diff options
Diffstat (limited to '')
-rw-r--r-- | security/nss/lib/pk11wrap/secmodt.h | 448 |
1 files changed, 448 insertions, 0 deletions
diff --git a/security/nss/lib/pk11wrap/secmodt.h b/security/nss/lib/pk11wrap/secmodt.h new file mode 100644 index 0000000000..5f15e5967c --- /dev/null +++ b/security/nss/lib/pk11wrap/secmodt.h @@ -0,0 +1,448 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#ifndef _SECMODT_H_ +#define _SECMODT_H_ 1 + +#include "nssrwlkt.h" +#include "nssilckt.h" +#include "secoid.h" +#include "secasn1.h" +#include "pkcs11t.h" +#include "utilmodt.h" + +SEC_BEGIN_PROTOS + +/* find a better home for these... */ +extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[]; +SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate) +extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[]; +SEC_ASN1_CHOOSER_DECLARE(SECKEY_EncryptedPrivateKeyInfoTemplate) +extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[]; +SEC_ASN1_CHOOSER_DECLARE(SECKEY_PrivateKeyInfoTemplate) +extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[]; +SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToPrivateKeyInfoTemplate) + +SEC_END_PROTOS + +/* PKCS11 needs to be included */ +typedef struct SECMODModuleStr SECMODModule; +typedef struct SECMODModuleListStr SECMODModuleList; +typedef NSSRWLock SECMODListLock; +typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */ +typedef struct NSSUTILPreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */ +typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */ +typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */ +typedef struct PK11SlotListStr PK11SlotList; +typedef struct PK11SlotListElementStr PK11SlotListElement; +typedef struct PK11RSAGenParamsStr PK11RSAGenParams; +typedef unsigned long SECMODModuleID; +typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry; +typedef struct PK11GenericObjectStr PK11GenericObject; +typedef void (*PK11FreeDataFunc)(void *); + +struct SECMODModuleStr { + PLArenaPool *arena; + PRBool internal; /* true of internally linked modules, false + * for the loaded modules */ + PRBool loaded; /* Set to true if module has been loaded */ + PRBool isFIPS; /* Set to true if module is finst internal */ + char *dllName; /* name of the shared library which implements + * this module */ + char *commonName; /* name of the module to display to the user */ + void *library; /* pointer to the library. opaque. used only by + * pk11load.c */ + void *functionList; /* The PKCS #11 function table */ + PZLock *refLock; /* only used pk11db.c */ + int refCount; /* Module reference count */ + PK11SlotInfo **slots; /* array of slot points attached to this mod*/ + int slotCount; /* count of slot in above array */ + PK11PreSlotInfo *slotInfo; /* special info about slots default settings */ + int slotInfoCount; /* count */ + SECMODModuleID moduleID; /* ID so we can find this module again */ + PRBool isThreadSafe; + unsigned long ssl[2]; /* SSL cipher enable flags */ + char *libraryParams; /* Module specific parameters */ + void *moduleDBFunc; /* function to return module configuration data*/ + SECMODModule *parent; /* module that loaded us */ + PRBool isCritical; /* This module must load successfully */ + PRBool isModuleDB; /* this module has lists of PKCS #11 modules */ + PRBool moduleDBOnly; /* this module only has lists of PKCS #11 modules */ + int trustOrder; /* order for this module's certificate trust rollup */ + int cipherOrder; /* order for cipher operations */ + unsigned long evControlMask; /* control the running and shutdown of slot + * events (SECMOD_WaitForAnyTokenEvent) */ + CK_VERSION cryptokiVersion; /* version of this library */ + CK_FLAGS flags; /* pkcs11 v3 flags */ + /* Warning this could go way in future versions of NSS + * when FIPS indicators wind up in the functionList */ + CK_NSS_GetFIPSStatus fipsIndicator; +}; + +/* evControlMask flags */ +/* + * These bits tell the current state of a SECMOD_WaitForAnyTokenEvent. + * + * SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in + * C_WaitForSlotEvent(). + * SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code + * which polls for token insertion and removal events. + * SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is + * waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent + * should return immediately to it's caller. + */ +#define SECMOD_END_WAIT 0x01 +#define SECMOD_WAIT_SIMULATED_EVENT 0x02 +#define SECMOD_WAIT_PKCS11_EVENT 0x04 + +struct SECMODModuleListStr { + SECMODModuleList *next; + SECMODModule *module; +}; + +struct PK11SlotListStr { + PK11SlotListElement *head; + PK11SlotListElement *tail; + PZLock *lock; +}; + +struct PK11SlotListElementStr { + PK11SlotListElement *next; + PK11SlotListElement *prev; + PK11SlotInfo *slot; + int refCount; +}; + +struct PK11RSAGenParamsStr { + int keySizeInBits; + unsigned long pe; +}; + +typedef enum { + PK11CertListUnique = 0, /* get one instance of all certs */ + PK11CertListUser = 1, /* get all instances of user certs */ + PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key. + * deprecated. Use PK11CertListCAUnique + */ + PK11CertListCA = 3, /* get all instances of CA certs */ + PK11CertListCAUnique = 4, /* get one instance of CA certs */ + PK11CertListUserUnique = 5, /* get one instance of user certs */ + PK11CertListAll = 6 /* get all instances of all certs */ +} PK11CertListType; + +/* + * Entry into the array which lists all the legal bits for the default flags + * in the slot, their definition, and the PKCS #11 mechanism they represent. + * Always statically allocated. + */ +struct PK11DefaultArrayEntryStr { + const char *name; + unsigned long flag; + unsigned long mechanism; /* this is a long so we don't include the + * whole pkcs 11 world to use this header */ +}; + +/* + * PK11AttrFlags + * + * A 32-bit bitmask of PK11_ATTR_XXX flags + */ +typedef PRUint32 PK11AttrFlags; + +/* + * PK11_ATTR_XXX + * + * The following PK11_ATTR_XXX bitflags are used to specify + * PKCS #11 object attributes that have Boolean values. Some NSS + * functions have a "PK11AttrFlags attrFlags" parameter whose value + * is the logical OR of these bitflags. NSS use these bitflags on + * private keys or secret keys. Some of these bitflags also apply + * to the public keys associated with the private keys. + * + * For each PKCS #11 object attribute, we need two bitflags to + * specify not only "true" and "false" but also "default". For + * example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the + * CKA_PRIVATE attribute. If PK11_ATTR_PRIVATE is set, we add + * { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) } + * to the template. If PK11_ATTR_PUBLIC is set, we add + * { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) } + * to the template. If neither flag is set, we don't add any + * CKA_PRIVATE entry to the template. + */ + +/* + * Attributes for PKCS #11 storage objects, which include not only + * keys but also certificates and domain parameters. + */ + +/* + * PK11_ATTR_TOKEN + * PK11_ATTR_SESSION + * + * These two flags determine whether the object is a token or + * session object. + * + * These two flags are related and cannot both be set. + * If the PK11_ATTR_TOKEN flag is set, the object is a token + * object. If the PK11_ATTR_SESSION flag is set, the object is + * a session object. If neither flag is set, the object is *by + * default* a session object. + * + * These two flags specify the value of the PKCS #11 CKA_TOKEN + * attribute. + */ +#define PK11_ATTR_TOKEN 0x00000001L +#define PK11_ATTR_SESSION 0x00000002L + +/* + * PK11_ATTR_PRIVATE + * PK11_ATTR_PUBLIC + * + * These two flags determine whether the object is a private or + * public object. A user may not access a private object until the + * user has authenticated to the token. + * + * These two flags are related and cannot both be set. + * If the PK11_ATTR_PRIVATE flag is set, the object is a private + * object. If the PK11_ATTR_PUBLIC flag is set, the object is a + * public object. If neither flag is set, it is token-specific + * whether the object is private or public. + * + * These two flags specify the value of the PKCS #11 CKA_PRIVATE + * attribute. NSS only uses this attribute on private and secret + * keys, so public keys created by NSS get the token-specific + * default value of the CKA_PRIVATE attribute. + */ +#define PK11_ATTR_PRIVATE 0x00000004L +#define PK11_ATTR_PUBLIC 0x00000008L + +/* + * PK11_ATTR_MODIFIABLE + * PK11_ATTR_UNMODIFIABLE + * + * These two flags determine whether the object is modifiable or + * read-only. + * + * These two flags are related and cannot both be set. + * If the PK11_ATTR_MODIFIABLE flag is set, the object can be + * modified. If the PK11_ATTR_UNMODIFIABLE flag is set, the object + * is read-only. If neither flag is set, the object is *by default* + * modifiable. + * + * These two flags specify the value of the PKCS #11 CKA_MODIFIABLE + * attribute. + */ +#define PK11_ATTR_MODIFIABLE 0x00000010L +#define PK11_ATTR_UNMODIFIABLE 0x00000020L + +/* Attributes for PKCS #11 key objects. */ + +/* + * PK11_ATTR_SENSITIVE + * PK11_ATTR_INSENSITIVE + * + * These two flags are related and cannot both be set. + * If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive. + * If the PK11_ATTR_INSENSITIVE flag is set, the key is not + * sensitive. If neither flag is set, it is token-specific whether + * the key is sensitive or not. + * + * If a key is sensitive, certain attributes of the key cannot be + * revealed in plaintext outside the token. + * + * This flag specifies the value of the PKCS #11 CKA_SENSITIVE + * attribute. Although the default value of the CKA_SENSITIVE + * attribute for secret keys is CK_FALSE per PKCS #11, some FIPS + * tokens set the default value to CK_TRUE because only CK_TRUE + * is allowed. So in practice the default value of this attribute + * is token-specific, hence the need for two bitflags. + */ +#define PK11_ATTR_SENSITIVE 0x00000040L +#define PK11_ATTR_INSENSITIVE 0x00000080L + +/* + * PK11_ATTR_EXTRACTABLE + * PK11_ATTR_UNEXTRACTABLE + * + * These two flags are related and cannot both be set. + * If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable + * and can be wrapped. If the PK11_ATTR_UNEXTRACTABLE flag is set, + * the key is not extractable, and certain attributes of the key + * cannot be revealed in plaintext outside the token (just like a + * sensitive key). If neither flag is set, it is token-specific + * whether the key is extractable or not. + * + * These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE + * attribute. + */ +#define PK11_ATTR_EXTRACTABLE 0x00000100L +#define PK11_ATTR_UNEXTRACTABLE 0x00000200L + +/* Cryptographic module types */ +#define SECMOD_EXTERNAL 0 /* external module */ +#define SECMOD_INTERNAL 1 /* internal default module */ +#define SECMOD_FIPS 2 /* internal fips module */ + +/* default module configuration strings */ +#define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]" + +#define SECMOD_MAKE_NSS_FLAGS(fips, slot) \ + "Flags=internal,critical" fips " slotparams=(" #slot "={" SECMOD_SLOT_FLAGS "})" + +#define SECMOD_INT_NAME "NSS Internal PKCS #11 Module" +#define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("", 1) +#define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module" +#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips", 3) + +/* + * What is the origin of a given Key. Normally this doesn't matter, but + * the fortezza code needs to know if it needs to invoke the SSL3 fortezza + * hack. + */ +typedef enum { + PK11_OriginNULL = 0, /* There is not key, it's a null SymKey */ + PK11_OriginDerive = 1, /* Key was derived from some other key */ + PK11_OriginGenerated = 2, /* Key was generated (also PBE keys) */ + PK11_OriginFortezzaHack = 3, /* Key was marked for fortezza hack */ + PK11_OriginUnwrap = 4 /* Key was unwrapped or decrypted */ +} PK11Origin; + +/* PKCS #11 disable reasons */ +typedef enum { + PK11_DIS_NONE = 0, + PK11_DIS_USER_SELECTED = 1, + PK11_DIS_COULD_NOT_INIT_TOKEN = 2, + PK11_DIS_TOKEN_VERIFY_FAILED = 3, + PK11_DIS_TOKEN_NOT_PRESENT = 4 +} PK11DisableReasons; + +/* types of PKCS #11 objects + * used to identify which NSS data structure is + * passed to the PK11_Raw* functions. Types map as follows: + * PK11_TypeGeneric PK11GenericObject * + * PK11_TypePrivKey SECKEYPrivateKey * + * PK11_TypePubKey SECKEYPublicKey * + * PK11_TypeSymKey PK11SymKey * + * PK11_TypeCert CERTCertificate * (currently not used). + */ +typedef enum { + PK11_TypeGeneric = 0, + PK11_TypePrivKey = 1, + PK11_TypePubKey = 2, + PK11_TypeCert = 3, + PK11_TypeSymKey = 4 +} PK11ObjectType; + +/* function pointer type for password callback function. + * This type is passed in to PK11_SetPasswordFunc() + */ +typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg); +typedef PRBool(PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg); +typedef PRBool(PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg); + +/* + * Special strings the password callback function can return only if + * the slot is an protected auth path slot. + */ +#define PK11_PW_RETRY "RETRY" /* an failed attempt to authenticate \ + * has already been made, just retry \ + * the operation */ +#define PK11_PW_AUTHENTICATED "AUTH" /* a successful attempt to authenticate \ + * has completed. Continue without \ + * another call to C_Login */ +/* All other non-null values mean that that NSS could call C_Login to force + * the authentication. The following define is to aid applications in + * documenting that is what it's trying to do */ +#define PK11_PW_TRY "TRY" /* Default: a prompt has been presented \ + * to the user, initiate a C_Login \ + * to authenticate the token */ + +/* + * PKCS #11 key structures + */ + +/* +** Attributes +*/ +struct SECKEYAttributeStr { + SECItem attrType; + SECItem **attrValue; +}; +typedef struct SECKEYAttributeStr SECKEYAttribute; + +/* +** A PKCS#8 private key info object +*/ +struct SECKEYPrivateKeyInfoStr { + PLArenaPool *arena; + SECItem version; + SECAlgorithmID algorithm; + SECItem privateKey; + SECKEYAttribute **attributes; +}; +typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo; + +/* +** A PKCS#8 private key info object +*/ +struct SECKEYEncryptedPrivateKeyInfoStr { + PLArenaPool *arena; + SECAlgorithmID algorithm; + SECItem encryptedData; +}; +typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo; + +/* + * token removal detection + */ +typedef enum { + PK11TokenNotRemovable = 0, + PK11TokenPresent = 1, + PK11TokenChanged = 2, + PK11TokenRemoved = 3 +} PK11TokenStatus; + +typedef enum { + PK11TokenRemovedOrChangedEvent = 0, + PK11TokenPresentEvent = 1 +} PK11TokenEvent; + +/* + * CRL Import Flags + */ +#define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000 +#define CRL_IMPORT_BYPASS_CHECKS 0x00000001 + +/* + * Merge Error Log + */ +typedef struct PK11MergeLogStr PK11MergeLog; +typedef struct PK11MergeLogNodeStr PK11MergeLogNode; + +/* These need to be global, leave some open fields so we can 'expand' + * these without breaking binary compatibility */ +struct PK11MergeLogNodeStr { + PK11MergeLogNode *next; /* next entry in the list */ + PK11MergeLogNode *prev; /* last entry in the list */ + PK11GenericObject *object; /* object that failed */ + int error; /* what the error was */ + CK_RV reserved1; + unsigned long reserved2; /* future flags */ + unsigned long reserved3; /* future scalar */ + void *reserved4; /* future pointer */ + void *reserved5; /* future expansion pointer */ +}; + +struct PK11MergeLogStr { + PK11MergeLogNode *head; + PK11MergeLogNode *tail; + PLArenaPool *arena; + int version; + unsigned long reserved1; + unsigned long reserved2; + unsigned long reserved3; + void *reserverd4; + void *reserverd5; +}; + +#endif /*_SECMODT_H_ */ |