Delete bundled copy of NSS and replace with README.

nss/lib/pk11wrap/secmodt.h

-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-#ifndef _SECMODT_H_
-#define _SECMODT_H_ 1
-
-#include "nssrwlkt.h"
-#include "nssilckt.h"
-#include "secoid.h"
-#include "secasn1.h"
-#include "pkcs11t.h"
-#include "utilmodt.h"
-
-SEC_BEGIN_PROTOS
-
-/* find a better home for these... */
-extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
-SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate)
-extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
-SEC_ASN1_CHOOSER_DECLARE(SECKEY_EncryptedPrivateKeyInfoTemplate)
-extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
-SEC_ASN1_CHOOSER_DECLARE(SECKEY_PrivateKeyInfoTemplate)
-extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
-SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToPrivateKeyInfoTemplate)
-
-SEC_END_PROTOS
-
-/* PKCS11 needs to be included */
-typedef struct SECMODModuleStr SECMODModule;
-typedef struct SECMODModuleListStr SECMODModuleList;
-typedef NSSRWLock SECMODListLock;
-typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */
-typedef struct NSSUTILPreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */
-typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */
-typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */
-typedef struct PK11SlotListStr PK11SlotList;
-typedef struct PK11SlotListElementStr PK11SlotListElement;
-typedef struct PK11RSAGenParamsStr PK11RSAGenParams;
-typedef unsigned long SECMODModuleID;
-typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry;
-typedef struct PK11GenericObjectStr PK11GenericObject;
-typedef void (*PK11FreeDataFunc)(void *);
-
-struct SECMODModuleStr {
-    PLArenaPool *arena;
-    PRBool      internal;       /* true of internally linked modules, false
-                                 * for the loaded modules */
-    PRBool      loaded;         /* Set to true if module has been loaded */
-    PRBool      isFIPS;         /* Set to true if module is finst internal */
-    char        *dllName;       /* name of the shared library which implements
-                                 * this module */
-    char        *commonName;    /* name of the module to display to the user */
-    void        *library;       /* pointer to the library. opaque. used only by
-                                 * pk11load.c */
-    void        *functionList; /* The PKCS #11 function table */
-    PZLock      *refLock;       /* only used pk11db.c */
-    int         refCount;       /* Module reference count */
-    PK11SlotInfo **slots;       /* array of slot points attached to this mod*/
-    int         slotCount;      /* count of slot in above array */
-    PK11PreSlotInfo *slotInfo;  /* special info about slots default settings */
-    int         slotInfoCount;  /* count */
-    SECMODModuleID moduleID;    /* ID so we can find this module again */
-    PRBool      isThreadSafe;
-    unsigned long ssl[2];       /* SSL cipher enable flags */
-    char        *libraryParams;  /* Module specific parameters */
-    void *moduleDBFunc; /* function to return module configuration data*/
-    SECMODModule *parent;       /* module that loaded us */
-    PRBool      isCritical;     /* This module must load successfully */
-    PRBool      isModuleDB;     /* this module has lists of PKCS #11 modules */
-    PRBool      moduleDBOnly;   /* this module only has lists of PKCS #11 modules */
-    int         trustOrder;     /* order for this module's certificate trust rollup */
-    int         cipherOrder;    /* order for cipher operations */
-    unsigned long evControlMask; /* control the running and shutdown of slot
-                                  * events (SECMOD_WaitForAnyTokenEvent) */
-    CK_VERSION  cryptokiVersion; /* version of this library */
-};
-
-/* evControlMask flags */
-/*
- * These bits tell the current state of a SECMOD_WaitForAnyTokenEvent.
- *
- * SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in
- *  C_WaitForSlotEvent().
- * SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code
- *  which polls for token insertion and removal events.
- * SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is
- *  waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent
- *  should return immediately to it's caller.
- */ 
-#define SECMOD_END_WAIT             0x01
-#define SECMOD_WAIT_SIMULATED_EVENT 0x02 
-#define SECMOD_WAIT_PKCS11_EVENT    0x04
-
-struct SECMODModuleListStr {
-    SECMODModuleList    *next;
-    SECMODModule        *module;
-};
-
-struct PK11SlotListStr {
-    PK11SlotListElement *head;
-    PK11SlotListElement *tail;
-    PZLock *lock;
-};
-
-struct PK11SlotListElementStr {
-    PK11SlotListElement *next;
-    PK11SlotListElement *prev;
-    PK11SlotInfo *slot;
-    int refCount;
-};
-
-struct PK11RSAGenParamsStr {
-    int keySizeInBits;
-    unsigned long pe;
-};
-
-typedef enum {
-     PK11CertListUnique = 0,     /* get one instance of all certs */
-     PK11CertListUser = 1,       /* get all instances of user certs */
-     PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key.
-                                  * deprecated. Use PK11CertListCAUnique
-                                  */
-     PK11CertListCA = 3,         /* get all instances of CA certs */
-     PK11CertListCAUnique = 4,   /* get one instance of CA certs */
-     PK11CertListUserUnique = 5, /* get one instance of user certs */
-     PK11CertListAll = 6         /* get all instances of all certs */
-} PK11CertListType;
-
-/*
- * Entry into the array which lists all the legal bits for the default flags
- * in the slot, their definition, and the PKCS #11 mechanism they represent.
- * Always statically allocated. 
- */
-struct PK11DefaultArrayEntryStr {
-    const char *name;
-    unsigned long flag;
-    unsigned long mechanism; /* this is a long so we don't include the 
-                              * whole pkcs 11 world to use this header */
-};
-
-/*
- * PK11AttrFlags
- *
- * A 32-bit bitmask of PK11_ATTR_XXX flags
- */
-typedef PRUint32 PK11AttrFlags;
-
-/*
- * PK11_ATTR_XXX
- *
- * The following PK11_ATTR_XXX bitflags are used to specify
- * PKCS #11 object attributes that have Boolean values.  Some NSS
- * functions have a "PK11AttrFlags attrFlags" parameter whose value
- * is the logical OR of these bitflags.  NSS use these bitflags on
- * private keys or secret keys.  Some of these bitflags also apply
- * to the public keys associated with the private keys.
- *
- * For each PKCS #11 object attribute, we need two bitflags to
- * specify not only "true" and "false" but also "default".  For
- * example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the
- * CKA_PRIVATE attribute.  If PK11_ATTR_PRIVATE is set, we add
- *     { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) }
- * to the template.  If PK11_ATTR_PUBLIC is set, we add
- *     { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) }
- * to the template.  If neither flag is set, we don't add any
- * CKA_PRIVATE entry to the template.
- */
-
-/*
- * Attributes for PKCS #11 storage objects, which include not only
- * keys but also certificates and domain parameters.
- */
-
-/*
- * PK11_ATTR_TOKEN
- * PK11_ATTR_SESSION
- *
- * These two flags determine whether the object is a token or
- * session object.
- *
- * These two flags are related and cannot both be set.
- * If the PK11_ATTR_TOKEN flag is set, the object is a token
- * object.  If the PK11_ATTR_SESSION flag is set, the object is
- * a session object.  If neither flag is set, the object is *by
- * default* a session object.
- *
- * These two flags specify the value of the PKCS #11 CKA_TOKEN
- * attribute.
- */
-#define PK11_ATTR_TOKEN         0x00000001L
-#define PK11_ATTR_SESSION       0x00000002L
-
-/*
- * PK11_ATTR_PRIVATE
- * PK11_ATTR_PUBLIC
- *
- * These two flags determine whether the object is a private or
- * public object.  A user may not access a private object until the
- * user has authenticated to the token.
- *
- * These two flags are related and cannot both be set.
- * If the PK11_ATTR_PRIVATE flag is set, the object is a private
- * object.  If the PK11_ATTR_PUBLIC flag is set, the object is a
- * public object.  If neither flag is set, it is token-specific
- * whether the object is private or public.
- *
- * These two flags specify the value of the PKCS #11 CKA_PRIVATE
- * attribute.  NSS only uses this attribute on private and secret
- * keys, so public keys created by NSS get the token-specific
- * default value of the CKA_PRIVATE attribute.
- */
-#define PK11_ATTR_PRIVATE       0x00000004L
-#define PK11_ATTR_PUBLIC        0x00000008L
-
-/*
- * PK11_ATTR_MODIFIABLE
- * PK11_ATTR_UNMODIFIABLE
- *
- * These two flags determine whether the object is modifiable or
- * read-only.
- *
- * These two flags are related and cannot both be set.
- * If the PK11_ATTR_MODIFIABLE flag is set, the object can be
- * modified.  If the PK11_ATTR_UNMODIFIABLE flag is set, the object
- * is read-only.  If neither flag is set, the object is *by default*
- * modifiable.
- *
- * These two flags specify the value of the PKCS #11 CKA_MODIFIABLE
- * attribute.
- */
-#define PK11_ATTR_MODIFIABLE    0x00000010L
-#define PK11_ATTR_UNMODIFIABLE  0x00000020L
-
-/* Attributes for PKCS #11 key objects. */
-
-/*
- * PK11_ATTR_SENSITIVE
- * PK11_ATTR_INSENSITIVE
- *
- * These two flags are related and cannot both be set.
- * If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive.
- * If the PK11_ATTR_INSENSITIVE flag is set, the key is not
- * sensitive.  If neither flag is set, it is token-specific whether
- * the key is sensitive or not.
- *
- * If a key is sensitive, certain attributes of the key cannot be
- * revealed in plaintext outside the token.
- *
- * This flag specifies the value of the PKCS #11 CKA_SENSITIVE
- * attribute.  Although the default value of the CKA_SENSITIVE
- * attribute for secret keys is CK_FALSE per PKCS #11, some FIPS
- * tokens set the default value to CK_TRUE because only CK_TRUE
- * is allowed.  So in practice the default value of this attribute
- * is token-specific, hence the need for two bitflags.
- */
-#define PK11_ATTR_SENSITIVE     0x00000040L
-#define PK11_ATTR_INSENSITIVE   0x00000080L
-
-/*
- * PK11_ATTR_EXTRACTABLE
- * PK11_ATTR_UNEXTRACTABLE
- *
- * These two flags are related and cannot both be set.
- * If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable
- * and can be wrapped.  If the PK11_ATTR_UNEXTRACTABLE flag is set,
- * the key is not extractable, and certain attributes of the key
- * cannot be revealed in plaintext outside the token (just like a
- * sensitive key).  If neither flag is set, it is token-specific
- * whether the key is extractable or not.
- *
- * These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE
- * attribute.
- */
-#define PK11_ATTR_EXTRACTABLE   0x00000100L
-#define PK11_ATTR_UNEXTRACTABLE 0x00000200L
-
-/* Cryptographic module types */
-#define SECMOD_EXTERNAL 0       /* external module */
-#define SECMOD_INTERNAL 1       /* internal default module */
-#define SECMOD_FIPS     2       /* internal fips module */
-
-/* default module configuration strings */
-#define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]"
-
-#define SECMOD_MAKE_NSS_FLAGS(fips,slot) \
-"Flags=internal,critical" fips " slotparams=(" #slot "={" SECMOD_SLOT_FLAGS "})"
-
-#define SECMOD_INT_NAME "NSS Internal PKCS #11 Module"
-#define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("",1)
-#define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
-#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips",3)
-
-/*
- * What is the origin of a given Key. Normally this doesn't matter, but
- * the fortezza code needs to know if it needs to invoke the SSL3 fortezza
- * hack.
- */
-typedef enum {
-    PK11_OriginNULL = 0,        /* There is not key, it's a null SymKey */
-    PK11_OriginDerive = 1,      /* Key was derived from some other key */
-    PK11_OriginGenerated = 2,   /* Key was generated (also PBE keys) */
-    PK11_OriginFortezzaHack = 3,/* Key was marked for fortezza hack */
-    PK11_OriginUnwrap = 4       /* Key was unwrapped or decrypted */
-} PK11Origin;
-
-/* PKCS #11 disable reasons */
-typedef enum {
-    PK11_DIS_NONE = 0,
-    PK11_DIS_USER_SELECTED = 1,
-    PK11_DIS_COULD_NOT_INIT_TOKEN = 2,
-    PK11_DIS_TOKEN_VERIFY_FAILED = 3,
-    PK11_DIS_TOKEN_NOT_PRESENT = 4
-} PK11DisableReasons;
-
-/* types of PKCS #11 objects 
- * used to identify which NSS data structure is 
- * passed to the PK11_Raw* functions. Types map as follows:
- *   PK11_TypeGeneric            PK11GenericObject *
- *   PK11_TypePrivKey            SECKEYPrivateKey *
- *   PK11_TypePubKey             SECKEYPublicKey *
- *   PK11_TypeSymKey             PK11SymKey *
- *   PK11_TypeCert               CERTCertificate * (currently not used).
- */
-typedef enum {
-   PK11_TypeGeneric = 0,
-   PK11_TypePrivKey = 1,
-   PK11_TypePubKey = 2,
-   PK11_TypeCert = 3,
-   PK11_TypeSymKey = 4
-} PK11ObjectType;
-
-
-
-/* function pointer type for password callback function.
- * This type is passed in to PK11_SetPasswordFunc() 
- */
-typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg);
-typedef PRBool (PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg);
-typedef PRBool (PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg);
-
-/*
- * Special strings the password callback function can return only if
- * the slot is an protected auth path slot.
- */ 
-#define PK11_PW_RETRY           "RETRY" /* an failed attempt to authenticate
-                                         * has already been made, just retry
-                                         * the operation */
-#define PK11_PW_AUTHENTICATED   "AUTH"  /* a successful attempt to authenticate
-                                         * has completed. Continue without
-                                         * another call to C_Login */
-/* All other non-null values mean that that NSS could call C_Login to force
- * the authentication. The following define is to aid applications in 
- * documenting that is what it's trying to do */
-#define PK11_PW_TRY             "TRY"   /* Default: a prompt has been presented
-                                         * to the user, initiate a C_Login
-                                         * to authenticate the token */
-
-/*
- * PKCS #11 key structures
- */
-
-/*
-** Attributes
-*/
-struct SECKEYAttributeStr {
-    SECItem attrType;
-    SECItem **attrValue;
-};
-typedef struct SECKEYAttributeStr SECKEYAttribute;
-
-/*
-** A PKCS#8 private key info object
-*/
-struct SECKEYPrivateKeyInfoStr {
-    PLArenaPool *arena;
-    SECItem version;
-    SECAlgorithmID algorithm;
-    SECItem privateKey;
-    SECKEYAttribute **attributes;
-};
-typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo;
-
-/*
-** A PKCS#8 private key info object
-*/
-struct SECKEYEncryptedPrivateKeyInfoStr {
-    PLArenaPool *arena;
-    SECAlgorithmID algorithm;
-    SECItem encryptedData;
-};
-typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo;
-
-/*
- * token removal detection
- */
-typedef enum {
-   PK11TokenNotRemovable = 0,
-   PK11TokenPresent = 1,
-   PK11TokenChanged = 2,
-   PK11TokenRemoved = 3
-} PK11TokenStatus;
-
-typedef enum {
-   PK11TokenRemovedOrChangedEvent = 0,
-   PK11TokenPresentEvent = 1
-} PK11TokenEvent;
-
-/*
- * CRL Import Flags
- */
-#define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000
-#define CRL_IMPORT_BYPASS_CHECKS   0x00000001
-
-
-/*
- * Merge Error Log
- */
-typedef struct PK11MergeLogStr PK11MergeLog;
-typedef struct PK11MergeLogNodeStr PK11MergeLogNode;
-
-/* These need to be global, leave some open fields so we can 'expand'
- * these without breaking binary compatibility */
-struct PK11MergeLogNodeStr {
-    PK11MergeLogNode *next;   /* next entry in the list */
-    PK11MergeLogNode *prev;   /* last entry in the list */
-    PK11GenericObject *object; /* object that failed */
-    int error;                 /* what the error was */
-    CK_RV reserved1;
-    unsigned long reserved2; /* future flags */
-    unsigned long reserved3; /* future scalar */
-    void *reserved4;          /* future pointer */
-    void *reserved5;          /* future expansion pointer */
-};
-
-struct PK11MergeLogStr {
-    PK11MergeLogNode *head;
-    PK11MergeLogNode *tail;
-    PLArenaPool *arena;
-    int version;
-    unsigned long reserved1;
-    unsigned long reserved2;
-    unsigned long reserved3;
-    void *reserverd4;
-    void *reserverd5;
-};
-    
-
-#endif /*_SECMODT_H_ */