summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/pk11wrap/secmodt.h
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--security/nss/lib/pk11wrap/secmodt.h448
1 files changed, 448 insertions, 0 deletions
diff --git a/security/nss/lib/pk11wrap/secmodt.h b/security/nss/lib/pk11wrap/secmodt.h
new file mode 100644
index 0000000000..5f15e5967c
--- /dev/null
+++ b/security/nss/lib/pk11wrap/secmodt.h
@@ -0,0 +1,448 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#ifndef _SECMODT_H_
+#define _SECMODT_H_ 1
+
+#include "nssrwlkt.h"
+#include "nssilckt.h"
+#include "secoid.h"
+#include "secasn1.h"
+#include "pkcs11t.h"
+#include "utilmodt.h"
+
+SEC_BEGIN_PROTOS
+
+/* find a better home for these... */
+extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
+SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate)
+extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
+SEC_ASN1_CHOOSER_DECLARE(SECKEY_EncryptedPrivateKeyInfoTemplate)
+extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
+SEC_ASN1_CHOOSER_DECLARE(SECKEY_PrivateKeyInfoTemplate)
+extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
+SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToPrivateKeyInfoTemplate)
+
+SEC_END_PROTOS
+
+/* PKCS11 needs to be included */
+typedef struct SECMODModuleStr SECMODModule;
+typedef struct SECMODModuleListStr SECMODModuleList;
+typedef NSSRWLock SECMODListLock;
+typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */
+typedef struct NSSUTILPreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */
+typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */
+typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */
+typedef struct PK11SlotListStr PK11SlotList;
+typedef struct PK11SlotListElementStr PK11SlotListElement;
+typedef struct PK11RSAGenParamsStr PK11RSAGenParams;
+typedef unsigned long SECMODModuleID;
+typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry;
+typedef struct PK11GenericObjectStr PK11GenericObject;
+typedef void (*PK11FreeDataFunc)(void *);
+
+struct SECMODModuleStr {
+ PLArenaPool *arena;
+ PRBool internal; /* true of internally linked modules, false
+ * for the loaded modules */
+ PRBool loaded; /* Set to true if module has been loaded */
+ PRBool isFIPS; /* Set to true if module is finst internal */
+ char *dllName; /* name of the shared library which implements
+ * this module */
+ char *commonName; /* name of the module to display to the user */
+ void *library; /* pointer to the library. opaque. used only by
+ * pk11load.c */
+ void *functionList; /* The PKCS #11 function table */
+ PZLock *refLock; /* only used pk11db.c */
+ int refCount; /* Module reference count */
+ PK11SlotInfo **slots; /* array of slot points attached to this mod*/
+ int slotCount; /* count of slot in above array */
+ PK11PreSlotInfo *slotInfo; /* special info about slots default settings */
+ int slotInfoCount; /* count */
+ SECMODModuleID moduleID; /* ID so we can find this module again */
+ PRBool isThreadSafe;
+ unsigned long ssl[2]; /* SSL cipher enable flags */
+ char *libraryParams; /* Module specific parameters */
+ void *moduleDBFunc; /* function to return module configuration data*/
+ SECMODModule *parent; /* module that loaded us */
+ PRBool isCritical; /* This module must load successfully */
+ PRBool isModuleDB; /* this module has lists of PKCS #11 modules */
+ PRBool moduleDBOnly; /* this module only has lists of PKCS #11 modules */
+ int trustOrder; /* order for this module's certificate trust rollup */
+ int cipherOrder; /* order for cipher operations */
+ unsigned long evControlMask; /* control the running and shutdown of slot
+ * events (SECMOD_WaitForAnyTokenEvent) */
+ CK_VERSION cryptokiVersion; /* version of this library */
+ CK_FLAGS flags; /* pkcs11 v3 flags */
+ /* Warning this could go way in future versions of NSS
+ * when FIPS indicators wind up in the functionList */
+ CK_NSS_GetFIPSStatus fipsIndicator;
+};
+
+/* evControlMask flags */
+/*
+ * These bits tell the current state of a SECMOD_WaitForAnyTokenEvent.
+ *
+ * SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in
+ * C_WaitForSlotEvent().
+ * SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code
+ * which polls for token insertion and removal events.
+ * SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is
+ * waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent
+ * should return immediately to it's caller.
+ */
+#define SECMOD_END_WAIT 0x01
+#define SECMOD_WAIT_SIMULATED_EVENT 0x02
+#define SECMOD_WAIT_PKCS11_EVENT 0x04
+
+struct SECMODModuleListStr {
+ SECMODModuleList *next;
+ SECMODModule *module;
+};
+
+struct PK11SlotListStr {
+ PK11SlotListElement *head;
+ PK11SlotListElement *tail;
+ PZLock *lock;
+};
+
+struct PK11SlotListElementStr {
+ PK11SlotListElement *next;
+ PK11SlotListElement *prev;
+ PK11SlotInfo *slot;
+ int refCount;
+};
+
+struct PK11RSAGenParamsStr {
+ int keySizeInBits;
+ unsigned long pe;
+};
+
+typedef enum {
+ PK11CertListUnique = 0, /* get one instance of all certs */
+ PK11CertListUser = 1, /* get all instances of user certs */
+ PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key.
+ * deprecated. Use PK11CertListCAUnique
+ */
+ PK11CertListCA = 3, /* get all instances of CA certs */
+ PK11CertListCAUnique = 4, /* get one instance of CA certs */
+ PK11CertListUserUnique = 5, /* get one instance of user certs */
+ PK11CertListAll = 6 /* get all instances of all certs */
+} PK11CertListType;
+
+/*
+ * Entry into the array which lists all the legal bits for the default flags
+ * in the slot, their definition, and the PKCS #11 mechanism they represent.
+ * Always statically allocated.
+ */
+struct PK11DefaultArrayEntryStr {
+ const char *name;
+ unsigned long flag;
+ unsigned long mechanism; /* this is a long so we don't include the
+ * whole pkcs 11 world to use this header */
+};
+
+/*
+ * PK11AttrFlags
+ *
+ * A 32-bit bitmask of PK11_ATTR_XXX flags
+ */
+typedef PRUint32 PK11AttrFlags;
+
+/*
+ * PK11_ATTR_XXX
+ *
+ * The following PK11_ATTR_XXX bitflags are used to specify
+ * PKCS #11 object attributes that have Boolean values. Some NSS
+ * functions have a "PK11AttrFlags attrFlags" parameter whose value
+ * is the logical OR of these bitflags. NSS use these bitflags on
+ * private keys or secret keys. Some of these bitflags also apply
+ * to the public keys associated with the private keys.
+ *
+ * For each PKCS #11 object attribute, we need two bitflags to
+ * specify not only "true" and "false" but also "default". For
+ * example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the
+ * CKA_PRIVATE attribute. If PK11_ATTR_PRIVATE is set, we add
+ * { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) }
+ * to the template. If PK11_ATTR_PUBLIC is set, we add
+ * { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) }
+ * to the template. If neither flag is set, we don't add any
+ * CKA_PRIVATE entry to the template.
+ */
+
+/*
+ * Attributes for PKCS #11 storage objects, which include not only
+ * keys but also certificates and domain parameters.
+ */
+
+/*
+ * PK11_ATTR_TOKEN
+ * PK11_ATTR_SESSION
+ *
+ * These two flags determine whether the object is a token or
+ * session object.
+ *
+ * These two flags are related and cannot both be set.
+ * If the PK11_ATTR_TOKEN flag is set, the object is a token
+ * object. If the PK11_ATTR_SESSION flag is set, the object is
+ * a session object. If neither flag is set, the object is *by
+ * default* a session object.
+ *
+ * These two flags specify the value of the PKCS #11 CKA_TOKEN
+ * attribute.
+ */
+#define PK11_ATTR_TOKEN 0x00000001L
+#define PK11_ATTR_SESSION 0x00000002L
+
+/*
+ * PK11_ATTR_PRIVATE
+ * PK11_ATTR_PUBLIC
+ *
+ * These two flags determine whether the object is a private or
+ * public object. A user may not access a private object until the
+ * user has authenticated to the token.
+ *
+ * These two flags are related and cannot both be set.
+ * If the PK11_ATTR_PRIVATE flag is set, the object is a private
+ * object. If the PK11_ATTR_PUBLIC flag is set, the object is a
+ * public object. If neither flag is set, it is token-specific
+ * whether the object is private or public.
+ *
+ * These two flags specify the value of the PKCS #11 CKA_PRIVATE
+ * attribute. NSS only uses this attribute on private and secret
+ * keys, so public keys created by NSS get the token-specific
+ * default value of the CKA_PRIVATE attribute.
+ */
+#define PK11_ATTR_PRIVATE 0x00000004L
+#define PK11_ATTR_PUBLIC 0x00000008L
+
+/*
+ * PK11_ATTR_MODIFIABLE
+ * PK11_ATTR_UNMODIFIABLE
+ *
+ * These two flags determine whether the object is modifiable or
+ * read-only.
+ *
+ * These two flags are related and cannot both be set.
+ * If the PK11_ATTR_MODIFIABLE flag is set, the object can be
+ * modified. If the PK11_ATTR_UNMODIFIABLE flag is set, the object
+ * is read-only. If neither flag is set, the object is *by default*
+ * modifiable.
+ *
+ * These two flags specify the value of the PKCS #11 CKA_MODIFIABLE
+ * attribute.
+ */
+#define PK11_ATTR_MODIFIABLE 0x00000010L
+#define PK11_ATTR_UNMODIFIABLE 0x00000020L
+
+/* Attributes for PKCS #11 key objects. */
+
+/*
+ * PK11_ATTR_SENSITIVE
+ * PK11_ATTR_INSENSITIVE
+ *
+ * These two flags are related and cannot both be set.
+ * If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive.
+ * If the PK11_ATTR_INSENSITIVE flag is set, the key is not
+ * sensitive. If neither flag is set, it is token-specific whether
+ * the key is sensitive or not.
+ *
+ * If a key is sensitive, certain attributes of the key cannot be
+ * revealed in plaintext outside the token.
+ *
+ * This flag specifies the value of the PKCS #11 CKA_SENSITIVE
+ * attribute. Although the default value of the CKA_SENSITIVE
+ * attribute for secret keys is CK_FALSE per PKCS #11, some FIPS
+ * tokens set the default value to CK_TRUE because only CK_TRUE
+ * is allowed. So in practice the default value of this attribute
+ * is token-specific, hence the need for two bitflags.
+ */
+#define PK11_ATTR_SENSITIVE 0x00000040L
+#define PK11_ATTR_INSENSITIVE 0x00000080L
+
+/*
+ * PK11_ATTR_EXTRACTABLE
+ * PK11_ATTR_UNEXTRACTABLE
+ *
+ * These two flags are related and cannot both be set.
+ * If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable
+ * and can be wrapped. If the PK11_ATTR_UNEXTRACTABLE flag is set,
+ * the key is not extractable, and certain attributes of the key
+ * cannot be revealed in plaintext outside the token (just like a
+ * sensitive key). If neither flag is set, it is token-specific
+ * whether the key is extractable or not.
+ *
+ * These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE
+ * attribute.
+ */
+#define PK11_ATTR_EXTRACTABLE 0x00000100L
+#define PK11_ATTR_UNEXTRACTABLE 0x00000200L
+
+/* Cryptographic module types */
+#define SECMOD_EXTERNAL 0 /* external module */
+#define SECMOD_INTERNAL 1 /* internal default module */
+#define SECMOD_FIPS 2 /* internal fips module */
+
+/* default module configuration strings */
+#define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]"
+
+#define SECMOD_MAKE_NSS_FLAGS(fips, slot) \
+ "Flags=internal,critical" fips " slotparams=(" #slot "={" SECMOD_SLOT_FLAGS "})"
+
+#define SECMOD_INT_NAME "NSS Internal PKCS #11 Module"
+#define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("", 1)
+#define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
+#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips", 3)
+
+/*
+ * What is the origin of a given Key. Normally this doesn't matter, but
+ * the fortezza code needs to know if it needs to invoke the SSL3 fortezza
+ * hack.
+ */
+typedef enum {
+ PK11_OriginNULL = 0, /* There is not key, it's a null SymKey */
+ PK11_OriginDerive = 1, /* Key was derived from some other key */
+ PK11_OriginGenerated = 2, /* Key was generated (also PBE keys) */
+ PK11_OriginFortezzaHack = 3, /* Key was marked for fortezza hack */
+ PK11_OriginUnwrap = 4 /* Key was unwrapped or decrypted */
+} PK11Origin;
+
+/* PKCS #11 disable reasons */
+typedef enum {
+ PK11_DIS_NONE = 0,
+ PK11_DIS_USER_SELECTED = 1,
+ PK11_DIS_COULD_NOT_INIT_TOKEN = 2,
+ PK11_DIS_TOKEN_VERIFY_FAILED = 3,
+ PK11_DIS_TOKEN_NOT_PRESENT = 4
+} PK11DisableReasons;
+
+/* types of PKCS #11 objects
+ * used to identify which NSS data structure is
+ * passed to the PK11_Raw* functions. Types map as follows:
+ * PK11_TypeGeneric PK11GenericObject *
+ * PK11_TypePrivKey SECKEYPrivateKey *
+ * PK11_TypePubKey SECKEYPublicKey *
+ * PK11_TypeSymKey PK11SymKey *
+ * PK11_TypeCert CERTCertificate * (currently not used).
+ */
+typedef enum {
+ PK11_TypeGeneric = 0,
+ PK11_TypePrivKey = 1,
+ PK11_TypePubKey = 2,
+ PK11_TypeCert = 3,
+ PK11_TypeSymKey = 4
+} PK11ObjectType;
+
+/* function pointer type for password callback function.
+ * This type is passed in to PK11_SetPasswordFunc()
+ */
+typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg);
+typedef PRBool(PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg);
+typedef PRBool(PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg);
+
+/*
+ * Special strings the password callback function can return only if
+ * the slot is an protected auth path slot.
+ */
+#define PK11_PW_RETRY "RETRY" /* an failed attempt to authenticate \
+ * has already been made, just retry \
+ * the operation */
+#define PK11_PW_AUTHENTICATED "AUTH" /* a successful attempt to authenticate \
+ * has completed. Continue without \
+ * another call to C_Login */
+/* All other non-null values mean that that NSS could call C_Login to force
+ * the authentication. The following define is to aid applications in
+ * documenting that is what it's trying to do */
+#define PK11_PW_TRY "TRY" /* Default: a prompt has been presented \
+ * to the user, initiate a C_Login \
+ * to authenticate the token */
+
+/*
+ * PKCS #11 key structures
+ */
+
+/*
+** Attributes
+*/
+struct SECKEYAttributeStr {
+ SECItem attrType;
+ SECItem **attrValue;
+};
+typedef struct SECKEYAttributeStr SECKEYAttribute;
+
+/*
+** A PKCS#8 private key info object
+*/
+struct SECKEYPrivateKeyInfoStr {
+ PLArenaPool *arena;
+ SECItem version;
+ SECAlgorithmID algorithm;
+ SECItem privateKey;
+ SECKEYAttribute **attributes;
+};
+typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo;
+
+/*
+** A PKCS#8 private key info object
+*/
+struct SECKEYEncryptedPrivateKeyInfoStr {
+ PLArenaPool *arena;
+ SECAlgorithmID algorithm;
+ SECItem encryptedData;
+};
+typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo;
+
+/*
+ * token removal detection
+ */
+typedef enum {
+ PK11TokenNotRemovable = 0,
+ PK11TokenPresent = 1,
+ PK11TokenChanged = 2,
+ PK11TokenRemoved = 3
+} PK11TokenStatus;
+
+typedef enum {
+ PK11TokenRemovedOrChangedEvent = 0,
+ PK11TokenPresentEvent = 1
+} PK11TokenEvent;
+
+/*
+ * CRL Import Flags
+ */
+#define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000
+#define CRL_IMPORT_BYPASS_CHECKS 0x00000001
+
+/*
+ * Merge Error Log
+ */
+typedef struct PK11MergeLogStr PK11MergeLog;
+typedef struct PK11MergeLogNodeStr PK11MergeLogNode;
+
+/* These need to be global, leave some open fields so we can 'expand'
+ * these without breaking binary compatibility */
+struct PK11MergeLogNodeStr {
+ PK11MergeLogNode *next; /* next entry in the list */
+ PK11MergeLogNode *prev; /* last entry in the list */
+ PK11GenericObject *object; /* object that failed */
+ int error; /* what the error was */
+ CK_RV reserved1;
+ unsigned long reserved2; /* future flags */
+ unsigned long reserved3; /* future scalar */
+ void *reserved4; /* future pointer */
+ void *reserved5; /* future expansion pointer */
+};
+
+struct PK11MergeLogStr {
+ PK11MergeLogNode *head;
+ PK11MergeLogNode *tail;
+ PLArenaPool *arena;
+ int version;
+ unsigned long reserved1;
+ unsigned long reserved2;
+ unsigned long reserved3;
+ void *reserverd4;
+ void *reserverd5;
+};
+
+#endif /*_SECMODT_H_ */