms | 181 /* J-PAKE final key material derivation mechanisms |
182 * | 182 * |
183 * Input key type: CKK_NSS_JPAKE_ROUND2 | 183 * Input key type: CKK_NSS_JPAKE_ROUND2 |
184 * Output key type: CKK_GENERIC_SECRET | 184 * Output key type: CKK_GENERIC_SECRET |
185 * Output key class: CKO_SECRET_KEY | 185 * Output key class: CKO_SECRET_KEY |
186 * Parameter type: CK_NSS_JPAKEFinalParams | 186 * Parameter type: CK_NSS_JPAKEFinalParams |
187 * | 187 * |
188 * You must apply a KDF (e.g. CKM_NSS_HKDF_*) to resultant keying material | 188 * You must apply a KDF (e.g. CKM_NSS_HKDF_*) to resultant keying material |
189 * to get a key with uniformly distributed bits. | 189 * to get a key with uniformly distributed bits. |
190 */ | 190 */ |
191 #define CKM_NSS_JPAKE_FINAL_SHA1 (CKM_NSS + 15) | 191 #define CKM_NSS_JPAKE_FINAL_SHA1 (CKM_NSS + 15) |
192 #define CKM_NSS_JPAKE_FINAL_SHA256 (CKM_NSS + 16) | 192 #define CKM_NSS_JPAKE_FINAL_SHA256 (CKM_NSS + 16) |
193 #define CKM_NSS_JPAKE_FINAL_SHA384 (CKM_NSS + 17) | 193 #define CKM_NSS_JPAKE_FINAL_SHA384 (CKM_NSS + 17) |
194 #define CKM_NSS_JPAKE_FINAL_SHA512 (CKM_NSS + 18) | 194 #define CKM_NSS_JPAKE_FINAL_SHA512 (CKM_NSS + 18) |
195 | 195 |
196 /* Constant-time MAC mechanisms: | 196 /* Constant-time MAC mechanisms: |
197 * | 197 * |
198 * These operations verify a padded, MAC-then-encrypt block of data in | 198 * These operations verify a padded, MAC-then-encrypt block of data in |
(...skipping 10 matching lines...) Expand all Loading... | |
209 */ | 209 */ |
210 #define CKM_NSS_HMAC_CONSTANT_TIME (CKM_NSS + 19) | 210 #define CKM_NSS_HMAC_CONSTANT_TIME (CKM_NSS + 19) |
211 #define CKM_NSS_SSL3_MAC_CONSTANT_TIME (CKM_NSS + 20) | 211 #define CKM_NSS_SSL3_MAC_CONSTANT_TIME (CKM_NSS + 20) |
212 | 212 |
213 /* TLS 1.2 mechanisms */ | 213 /* TLS 1.2 mechanisms */ |
214 #define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21) | 214 #define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21) |
215 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22) | 215 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22) |
216 #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23) | 216 #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23) |
217 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) | 217 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) |
218 | 218 |
219 #define CKM_NSS_CHACHA20_KEY_GEN (CKM_NSS + 25) | 219 /* TLS extended master secret derivation */ |
220 #define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 26) | 220 #define CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE (CKM_NSS + 25) |
221 #define CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH (CKM_NSS + 26) | |
222 | |
223 #define CKM_NSS_CHACHA20_KEY_GEN (CKM_NSS + 27) | |
224 #define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 28) | |
davidben
2015/12/11 22:10:58
I assume we have no more consumers of these symbol
Ryan Sleevi
2015/12/11 22:20:44
We actually don't ship the CHACHA20_POLY1305 patch
| |
221 | 225 |
222 /* | 226 /* |
223 * HISTORICAL: | 227 * HISTORICAL: |
224 * Do not attempt to use these. They are only used by NETSCAPE's internal | 228 * Do not attempt to use these. They are only used by NETSCAPE's internal |
225 * PKCS #11 interface. Most of these are place holders for other mechanism | 229 * PKCS #11 interface. Most of these are place holders for other mechanism |
226 * and will change in the future. | 230 * and will change in the future. |
227 */ | 231 */ |
228 #define CKM_NETSCAPE_PBE_SHA1_DES_CBC 0x80000002UL | 232 #define CKM_NETSCAPE_PBE_SHA1_DES_CBC 0x80000002UL |
229 #define CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC 0x80000003UL | 233 #define CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC 0x80000003UL |
230 #define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC 0x80000004UL | 234 #define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC 0x80000004UL |
(...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
298 * NSS-defined return values | 302 * NSS-defined return values |
299 * | 303 * |
300 */ | 304 */ |
301 #define CKR_NSS (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NSS) | 305 #define CKR_NSS (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NSS) |
302 | 306 |
303 #define CKR_NSS_CERTDB_FAILED (CKR_NSS + 1) | 307 #define CKR_NSS_CERTDB_FAILED (CKR_NSS + 1) |
304 #define CKR_NSS_KEYDB_FAILED (CKR_NSS + 2) | 308 #define CKR_NSS_KEYDB_FAILED (CKR_NSS + 2) |
305 | 309 |
306 /* Mandatory parameter for the CKM_NSS_HKDF_* key deriviation mechanisms. | 310 /* Mandatory parameter for the CKM_NSS_HKDF_* key deriviation mechanisms. |
307 See RFC 5869. | 311 See RFC 5869. |
308 | 312 |
309 bExtract: If set, HKDF-Extract will be applied to the input key. If | 313 bExtract: If set, HKDF-Extract will be applied to the input key. If |
310 the optional salt is given, it is used; otherwise, the salt is | 314 the optional salt is given, it is used; otherwise, the salt is |
311 set to a sequence of zeros equal in length to the HMAC output. | 315 set to a sequence of zeros equal in length to the HMAC output. |
312 If bExpand is not set, then the key template given to | 316 If bExpand is not set, then the key template given to |
313 C_DeriveKey must indicate an output key size less than or equal | 317 C_DeriveKey must indicate an output key size less than or equal |
314 to the output size of the HMAC. | 318 to the output size of the HMAC. |
315 | 319 |
316 bExpand: If set, HKDF-Expand will be applied to the input key (if | 320 bExpand: If set, HKDF-Expand will be applied to the input key (if |
317 bExtract is not set) or to the result of HKDF-Extract (if | 321 bExtract is not set) or to the result of HKDF-Extract (if |
318 bExtract is set). Any info given in the optional pInfo field will | 322 bExtract is set). Any info given in the optional pInfo field will |
319 be included in the calculation. | 323 be included in the calculation. |
320 | 324 |
321 The size of the output key must be specified in the template passed to | 325 The size of the output key must be specified in the template passed to |
322 C_DeriveKey. | 326 C_DeriveKey. |
323 */ | 327 */ |
324 typedef struct CK_NSS_HKDFParams { | 328 typedef struct CK_NSS_HKDFParams { |
325 CK_BBOOL bExtract; | 329 CK_BBOOL bExtract; |
326 CK_BYTE_PTR pSalt; | 330 CK_BYTE_PTR pSalt; |
327 CK_ULONG ulSaltLen; | 331 CK_ULONG ulSaltLen; |
328 CK_BBOOL bExpand; | 332 CK_BBOOL bExpand; |
329 CK_BYTE_PTR pInfo; | 333 CK_BYTE_PTR pInfo; |
330 CK_ULONG ulInfoLen; | 334 CK_ULONG ulInfoLen; |
331 } CK_NSS_HKDFParams; | 335 } CK_NSS_HKDFParams; |
332 | 336 |
333 /* | 337 /* |
338 * Parameter for the TLS extended master secret key derivation mechanisms: | |
339 * | |
340 * * CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE | |
341 * * CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH | |
342 * | |
343 * For the TLS 1.2 PRF, the prfHashMechanism parameter determines the hash | |
344 * function used. For earlier versions of the PRF, set the prfHashMechanism | |
345 * value to CKM_TLS_PRF. | |
346 * | |
347 * The session hash input is expected to be the output of the same hash | |
348 * function as the PRF uses (as required by draft-ietf-tls-session-hash). So | |
349 * the ulSessionHashLen member must be equal the output length of the hash | |
350 * function specified by the prfHashMechanism member (or, for pre-TLS 1.2 PRF, | |
351 * the length of concatenated MD5 and SHA-1 digests). | |
352 * | |
353 */ | |
354 typedef struct CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS { | |
355 CK_MECHANISM_TYPE prfHashMechanism; | |
356 CK_BYTE_PTR pSessionHash; | |
357 CK_ULONG ulSessionHashLen; | |
358 CK_VERSION_PTR pVersion; | |
359 } CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS; | |
360 | |
361 | |
362 /* | |
334 * Trust info | 363 * Trust info |
335 * | 364 * |
336 * This isn't part of the Cryptoki standard (yet), so I'm putting | 365 * This isn't part of the Cryptoki standard (yet), so I'm putting |
337 * all the definitions here. Some of this would move to nssckt.h | 366 * all the definitions here. Some of this would move to nssckt.h |
338 * if trust info were made part of the standard. In view of this | 367 * if trust info were made part of the standard. In view of this |
339 * possibility, I'm putting my (NSS) values in the NSS | 368 * possibility, I'm putting my (NSS) values in the NSS |
340 * vendor space, like everything else. | 369 * vendor space, like everything else. |
341 */ | 370 */ |
342 | 371 |
343 typedef CK_ULONG CK_TRUST; | 372 typedef CK_ULONG CK_TRUST; |
344 | 373 |
345 /* The following trust types are defined: */ | 374 /* The following trust types are defined: */ |
346 #define CKT_VENDOR_DEFINED 0x80000000 | 375 #define CKT_VENDOR_DEFINED 0x80000000 |
347 | 376 |
348 #define CKT_NSS (CKT_VENDOR_DEFINED|NSSCK_VENDOR_NSS) | 377 #define CKT_NSS (CKT_VENDOR_DEFINED|NSSCK_VENDOR_NSS) |
349 | 378 |
350 /* If trust goes standard, these'll probably drop out of vendor space. */ | 379 /* If trust goes standard, these'll probably drop out of vendor space. */ |
351 #define CKT_NSS_TRUSTED (CKT_NSS + 1) | 380 #define CKT_NSS_TRUSTED (CKT_NSS + 1) |
352 #define CKT_NSS_TRUSTED_DELEGATOR (CKT_NSS + 2) | 381 #define CKT_NSS_TRUSTED_DELEGATOR (CKT_NSS + 2) |
353 #define CKT_NSS_MUST_VERIFY_TRUST (CKT_NSS + 3) | 382 #define CKT_NSS_MUST_VERIFY_TRUST (CKT_NSS + 3) |
354 #define CKT_NSS_NOT_TRUSTED (CKT_NSS + 10) | 383 #define CKT_NSS_NOT_TRUSTED (CKT_NSS + 10) |
355 #define CKT_NSS_TRUST_UNKNOWN (CKT_NSS + 5) /* default */ | 384 #define CKT_NSS_TRUST_UNKNOWN (CKT_NSS + 5) /* default */ |
356 | 385 |
357 /* | 386 /* |
358 * These may well remain NSS-specific; I'm only using them | 387 * These may well remain NSS-specific; I'm only using them |
359 * to cache resolution data. | 388 * to cache resolution data. |
360 */ | 389 */ |
361 #define CKT_NSS_VALID_DELEGATOR (CKT_NSS + 11) | 390 #define CKT_NSS_VALID_DELEGATOR (CKT_NSS + 11) |
362 | 391 |
363 | 392 |
364 /* | 393 /* |
365 * old definitions. They still exist, but the plain meaning of the | 394 * old definitions. They still exist, but the plain meaning of the |
366 * labels have never been accurate to what was really implemented. | 395 * labels have never been accurate to what was really implemented. |
367 * The new labels correctly reflect what the values effectively mean. | 396 * The new labels correctly reflect what the values effectively mean. |
(...skipping 90 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
458 * | 487 * |
459 * The function 'FIND' returns an array of PKCS #11 initialization strings | 488 * The function 'FIND' returns an array of PKCS #11 initialization strings |
460 * The function 'ADD' takes a PKCS #11 initialization string and stores it. | 489 * The function 'ADD' takes a PKCS #11 initialization string and stores it. |
461 * The function 'DEL' takes a 'name= library=' value and deletes the associated | 490 * The function 'DEL' takes a 'name= library=' value and deletes the associated |
462 * string. | 491 * string. |
463 * The function 'RELEASE' frees the array returned by 'FIND' | 492 * The function 'RELEASE' frees the array returned by 'FIND' |
464 */ | 493 */ |
465 #define SECMOD_MODULE_DB_FUNCTION_FIND 0 | 494 #define SECMOD_MODULE_DB_FUNCTION_FIND 0 |
466 #define SECMOD_MODULE_DB_FUNCTION_ADD 1 | 495 #define SECMOD_MODULE_DB_FUNCTION_ADD 1 |
467 #define SECMOD_MODULE_DB_FUNCTION_DEL 2 | 496 #define SECMOD_MODULE_DB_FUNCTION_DEL 2 |
468 #define SECMOD_MODULE_DB_FUNCTION_RELEASE 3 | 497 #define SECMOD_MODULE_DB_FUNCTION_RELEASE 3 |
469 typedef char ** (PR_CALLBACK *SECMODModuleDBFunc)(unsigned long function, | 498 typedef char ** (PR_CALLBACK *SECMODModuleDBFunc)(unsigned long function, |
470 char *parameters, void *moduleSpec); | 499 char *parameters, void *moduleSpec); |
471 | 500 |
472 /* softoken slot ID's */ | 501 /* softoken slot ID's */ |
473 #define SFTK_MIN_USER_SLOT_ID 4 | 502 #define SFTK_MIN_USER_SLOT_ID 4 |
474 #define SFTK_MAX_USER_SLOT_ID 100 | 503 #define SFTK_MAX_USER_SLOT_ID 100 |
475 #define SFTK_MIN_FIPS_USER_SLOT_ID 101 | 504 #define SFTK_MIN_FIPS_USER_SLOT_ID 101 |
476 #define SFTK_MAX_FIPS_USER_SLOT_ID 127 | 505 #define SFTK_MAX_FIPS_USER_SLOT_ID 127 |
477 | 506 |
478 | 507 |
479 #endif /* _PKCS11N_H_ */ | 508 #endif /* _PKCS11N_H_ */ |
OLD | NEW |