OLD | NEW |
| (Empty) |
1 /* This Source Code Form is subject to the terms of the Mozilla Public | |
2 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
4 | |
5 #ifndef _PKCS11N_H_ | |
6 #define _PKCS11N_H_ | |
7 | |
8 /* | |
9 * pkcs11n.h | |
10 * | |
11 * This file contains the NSS-specific type definitions for Cryptoki | |
12 * (PKCS#11). | |
13 */ | |
14 | |
15 /* | |
16 * NSSCK_VENDOR_NSS | |
17 * | |
18 * Cryptoki reserves the high half of all the number spaces for | |
19 * vendor-defined use. I'd like to keep all of our NSS- | |
20 * specific values together, but not in the oh-so-obvious | |
21 * 0x80000001, 0x80000002, etc. area. So I've picked an offset, | |
22 * and constructed values for the beginnings of our spaces. | |
23 * | |
24 * Note that some "historical" Netscape values don't fall within | |
25 * this range. | |
26 */ | |
27 #define NSSCK_VENDOR_NSS 0x4E534350 /* NSCP */ | |
28 | |
29 /* | |
30 * NSS-defined object classes | |
31 * | |
32 */ | |
33 #define CKO_NSS (CKO_VENDOR_DEFINED|NSSCK_VENDOR_NSS) | |
34 | |
35 #define CKO_NSS_CRL (CKO_NSS + 1) | |
36 #define CKO_NSS_SMIME (CKO_NSS + 2) | |
37 #define CKO_NSS_TRUST (CKO_NSS + 3) | |
38 #define CKO_NSS_BUILTIN_ROOT_LIST (CKO_NSS + 4) | |
39 #define CKO_NSS_NEWSLOT (CKO_NSS + 5) | |
40 #define CKO_NSS_DELSLOT (CKO_NSS + 6) | |
41 | |
42 | |
43 /* | |
44 * NSS-defined key types | |
45 * | |
46 */ | |
47 #define CKK_NSS (CKK_VENDOR_DEFINED|NSSCK_VENDOR_NSS) | |
48 | |
49 #define CKK_NSS_PKCS8 (CKK_NSS + 1) | |
50 | |
51 #define CKK_NSS_JPAKE_ROUND1 (CKK_NSS + 2) | |
52 #define CKK_NSS_JPAKE_ROUND2 (CKK_NSS + 3) | |
53 | |
54 #define CKK_NSS_CHACHA20 (CKK_NSS + 4) | |
55 | |
56 /* | |
57 * NSS-defined certificate types | |
58 * | |
59 */ | |
60 #define CKC_NSS (CKC_VENDOR_DEFINED|NSSCK_VENDOR_NSS) | |
61 | |
62 /* FAKE PKCS #11 defines */ | |
63 #define CKA_DIGEST 0x81000000L | |
64 #define CKA_FLAGS_ONLY 0 /* CKA_CLASS */ | |
65 | |
66 /* | |
67 * NSS-defined object attributes | |
68 * | |
69 */ | |
70 #define CKA_NSS (CKA_VENDOR_DEFINED|NSSCK_VENDOR_NSS) | |
71 | |
72 #define CKA_NSS_URL (CKA_NSS + 1) | |
73 #define CKA_NSS_EMAIL (CKA_NSS + 2) | |
74 #define CKA_NSS_SMIME_INFO (CKA_NSS + 3) | |
75 #define CKA_NSS_SMIME_TIMESTAMP (CKA_NSS + 4) | |
76 #define CKA_NSS_PKCS8_SALT (CKA_NSS + 5) | |
77 #define CKA_NSS_PASSWORD_CHECK (CKA_NSS + 6) | |
78 #define CKA_NSS_EXPIRES (CKA_NSS + 7) | |
79 #define CKA_NSS_KRL (CKA_NSS + 8) | |
80 | |
81 #define CKA_NSS_PQG_COUNTER (CKA_NSS + 20) | |
82 #define CKA_NSS_PQG_SEED (CKA_NSS + 21) | |
83 #define CKA_NSS_PQG_H (CKA_NSS + 22) | |
84 #define CKA_NSS_PQG_SEED_BITS (CKA_NSS + 23) | |
85 #define CKA_NSS_MODULE_SPEC (CKA_NSS + 24) | |
86 #define CKA_NSS_OVERRIDE_EXTENSIONS (CKA_NSS + 25) | |
87 | |
88 #define CKA_NSS_JPAKE_SIGNERID (CKA_NSS + 26) | |
89 #define CKA_NSS_JPAKE_PEERID (CKA_NSS + 27) | |
90 #define CKA_NSS_JPAKE_GX1 (CKA_NSS + 28) | |
91 #define CKA_NSS_JPAKE_GX2 (CKA_NSS + 29) | |
92 #define CKA_NSS_JPAKE_GX3 (CKA_NSS + 30) | |
93 #define CKA_NSS_JPAKE_GX4 (CKA_NSS + 31) | |
94 #define CKA_NSS_JPAKE_X2 (CKA_NSS + 32) | |
95 #define CKA_NSS_JPAKE_X2S (CKA_NSS + 33) | |
96 | |
97 /* | |
98 * Trust attributes: | |
99 * | |
100 * If trust goes standard, these probably will too. So I'll | |
101 * put them all in one place. | |
102 */ | |
103 | |
104 #define CKA_TRUST (CKA_NSS + 0x2000) | |
105 | |
106 /* "Usage" key information */ | |
107 #define CKA_TRUST_DIGITAL_SIGNATURE (CKA_TRUST + 1) | |
108 #define CKA_TRUST_NON_REPUDIATION (CKA_TRUST + 2) | |
109 #define CKA_TRUST_KEY_ENCIPHERMENT (CKA_TRUST + 3) | |
110 #define CKA_TRUST_DATA_ENCIPHERMENT (CKA_TRUST + 4) | |
111 #define CKA_TRUST_KEY_AGREEMENT (CKA_TRUST + 5) | |
112 #define CKA_TRUST_KEY_CERT_SIGN (CKA_TRUST + 6) | |
113 #define CKA_TRUST_CRL_SIGN (CKA_TRUST + 7) | |
114 | |
115 /* "Purpose" trust information */ | |
116 #define CKA_TRUST_SERVER_AUTH (CKA_TRUST + 8) | |
117 #define CKA_TRUST_CLIENT_AUTH (CKA_TRUST + 9) | |
118 #define CKA_TRUST_CODE_SIGNING (CKA_TRUST + 10) | |
119 #define CKA_TRUST_EMAIL_PROTECTION (CKA_TRUST + 11) | |
120 #define CKA_TRUST_IPSEC_END_SYSTEM (CKA_TRUST + 12) | |
121 #define CKA_TRUST_IPSEC_TUNNEL (CKA_TRUST + 13) | |
122 #define CKA_TRUST_IPSEC_USER (CKA_TRUST + 14) | |
123 #define CKA_TRUST_TIME_STAMPING (CKA_TRUST + 15) | |
124 #define CKA_TRUST_STEP_UP_APPROVED (CKA_TRUST + 16) | |
125 | |
126 #define CKA_CERT_SHA1_HASH (CKA_TRUST + 100) | |
127 #define CKA_CERT_MD5_HASH (CKA_TRUST + 101) | |
128 | |
129 /* NSS trust stuff */ | |
130 | |
131 /* HISTORICAL: define used to pass in the database key for DSA private keys */ | |
132 #define CKA_NETSCAPE_DB 0xD5A0DB00L | |
133 #define CKA_NETSCAPE_TRUST 0x80000001L | |
134 | |
135 /* FAKE PKCS #11 defines */ | |
136 #define CKM_FAKE_RANDOM 0x80000efeUL | |
137 #define CKM_INVALID_MECHANISM 0xffffffffUL | |
138 | |
139 /* | |
140 * NSS-defined crypto mechanisms | |
141 * | |
142 */ | |
143 #define CKM_NSS (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NSS) | |
144 | |
145 #define CKM_NSS_AES_KEY_WRAP (CKM_NSS + 1) | |
146 #define CKM_NSS_AES_KEY_WRAP_PAD (CKM_NSS + 2) | |
147 | |
148 /* HKDF key derivation mechanisms. See CK_NSS_HKDFParams for documentation. */ | |
149 #define CKM_NSS_HKDF_SHA1 (CKM_NSS + 3) | |
150 #define CKM_NSS_HKDF_SHA256 (CKM_NSS + 4) | |
151 #define CKM_NSS_HKDF_SHA384 (CKM_NSS + 5) | |
152 #define CKM_NSS_HKDF_SHA512 (CKM_NSS + 6) | |
153 | |
154 /* J-PAKE round 1 key generation mechanisms. | |
155 * | |
156 * Required template attributes: CKA_PRIME, CKA_SUBPRIME, CKA_BASE, | |
157 * CKA_NSS_JPAKE_SIGNERID | |
158 * Output key type: CKK_NSS_JPAKE_ROUND1 | |
159 * Output key class: CKO_PRIVATE_KEY | |
160 * Parameter type: CK_NSS_JPAKERound1Params | |
161 * | |
162 */ | |
163 #define CKM_NSS_JPAKE_ROUND1_SHA1 (CKM_NSS + 7) | |
164 #define CKM_NSS_JPAKE_ROUND1_SHA256 (CKM_NSS + 8) | |
165 #define CKM_NSS_JPAKE_ROUND1_SHA384 (CKM_NSS + 9) | |
166 #define CKM_NSS_JPAKE_ROUND1_SHA512 (CKM_NSS + 10) | |
167 | |
168 /* J-PAKE round 2 key derivation mechanisms. | |
169 * | |
170 * Required template attributes: CKA_NSS_JPAKE_PEERID | |
171 * Input key type: CKK_NSS_JPAKE_ROUND1 | |
172 * Output key type: CKK_NSS_JPAKE_ROUND2 | |
173 * Output key class: CKO_PRIVATE_KEY | |
174 * Parameter type: CK_NSS_JPAKERound2Params | |
175 */ | |
176 #define CKM_NSS_JPAKE_ROUND2_SHA1 (CKM_NSS + 11) | |
177 #define CKM_NSS_JPAKE_ROUND2_SHA256 (CKM_NSS + 12) | |
178 #define CKM_NSS_JPAKE_ROUND2_SHA384 (CKM_NSS + 13) | |
179 #define CKM_NSS_JPAKE_ROUND2_SHA512 (CKM_NSS + 14) | |
180 | |
181 /* J-PAKE final key material derivation mechanisms | |
182 * | |
183 * Input key type: CKK_NSS_JPAKE_ROUND2 | |
184 * Output key type: CKK_GENERIC_SECRET | |
185 * Output key class: CKO_SECRET_KEY | |
186 * Parameter type: CK_NSS_JPAKEFinalParams | |
187 * | |
188 * You must apply a KDF (e.g. CKM_NSS_HKDF_*) to resultant keying material | |
189 * to get a key with uniformly distributed bits. | |
190 */ | |
191 #define CKM_NSS_JPAKE_FINAL_SHA1 (CKM_NSS + 15) | |
192 #define CKM_NSS_JPAKE_FINAL_SHA256 (CKM_NSS + 16) | |
193 #define CKM_NSS_JPAKE_FINAL_SHA384 (CKM_NSS + 17) | |
194 #define CKM_NSS_JPAKE_FINAL_SHA512 (CKM_NSS + 18) | |
195 | |
196 /* Constant-time MAC mechanisms: | |
197 * | |
198 * These operations verify a padded, MAC-then-encrypt block of data in | |
199 * constant-time. Because of the order of operations, the padding bytes are not | |
200 * protected by the MAC. However, disclosing the value of the padding bytes | |
201 * gives an attacker the ability to decrypt ciphertexts. Such disclosure can be | |
202 * as subtle as taking slightly less time to perform the MAC when the padding | |
203 * is one byte longer. See https://www.isg.rhul.ac.uk/tls/ | |
204 * | |
205 * CKM_NSS_HMAC_CONSTANT_TIME: performs an HMAC authentication. | |
206 * CKM_NSS_SSL3_MAC_CONSTANT_TIME: performs an authentication with SSLv3 MAC. | |
207 * | |
208 * Parameter type: CK_NSS_MAC_CONSTANT_TIME_PARAMS | |
209 */ | |
210 #define CKM_NSS_HMAC_CONSTANT_TIME (CKM_NSS + 19) | |
211 #define CKM_NSS_SSL3_MAC_CONSTANT_TIME (CKM_NSS + 20) | |
212 | |
213 /* TLS 1.2 mechanisms */ | |
214 #define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21) | |
215 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22) | |
216 #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23) | |
217 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) | |
218 | |
219 /* TLS extended master secret derivation */ | |
220 #define CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE (CKM_NSS + 25) | |
221 #define CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH (CKM_NSS + 26) | |
222 | |
223 #define CKM_NSS_CHACHA20_KEY_GEN (CKM_NSS + 27) | |
224 #define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 28) | |
225 | |
226 /* | |
227 * HISTORICAL: | |
228 * Do not attempt to use these. They are only used by NETSCAPE's internal | |
229 * PKCS #11 interface. Most of these are place holders for other mechanism | |
230 * and will change in the future. | |
231 */ | |
232 #define CKM_NETSCAPE_PBE_SHA1_DES_CBC 0x80000002UL | |
233 #define CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC 0x80000003UL | |
234 #define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC 0x80000004UL | |
235 #define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC 0x80000005UL | |
236 #define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4 0x80000006UL | |
237 #define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4 0x80000007UL | |
238 #define CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC 0x80000008UL | |
239 #define CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN 0x80000009UL | |
240 #define CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN 0x8000000aUL | |
241 #define CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN 0x8000000bUL | |
242 | |
243 #define CKM_TLS_PRF_GENERAL 0x80000373UL | |
244 | |
245 typedef struct CK_NSS_JPAKEPublicValue { | |
246 CK_BYTE * pGX; | |
247 CK_ULONG ulGXLen; | |
248 CK_BYTE * pGV; | |
249 CK_ULONG ulGVLen; | |
250 CK_BYTE * pR; | |
251 CK_ULONG ulRLen; | |
252 } CK_NSS_JPAKEPublicValue; | |
253 | |
254 typedef struct CK_NSS_JPAKERound1Params { | |
255 CK_NSS_JPAKEPublicValue gx1; /* out */ | |
256 CK_NSS_JPAKEPublicValue gx2; /* out */ | |
257 } CK_NSS_JPAKERound1Params; | |
258 | |
259 typedef struct CK_NSS_JPAKERound2Params { | |
260 CK_BYTE * pSharedKey; /* in */ | |
261 CK_ULONG ulSharedKeyLen; /* in */ | |
262 CK_NSS_JPAKEPublicValue gx3; /* in */ | |
263 CK_NSS_JPAKEPublicValue gx4; /* in */ | |
264 CK_NSS_JPAKEPublicValue A; /* out */ | |
265 } CK_NSS_JPAKERound2Params; | |
266 | |
267 typedef struct CK_NSS_JPAKEFinalParams { | |
268 CK_NSS_JPAKEPublicValue B; /* in */ | |
269 } CK_NSS_JPAKEFinalParams; | |
270 | |
271 /* macAlg: the MAC algorithm to use. This determines the hash function used in | |
272 * the HMAC/SSLv3 MAC calculations. | |
273 * ulBodyTotalLen: the total length of the data, including padding bytes and | |
274 * padding length. | |
275 * pHeader: points to a block of data that contains additional data to | |
276 * authenticate. For TLS this includes the sequence number etc. For SSLv3, | |
277 * this also includes the initial padding bytes. | |
278 * | |
279 * NOTE: the softoken's implementation of CKM_NSS_HMAC_CONSTANT_TIME and | |
280 * CKM_NSS_SSL3_MAC_CONSTANT_TIME requires that the sum of ulBodyTotalLen | |
281 * and ulHeaderLen be much smaller than 2^32 / 8 bytes because it uses an | |
282 * unsigned int variable to represent the length in bits. This should not | |
283 * be a problem because the SSL/TLS protocol limits the size of an SSL | |
284 * record to something considerably less than 2^32 bytes. | |
285 */ | |
286 typedef struct CK_NSS_MAC_CONSTANT_TIME_PARAMS { | |
287 CK_MECHANISM_TYPE macAlg; /* in */ | |
288 CK_ULONG ulBodyTotalLen; /* in */ | |
289 CK_BYTE * pHeader; /* in */ | |
290 CK_ULONG ulHeaderLen; /* in */ | |
291 } CK_NSS_MAC_CONSTANT_TIME_PARAMS; | |
292 | |
293 typedef struct CK_NSS_AEAD_PARAMS { | |
294 CK_BYTE_PTR pNonce; | |
295 CK_ULONG ulNonceLen; | |
296 CK_BYTE_PTR pAAD; | |
297 CK_ULONG ulAADLen; | |
298 CK_ULONG ulTagLen; | |
299 } CK_NSS_AEAD_PARAMS; | |
300 | |
301 /* | |
302 * NSS-defined return values | |
303 * | |
304 */ | |
305 #define CKR_NSS (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NSS) | |
306 | |
307 #define CKR_NSS_CERTDB_FAILED (CKR_NSS + 1) | |
308 #define CKR_NSS_KEYDB_FAILED (CKR_NSS + 2) | |
309 | |
310 /* Mandatory parameter for the CKM_NSS_HKDF_* key deriviation mechanisms. | |
311 See RFC 5869. | |
312 | |
313 bExtract: If set, HKDF-Extract will be applied to the input key. If | |
314 the optional salt is given, it is used; otherwise, the salt is | |
315 set to a sequence of zeros equal in length to the HMAC output. | |
316 If bExpand is not set, then the key template given to | |
317 C_DeriveKey must indicate an output key size less than or equal | |
318 to the output size of the HMAC. | |
319 | |
320 bExpand: If set, HKDF-Expand will be applied to the input key (if | |
321 bExtract is not set) or to the result of HKDF-Extract (if | |
322 bExtract is set). Any info given in the optional pInfo field will | |
323 be included in the calculation. | |
324 | |
325 The size of the output key must be specified in the template passed to | |
326 C_DeriveKey. | |
327 */ | |
328 typedef struct CK_NSS_HKDFParams { | |
329 CK_BBOOL bExtract; | |
330 CK_BYTE_PTR pSalt; | |
331 CK_ULONG ulSaltLen; | |
332 CK_BBOOL bExpand; | |
333 CK_BYTE_PTR pInfo; | |
334 CK_ULONG ulInfoLen; | |
335 } CK_NSS_HKDFParams; | |
336 | |
337 /* | |
338 * Parameter for the TLS extended master secret key derivation mechanisms: | |
339 * | |
340 * * CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE | |
341 * * CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH | |
342 * | |
343 * For the TLS 1.2 PRF, the prfHashMechanism parameter determines the hash | |
344 * function used. For earlier versions of the PRF, set the prfHashMechanism | |
345 * value to CKM_TLS_PRF. | |
346 * | |
347 * The session hash input is expected to be the output of the same hash | |
348 * function as the PRF uses (as required by draft-ietf-tls-session-hash). So | |
349 * the ulSessionHashLen member must be equal the output length of the hash | |
350 * function specified by the prfHashMechanism member (or, for pre-TLS 1.2 PRF, | |
351 * the length of concatenated MD5 and SHA-1 digests). | |
352 * | |
353 */ | |
354 typedef struct CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS { | |
355 CK_MECHANISM_TYPE prfHashMechanism; | |
356 CK_BYTE_PTR pSessionHash; | |
357 CK_ULONG ulSessionHashLen; | |
358 CK_VERSION_PTR pVersion; | |
359 } CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS; | |
360 | |
361 | |
362 /* | |
363 * Trust info | |
364 * | |
365 * This isn't part of the Cryptoki standard (yet), so I'm putting | |
366 * all the definitions here. Some of this would move to nssckt.h | |
367 * if trust info were made part of the standard. In view of this | |
368 * possibility, I'm putting my (NSS) values in the NSS | |
369 * vendor space, like everything else. | |
370 */ | |
371 | |
372 typedef CK_ULONG CK_TRUST; | |
373 | |
374 /* The following trust types are defined: */ | |
375 #define CKT_VENDOR_DEFINED 0x80000000 | |
376 | |
377 #define CKT_NSS (CKT_VENDOR_DEFINED|NSSCK_VENDOR_NSS) | |
378 | |
379 /* If trust goes standard, these'll probably drop out of vendor space. */ | |
380 #define CKT_NSS_TRUSTED (CKT_NSS + 1) | |
381 #define CKT_NSS_TRUSTED_DELEGATOR (CKT_NSS + 2) | |
382 #define CKT_NSS_MUST_VERIFY_TRUST (CKT_NSS + 3) | |
383 #define CKT_NSS_NOT_TRUSTED (CKT_NSS + 10) | |
384 #define CKT_NSS_TRUST_UNKNOWN (CKT_NSS + 5) /* default */ | |
385 | |
386 /* | |
387 * These may well remain NSS-specific; I'm only using them | |
388 * to cache resolution data. | |
389 */ | |
390 #define CKT_NSS_VALID_DELEGATOR (CKT_NSS + 11) | |
391 | |
392 | |
393 /* | |
394 * old definitions. They still exist, but the plain meaning of the | |
395 * labels have never been accurate to what was really implemented. | |
396 * The new labels correctly reflect what the values effectively mean. | |
397 */ | |
398 #if defined(__GNUC__) && (__GNUC__ > 3) | |
399 /* make GCC warn when we use these #defines */ | |
400 /* | |
401 * This is really painful because GCC doesn't allow us to mark random | |
402 * #defines as deprecated. We can only mark the following: | |
403 * functions, variables, and types. | |
404 * const variables will create extra storage for everyone including this | |
405 * header file, so it's undesirable. | |
406 * functions could be inlined to prevent storage creation, but will fail | |
407 * when constant values are expected (like switch statements). | |
408 * enum types do not seem to pay attention to the deprecated attribute. | |
409 * | |
410 * That leaves typedefs. We declare new types that we then deprecate, then | |
411 * cast the resulting value to the deprecated type in the #define, thus | |
412 * producting the warning when the #define is used. | |
413 */ | |
414 #if (__GNUC__ == 4) && (__GNUC_MINOR__ < 5) | |
415 /* The mac doesn't like the friendlier deprecate messages. I'm assuming this | |
416 * is a gcc version issue rather than mac or ppc specific */ | |
417 typedef CK_TRUST __CKT_NSS_UNTRUSTED __attribute__((deprecated)); | |
418 typedef CK_TRUST __CKT_NSS_VALID __attribute__ ((deprecated)); | |
419 typedef CK_TRUST __CKT_NSS_MUST_VERIFY __attribute__((deprecated)); | |
420 #else | |
421 /* when possible, get a full deprecation warning. This works on gcc 4.5 | |
422 * it may work on earlier versions of gcc */ | |
423 typedef CK_TRUST __CKT_NSS_UNTRUSTED __attribute__((deprecated | |
424 ("CKT_NSS_UNTRUSTED really means CKT_NSS_MUST_VERIFY_TRUST"))); | |
425 typedef CK_TRUST __CKT_NSS_VALID __attribute__ ((deprecated | |
426 ("CKT_NSS_VALID really means CKT_NSS_NOT_TRUSTED"))); | |
427 typedef CK_TRUST __CKT_NSS_MUST_VERIFY __attribute__((deprecated | |
428 ("CKT_NSS_MUST_VERIFY really functions as CKT_NSS_TRUST_UNKNOWN"))); | |
429 #endif | |
430 #define CKT_NSS_UNTRUSTED ((__CKT_NSS_UNTRUSTED)CKT_NSS_MUST_VERIFY_TRUST) | |
431 #define CKT_NSS_VALID ((__CKT_NSS_VALID) CKT_NSS_NOT_TRUSTED) | |
432 /* keep the old value for compatibility reasons*/ | |
433 #define CKT_NSS_MUST_VERIFY ((__CKT_NSS_MUST_VERIFY)(CKT_NSS +4)) | |
434 #else | |
435 #ifdef _WIN32 | |
436 /* This magic gets the windows compiler to give us a deprecation | |
437 * warning */ | |
438 #pragma deprecated(CKT_NSS_UNTRUSTED, CKT_NSS_MUST_VERIFY, CKT_NSS_VALID) | |
439 #endif | |
440 /* CKT_NSS_UNTRUSTED really means CKT_NSS_MUST_VERIFY_TRUST */ | |
441 #define CKT_NSS_UNTRUSTED CKT_NSS_MUST_VERIFY_TRUST | |
442 /* CKT_NSS_VALID really means CKT_NSS_NOT_TRUSTED */ | |
443 #define CKT_NSS_VALID CKT_NSS_NOT_TRUSTED | |
444 /* CKT_NSS_MUST_VERIFY was always treated as CKT_NSS_TRUST_UNKNOWN */ | |
445 #define CKT_NSS_MUST_VERIFY (CKT_NSS + 4) /*really means trust unknown*/ | |
446 #endif | |
447 | |
448 /* don't leave old programs in a lurch just yet, give them the old NETSCAPE | |
449 * synonym */ | |
450 #define CKO_NETSCAPE_CRL CKO_NSS_CRL | |
451 #define CKO_NETSCAPE_SMIME CKO_NSS_SMIME | |
452 #define CKO_NETSCAPE_TRUST CKO_NSS_TRUST | |
453 #define CKO_NETSCAPE_BUILTIN_ROOT_LIST CKO_NSS_BUILTIN_ROOT_LIST | |
454 #define CKO_NETSCAPE_NEWSLOT CKO_NSS_NEWSLOT | |
455 #define CKO_NETSCAPE_DELSLOT CKO_NSS_DELSLOT | |
456 #define CKK_NETSCAPE_PKCS8 CKK_NSS_PKCS8 | |
457 #define CKA_NETSCAPE_URL CKA_NSS_URL | |
458 #define CKA_NETSCAPE_EMAIL CKA_NSS_EMAIL | |
459 #define CKA_NETSCAPE_SMIME_INFO CKA_NSS_SMIME_INFO | |
460 #define CKA_NETSCAPE_SMIME_TIMESTAMP CKA_NSS_SMIME_TIMESTAMP | |
461 #define CKA_NETSCAPE_PKCS8_SALT CKA_NSS_PKCS8_SALT | |
462 #define CKA_NETSCAPE_PASSWORD_CHECK CKA_NSS_PASSWORD_CHECK | |
463 #define CKA_NETSCAPE_EXPIRES CKA_NSS_EXPIRES | |
464 #define CKA_NETSCAPE_KRL CKA_NSS_KRL | |
465 #define CKA_NETSCAPE_PQG_COUNTER CKA_NSS_PQG_COUNTER | |
466 #define CKA_NETSCAPE_PQG_SEED CKA_NSS_PQG_SEED | |
467 #define CKA_NETSCAPE_PQG_H CKA_NSS_PQG_H | |
468 #define CKA_NETSCAPE_PQG_SEED_BITS CKA_NSS_PQG_SEED_BITS | |
469 #define CKA_NETSCAPE_MODULE_SPEC CKA_NSS_MODULE_SPEC | |
470 #define CKM_NETSCAPE_AES_KEY_WRAP CKM_NSS_AES_KEY_WRAP | |
471 #define CKM_NETSCAPE_AES_KEY_WRAP_PAD CKM_NSS_AES_KEY_WRAP_PAD | |
472 #define CKR_NETSCAPE_CERTDB_FAILED CKR_NSS_CERTDB_FAILED | |
473 #define CKR_NETSCAPE_KEYDB_FAILED CKR_NSS_KEYDB_FAILED | |
474 | |
475 #define CKT_NETSCAPE_TRUSTED CKT_NSS_TRUSTED | |
476 #define CKT_NETSCAPE_TRUSTED_DELEGATOR CKT_NSS_TRUSTED_DELEGATOR | |
477 #define CKT_NETSCAPE_UNTRUSTED CKT_NSS_UNTRUSTED | |
478 #define CKT_NETSCAPE_MUST_VERIFY CKT_NSS_MUST_VERIFY | |
479 #define CKT_NETSCAPE_TRUST_UNKNOWN CKT_NSS_TRUST_UNKNOWN | |
480 #define CKT_NETSCAPE_VALID CKT_NSS_VALID | |
481 #define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR | |
482 | |
483 /* | |
484 * These are not really PKCS #11 values specifically. They are the 'loadable' | |
485 * module spec NSS uses. The are available for others to use as well, but not | |
486 * part of the formal PKCS #11 spec. | |
487 * | |
488 * The function 'FIND' returns an array of PKCS #11 initialization strings | |
489 * The function 'ADD' takes a PKCS #11 initialization string and stores it. | |
490 * The function 'DEL' takes a 'name= library=' value and deletes the associated | |
491 * string. | |
492 * The function 'RELEASE' frees the array returned by 'FIND' | |
493 */ | |
494 #define SECMOD_MODULE_DB_FUNCTION_FIND 0 | |
495 #define SECMOD_MODULE_DB_FUNCTION_ADD 1 | |
496 #define SECMOD_MODULE_DB_FUNCTION_DEL 2 | |
497 #define SECMOD_MODULE_DB_FUNCTION_RELEASE 3 | |
498 typedef char ** (PR_CALLBACK *SECMODModuleDBFunc)(unsigned long function, | |
499 char *parameters, void *moduleSpec); | |
500 | |
501 /* softoken slot ID's */ | |
502 #define SFTK_MIN_USER_SLOT_ID 4 | |
503 #define SFTK_MAX_USER_SLOT_ID 100 | |
504 #define SFTK_MIN_FIPS_USER_SLOT_ID 101 | |
505 #define SFTK_MAX_FIPS_USER_SLOT_ID 127 | |
506 | |
507 | |
508 #endif /* _PKCS11N_H_ */ | |
OLD | NEW |