OLD | NEW |
| (Empty) |
1 /* | |
2 * NSS utility functions | |
3 * | |
4 * This Source Code Form is subject to the terms of the Mozilla Public | |
5 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
7 | |
8 #ifndef __nss_h_ | |
9 #define __nss_h_ | |
10 | |
11 /* The private macro _NSS_ECC_STRING is for NSS internal use only. */ | |
12 #ifndef NSS_DISABLE_ECC | |
13 #ifdef NSS_ECC_MORE_THAN_SUITE_B | |
14 #define _NSS_ECC_STRING " Extended ECC" | |
15 #else | |
16 #define _NSS_ECC_STRING " Basic ECC" | |
17 #endif | |
18 #else | |
19 #define _NSS_ECC_STRING "" | |
20 #endif | |
21 | |
22 /* The private macro _NSS_CUSTOMIZED is for NSS internal use only. */ | |
23 #if defined(NSS_ALLOW_UNSUPPORTED_CRITICAL) | |
24 #define _NSS_CUSTOMIZED " (Customized build)" | |
25 #else | |
26 #define _NSS_CUSTOMIZED | |
27 #endif | |
28 | |
29 /* | |
30 * NSS's major version, minor version, patch level, build number, and whether | |
31 * this is a beta release. | |
32 * | |
33 * The format of the version string should be | |
34 * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>]
[ <Beta>]" | |
35 */ | |
36 #define NSS_VERSION "3.23" _NSS_ECC_STRING _NSS_CUSTOMIZED | |
37 #define NSS_VMAJOR 3 | |
38 #define NSS_VMINOR 23 | |
39 #define NSS_VPATCH 0 | |
40 #define NSS_VBUILD 0 | |
41 #define NSS_BETA PR_FALSE | |
42 | |
43 #ifndef RC_INVOKED | |
44 | |
45 #include "seccomon.h" | |
46 | |
47 typedef struct NSSInitParametersStr NSSInitParameters; | |
48 | |
49 /* | |
50 * parameters used to initialize softoken. Mostly strings used to | |
51 * internationalize softoken. Memory for the strings are owned by the caller, | |
52 * who is free to free them once NSS_ContextInit returns. If the string | |
53 * parameter is NULL (as opposed to empty, zero length), then the softoken | |
54 * default is used. These are equivalent to the parameters for | |
55 * PK11_ConfigurePKCS11(). | |
56 * | |
57 * field names match their equivalent parameter names for softoken strings | |
58 * documented at https://developer.mozilla.org/en/PKCS11_Module_Specs. | |
59 * | |
60 * minPWLen | |
61 * Minimum password length in bytes. | |
62 * manufacturerID | |
63 * Override the default manufactureID value for the module returned in | |
64 * the CK_INFO, CK_SLOT_INFO, and CK_TOKEN_INFO structures with an | |
65 * internationalize string (UTF8). This value will be truncated at 32 | |
66 * bytes (not including the trailing NULL, partial UTF8 characters will be | |
67 * dropped). | |
68 * libraryDescription | |
69 * Override the default libraryDescription value for the module returned in | |
70 * the CK_INFO structure with an internationalize string (UTF8). This value | |
71 * will be truncated at 32 bytes(not including the trailing NULL, partial | |
72 * UTF8 characters will be dropped). | |
73 * cryptoTokenDescription | |
74 * Override the default label value for the internal crypto token returned | |
75 * in the CK_TOKEN_INFO structure with an internationalize string (UTF8). | |
76 * This value will be truncated at 32 bytes (not including the trailing | |
77 * NULL, partial UTF8 characters will be dropped). | |
78 * dbTokenDescription | |
79 * Override the default label value for the internal DB token returned in | |
80 * the CK_TOKEN_INFO structure with an internationalize string (UTF8). This | |
81 * value will be truncated at 32 bytes (not including the trailing NULL, | |
82 * partial UTF8 characters will be dropped). | |
83 * FIPSTokenDescription | |
84 * Override the default label value for the internal FIPS token returned in | |
85 * the CK_TOKEN_INFO structure with an internationalize string (UTF8). This | |
86 * value will be truncated at 32 bytes (not including the trailing NULL, | |
87 * partial UTF8 characters will be dropped). | |
88 * cryptoSlotDescription | |
89 * Override the default slotDescription value for the internal crypto token | |
90 * returned in the CK_SLOT_INFO structure with an internationalize string | |
91 * (UTF8). This value will be truncated at 64 bytes (not including the | |
92 * trailing NULL, partial UTF8 characters will be dropped). | |
93 * dbSlotDescription | |
94 * Override the default slotDescription value for the internal DB token | |
95 * returned in the CK_SLOT_INFO structure with an internationalize string | |
96 * (UTF8). This value will be truncated at 64 bytes (not including the | |
97 * trailing NULL, partial UTF8 characters will be dropped). | |
98 * FIPSSlotDescription | |
99 * Override the default slotDecription value for the internal FIPS token | |
100 * returned in the CK_SLOT_INFO structure with an internationalize string | |
101 * (UTF8). This value will be truncated at 64 bytes (not including the | |
102 * trailing NULL, partial UTF8 characters will be dropped). | |
103 * | |
104 */ | |
105 struct NSSInitParametersStr { | |
106 unsigned int length; /* allow this structure to grow in the future, | |
107 * must be set */ | |
108 PRBool passwordRequired; | |
109 int minPWLen; | |
110 char * manufactureID; /* variable names for strings match the */ | |
111 char * libraryDescription; /* parameter name in softoken */ | |
112 char * cryptoTokenDescription; | |
113 char * dbTokenDescription; | |
114 char * FIPSTokenDescription; | |
115 char * cryptoSlotDescription; | |
116 char * dbSlotDescription; | |
117 char * FIPSSlotDescription; | |
118 }; | |
119 | |
120 | |
121 SEC_BEGIN_PROTOS | |
122 | |
123 /* | |
124 * Return a boolean that indicates whether the underlying library | |
125 * will perform as the caller expects. | |
126 * | |
127 * The only argument is a string, which should be the version | |
128 * identifier of the NSS library. That string will be compared | |
129 * against a string that represents the actual build version of | |
130 * the NSS library. | |
131 */ | |
132 extern PRBool NSS_VersionCheck(const char *importedVersion); | |
133 | |
134 /* | |
135 * Returns a const string of the NSS library version. | |
136 */ | |
137 extern const char *NSS_GetVersion(void); | |
138 | |
139 /* | |
140 * Open the Cert, Key, and Security Module databases, read only. | |
141 * Initialize the Random Number Generator. | |
142 * Does not initialize the cipher policies or enables. | |
143 * Default policy settings disallow all ciphers. | |
144 */ | |
145 extern SECStatus NSS_Init(const char *configdir); | |
146 | |
147 /* | |
148 * Returns whether NSS has already been initialized or not. | |
149 */ | |
150 extern PRBool NSS_IsInitialized(void); | |
151 | |
152 /* | |
153 * Open the Cert, Key, and Security Module databases, read/write. | |
154 * Initialize the Random Number Generator. | |
155 * Does not initialize the cipher policies or enables. | |
156 * Default policy settings disallow all ciphers. | |
157 */ | |
158 extern SECStatus NSS_InitReadWrite(const char *configdir); | |
159 | |
160 /* | |
161 * Open the Cert, Key, and Security Module databases, read/write. | |
162 * Initialize the Random Number Generator. | |
163 * Does not initialize the cipher policies or enables. | |
164 * Default policy settings disallow all ciphers. | |
165 * | |
166 * This allows using application defined prefixes for the cert and key db's | |
167 * and an alternate name for the secmod database. NOTE: In future releases, | |
168 * the database prefixes my not necessarily map to database names. | |
169 * | |
170 * configdir - base directory where all the cert, key, and module datbases live. | |
171 * certPrefix - prefix added to the beginning of the cert database example: " | |
172 * "https-server1-" | |
173 * keyPrefix - prefix added to the beginning of the key database example: " | |
174 * "https-server1-" | |
175 * secmodName - name of the security module database (usually "secmod.db"). | |
176 * flags - change the open options of NSS_Initialize as follows: | |
177 * NSS_INIT_READONLY - Open the databases read only. | |
178 * NSS_INIT_NOCERTDB - Don't open the cert DB and key DB's, just | |
179 * initialize the volatile certdb. | |
180 * NSS_INIT_NOMODDB - Don't open the security module DB, just | |
181 * initialize the PKCS #11 module. | |
182 * NSS_INIT_FORCEOPEN - Continue to force initializations even if the | |
183 * databases cannot be opened. | |
184 * NSS_INIT_NOROOTINIT - Don't try to look for the root certs module | |
185 * automatically. | |
186 * NSS_INIT_OPTIMIZESPACE - Use smaller tables and caches. | |
187 * NSS_INIT_PK11THREADSAFE - only load PKCS#11 modules that are | |
188 * thread-safe, ie. that support locking - either OS | |
189 * locking or NSS-provided locks . If a PKCS#11 | |
190 * module isn't thread-safe, don't serialize its | |
191 * calls; just don't load it instead. This is necessary | |
192 * if another piece of code is using the same PKCS#11 | |
193 * modules that NSS is accessing without going through | |
194 * NSS, for example the Java SunPKCS11 provider. | |
195 * NSS_INIT_PK11RELOAD - ignore the CKR_CRYPTOKI_ALREADY_INITIALIZED | |
196 * error when loading PKCS#11 modules. This is necessary | |
197 * if another piece of code is using the same PKCS#11 | |
198 * modules that NSS is accessing without going through | |
199 * NSS, for example Java SunPKCS11 provider. | |
200 * NSS_INIT_NOPK11FINALIZE - never call C_Finalize on any | |
201 * PKCS#11 module. This may be necessary in order to | |
202 * ensure continuous operation and proper shutdown | |
203 * sequence if another piece of code is using the same | |
204 * PKCS#11 modules that NSS is accessing without going | |
205 * through NSS, for example Java SunPKCS11 provider. | |
206 * The following limitation applies when this is set : | |
207 * SECMOD_WaitForAnyTokenEvent will not use | |
208 * C_WaitForSlotEvent, in order to prevent the need for | |
209 * C_Finalize. This call will be emulated instead. | |
210 * NSS_INIT_RESERVED - Currently has no effect, but may be used in the | |
211 * future to trigger better cooperation between PKCS#11 | |
212 * modules used by both NSS and the Java SunPKCS11 | |
213 * provider. This should occur after a new flag is defined | |
214 * for C_Initialize by the PKCS#11 working group. | |
215 * NSS_INIT_COOPERATE - Sets 4 recommended options for applications that | |
216 * use both NSS and the Java SunPKCS11 provider. | |
217 * | |
218 * Also NOTE: This is not the recommended method for initializing NSS. | |
219 * The preferred method is NSS_init(). | |
220 */ | |
221 #define NSS_INIT_READONLY 0x1 | |
222 #define NSS_INIT_NOCERTDB 0x2 | |
223 #define NSS_INIT_NOMODDB 0x4 | |
224 #define NSS_INIT_FORCEOPEN 0x8 | |
225 #define NSS_INIT_NOROOTINIT 0x10 | |
226 #define NSS_INIT_OPTIMIZESPACE 0x20 | |
227 #define NSS_INIT_PK11THREADSAFE 0x40 | |
228 #define NSS_INIT_PK11RELOAD 0x80 | |
229 #define NSS_INIT_NOPK11FINALIZE 0x100 | |
230 #define NSS_INIT_RESERVED 0x200 | |
231 | |
232 #define NSS_INIT_COOPERATE NSS_INIT_PK11THREADSAFE | \ | |
233 NSS_INIT_PK11RELOAD | \ | |
234 NSS_INIT_NOPK11FINALIZE | \ | |
235 NSS_INIT_RESERVED | |
236 | |
237 #define SECMOD_DB "secmod.db" | |
238 | |
239 typedef struct NSSInitContextStr NSSInitContext; | |
240 | |
241 | |
242 extern SECStatus NSS_Initialize(const char *configdir, | |
243 const char *certPrefix, const char *keyPrefix, | |
244 const char *secmodName, PRUint32 flags); | |
245 | |
246 extern NSSInitContext *NSS_InitContext(const char *configdir, | |
247 const char *certPrefix, const char *keyPrefix, | |
248 const char *secmodName, NSSInitParameters *initParams, PRUint32 flags); | |
249 | |
250 extern SECStatus NSS_ShutdownContext(NSSInitContext *); | |
251 | |
252 /* | |
253 * same as NSS_Init, but checks to see if we need to merge an | |
254 * old database in. | |
255 * updatedir is the directory where the old database lives. | |
256 * updCertPrefix is the certPrefix for the old database. | |
257 * updKeyPrefix is the keyPrefix for the old database. | |
258 * updateID is a unique identifier chosen by the application for | |
259 * the specific database. | |
260 * updatName is the name the user will be prompted for when | |
261 * asking to authenticate to the old database */ | |
262 extern SECStatus NSS_InitWithMerge(const char *configdir, | |
263 const char *certPrefix, const char *keyPrefix, const char *secmodName, | |
264 const char *updatedir, const char *updCertPrefix, | |
265 const char *updKeyPrefix, const char *updateID, | |
266 const char *updateName, PRUint32 flags); | |
267 /* | |
268 * initialize NSS without a creating cert db's, key db's, or secmod db's. | |
269 */ | |
270 SECStatus NSS_NoDB_Init(const char *configdir); | |
271 | |
272 /* | |
273 * Allow applications and libraries to register with NSS so that they are called | |
274 * when NSS shuts down. | |
275 * | |
276 * void *appData application specific data passed in by the application at | |
277 * NSS_RegisterShutdown() time. | |
278 * void *nssData is NULL in this release, but is reserved for future versions of
| |
279 * NSS to pass some future status information * back to the shutdown function. | |
280 * | |
281 * If the shutdown function returns SECFailure, | |
282 * Shutdown will still complete, but NSS_Shutdown() will return SECFailure. | |
283 */ | |
284 typedef SECStatus (*NSS_ShutdownFunc)(void *appData, void *nssData); | |
285 | |
286 /* | |
287 * Register a shutdown function. | |
288 */ | |
289 SECStatus NSS_RegisterShutdown(NSS_ShutdownFunc sFunc, void *appData); | |
290 | |
291 /* | |
292 * Remove an existing shutdown function (you may do this if your library is | |
293 * complete and going away, but NSS is still running). | |
294 */ | |
295 SECStatus NSS_UnregisterShutdown(NSS_ShutdownFunc sFunc, void *appData); | |
296 | |
297 /* Available options for NSS_OptionSet() and NSS_OptionGet(). | |
298 */ | |
299 #define NSS_RSA_MIN_KEY_SIZE 0x001 | |
300 #define NSS_DH_MIN_KEY_SIZE 0x002 | |
301 #define NSS_DSA_MIN_KEY_SIZE 0x004 | |
302 #define NSS_TLS_VERSION_MIN_POLICY 0x008 | |
303 #define NSS_TLS_VERSION_MAX_POLICY 0x009 | |
304 #define NSS_DTLS_VERSION_MIN_POLICY 0x00a | |
305 #define NSS_DTLS_VERSION_MAX_POLICY 0x00b | |
306 | |
307 /* | |
308 * Set and get global options for the NSS library. | |
309 */ | |
310 SECStatus NSS_OptionSet(PRInt32 which, PRInt32 value); | |
311 SECStatus NSS_OptionGet(PRInt32 which, PRInt32 *value); | |
312 | |
313 | |
314 /* | |
315 * Close the Cert, Key databases. | |
316 */ | |
317 extern SECStatus NSS_Shutdown(void); | |
318 | |
319 /* | |
320 * set the PKCS #11 strings for the internal token. | |
321 */ | |
322 void PK11_ConfigurePKCS11(const char *man, const char *libdesc, | |
323 const char *tokdesc, const char *ptokdesc, const char *slotdesc, | |
324 const char *pslotdesc, const char *fslotdesc, const char *fpslotdesc, | |
325 int minPwd, int pwRequired); | |
326 | |
327 /* | |
328 * Dump the contents of the certificate cache and the temporary cert store. | |
329 * Use to detect leaked references of certs at shutdown time. | |
330 */ | |
331 void nss_DumpCertificateCacheInfo(void); | |
332 | |
333 SEC_END_PROTOS | |
334 | |
335 #endif /* RC_INVOKED */ | |
336 #endif /* __nss_h_ */ | |