/gecko_api/include/secmodt.h
C++ Header | 502 lines | 220 code | 47 blank | 235 comment | 0 complexity | 7791ea9bd10d4757846bad973cfd0ebf MD5 | raw file
1/* ***** BEGIN LICENSE BLOCK ***** 2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 3 * 4 * The contents of this file are subject to the Mozilla Public License Version 5 * 1.1 (the "License"); you may not use this file except in compliance with 6 * the License. You may obtain a copy of the License at 7 * http://www.mozilla.org/MPL/ 8 * 9 * Software distributed under the License is distributed on an "AS IS" basis, 10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License 11 * for the specific language governing rights and limitations under the 12 * License. 13 * 14 * The Original Code is the Netscape security libraries. 15 * 16 * The Initial Developer of the Original Code is 17 * Netscape Communications Corporation. 18 * Portions created by the Initial Developer are Copyright (C) 1994-2000 19 * the Initial Developer. All Rights Reserved. 20 * 21 * Contributor(s): 22 * 23 * Alternatively, the contents of this file may be used under the terms of 24 * either the GNU General Public License Version 2 or later (the "GPL"), or 25 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), 26 * in which case the provisions of the GPL or the LGPL are applicable instead 27 * of those above. If you wish to allow use of your version of this file only 28 * under the terms of either the GPL or the LGPL, and not to allow others to 29 * use your version of this file under the terms of the MPL, indicate your 30 * decision by deleting the provisions above and replace them with the notice 31 * and other provisions required by the GPL or the LGPL. If you do not delete 32 * the provisions above, a recipient may use your version of this file under 33 * the terms of any one of the MPL, the GPL or the LGPL. 34 * 35 * ***** END LICENSE BLOCK ***** */ 36#ifndef _SECMODT_H_ 37#define _SECMODT_H_ 1 38 39#include "nssrwlkt.h" 40#include "nssilckt.h" 41#include "secoid.h" 42#include "secasn1.h" 43#include "pkcs11t.h" 44 45/* find a better home for these... */ 46extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[]; 47extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToEncryptedPrivateKeyInfoTemplate; 48extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[]; 49extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate; 50extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[]; 51extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PrivateKeyInfoTemplate; 52extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[]; 53extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToPrivateKeyInfoTemplate; 54 55/* PKCS11 needs to be included */ 56typedef struct SECMODModuleStr SECMODModule; 57typedef struct SECMODModuleListStr SECMODModuleList; 58typedef NSSRWLock SECMODListLock; 59typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */ 60typedef struct PK11PreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */ 61typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */ 62typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */ 63typedef struct PK11SlotListStr PK11SlotList; 64typedef struct PK11SlotListElementStr PK11SlotListElement; 65typedef struct PK11RSAGenParamsStr PK11RSAGenParams; 66typedef unsigned long SECMODModuleID; 67typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry; 68typedef struct PK11GenericObjectStr PK11GenericObject; 69typedef void (*PK11FreeDataFunc)(void *); 70 71struct SECMODModuleStr { 72 PRArenaPool *arena; 73 PRBool internal; /* true of internally linked modules, false 74 * for the loaded modules */ 75 PRBool loaded; /* Set to true if module has been loaded */ 76 PRBool isFIPS; /* Set to true if module is finst internal */ 77 char *dllName; /* name of the shared library which implements 78 * this module */ 79 char *commonName; /* name of the module to display to the user */ 80 void *library; /* pointer to the library. opaque. used only by 81 * pk11load.c */ 82 void *functionList; /* The PKCS #11 function table */ 83 PZLock *refLock; /* only used pk11db.c */ 84 int refCount; /* Module reference count */ 85 PK11SlotInfo **slots; /* array of slot points attached to this mod*/ 86 int slotCount; /* count of slot in above array */ 87 PK11PreSlotInfo *slotInfo; /* special info about slots default settings */ 88 int slotInfoCount; /* count */ 89 SECMODModuleID moduleID; /* ID so we can find this module again */ 90 PRBool isThreadSafe; 91 unsigned long ssl[2]; /* SSL cipher enable flags */ 92 char *libraryParams; /* Module specific parameters */ 93 void *moduleDBFunc; /* function to return module configuration data*/ 94 SECMODModule *parent; /* module that loaded us */ 95 PRBool isCritical; /* This module must load successfully */ 96 PRBool isModuleDB; /* this module has lists of PKCS #11 modules */ 97 PRBool moduleDBOnly; /* this module only has lists of PKCS #11 modules */ 98 int trustOrder; /* order for this module's certificate trust rollup */ 99 int cipherOrder; /* order for cipher operations */ 100 unsigned long evControlMask; /* control the running and shutdown of slot 101 * events (SECMOD_WaitForAnyTokenEvent) */ 102 CK_VERSION cryptokiVersion; /* version of this library */ 103}; 104 105/* evControlMask flags */ 106/* 107 * These bits tell the current state of a SECMOD_WaitForAnyTokenEvent. 108 * 109 * SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in 110 * C_WaitForSlotEvent(). 111 * SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code 112 * which polls for token insertion and removal events. 113 * SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is 114 * waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent 115 * should return immediately to it's caller. 116 */ 117#define SECMOD_END_WAIT 0x01 118#define SECMOD_WAIT_SIMULATED_EVENT 0x02 119#define SECMOD_WAIT_PKCS11_EVENT 0x04 120 121struct SECMODModuleListStr { 122 SECMODModuleList *next; 123 SECMODModule *module; 124}; 125 126struct PK11SlotListStr { 127 PK11SlotListElement *head; 128 PK11SlotListElement *tail; 129 PZLock *lock; 130}; 131 132struct PK11SlotListElementStr { 133 PK11SlotListElement *next; 134 PK11SlotListElement *prev; 135 PK11SlotInfo *slot; 136 int refCount; 137}; 138 139struct PK11RSAGenParamsStr { 140 int keySizeInBits; 141 unsigned long pe; 142}; 143 144typedef enum { 145 PK11CertListUnique = 0, /* get one instance of all certs */ 146 PK11CertListUser = 1, /* get all instances of user certs */ 147 PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key. 148 * deprecated. Use PK11CertListCAUnique 149 */ 150 PK11CertListCA = 3, /* get all instances of CA certs */ 151 PK11CertListCAUnique = 4, /* get one instance of CA certs */ 152 PK11CertListUserUnique = 5, /* get one instance of user certs */ 153 PK11CertListAll = 6 /* get all instances of all certs */ 154} PK11CertListType; 155 156/* 157 * Entry into the Array which lists all the legal bits for the default flags 158 * in the slot, their definition, and the PKCS #11 mechanism the represent 159 * Always Statically allocated. 160 */ 161struct PK11DefaultArrayEntryStr { 162 char *name; 163 unsigned long flag; 164 unsigned long mechanism; /* this is a long so we don't include the 165 * whole pkcs 11 world to use this header */ 166}; 167 168 169#define SECMOD_RSA_FLAG 0x00000001L 170#define SECMOD_DSA_FLAG 0x00000002L 171#define SECMOD_RC2_FLAG 0x00000004L 172#define SECMOD_RC4_FLAG 0x00000008L 173#define SECMOD_DES_FLAG 0x00000010L 174#define SECMOD_DH_FLAG 0x00000020L 175#define SECMOD_FORTEZZA_FLAG 0x00000040L 176#define SECMOD_RC5_FLAG 0x00000080L 177#define SECMOD_SHA1_FLAG 0x00000100L 178#define SECMOD_MD5_FLAG 0x00000200L 179#define SECMOD_MD2_FLAG 0x00000400L 180#define SECMOD_SSL_FLAG 0x00000800L 181#define SECMOD_TLS_FLAG 0x00001000L 182#define SECMOD_AES_FLAG 0x00002000L 183#define SECMOD_SHA256_FLAG 0x00004000L 184#define SECMOD_SHA512_FLAG 0x00008000L /* also for SHA384 */ 185#define SECMOD_CAMELLIA_FLAG 0x00010000L /* = PUBLIC_MECH_CAMELLIA_FLAG */ 186/* reserved bit for future, do not use */ 187#define SECMOD_RESERVED_FLAG 0X08000000L 188#define SECMOD_FRIENDLY_FLAG 0x10000000L 189#define SECMOD_RANDOM_FLAG 0x80000000L 190 191/* need to make SECMOD and PK11 prefixes consistant. */ 192#define PK11_OWN_PW_DEFAULTS 0x20000000L 193#define PK11_DISABLE_FLAG 0x40000000L 194 195/* 196 * PK11AttrFlags 197 * 198 * A 32-bit bitmask of PK11_ATTR_XXX flags 199 */ 200typedef PRUint32 PK11AttrFlags; 201 202/* 203 * PK11_ATTR_XXX 204 * 205 * The following PK11_ATTR_XXX bitflags are used to specify 206 * PKCS #11 object attributes that have Boolean values. Some NSS 207 * functions have a "PK11AttrFlags attrFlags" parameter whose value 208 * is the logical OR of these bitflags. NSS use these bitflags on 209 * private keys or secret keys. Some of these bitflags also apply 210 * to the public keys associated with the private keys. 211 * 212 * For each PKCS #11 object attribute, we need two bitflags to 213 * specify not only "true" and "false" but also "default". For 214 * example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the 215 * CKA_PRIVATE attribute. If PK11_ATTR_PRIVATE is set, we add 216 * { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) } 217 * to the template. If PK11_ATTR_PUBLIC is set, we add 218 * { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) } 219 * to the template. If neither flag is set, we don't add any 220 * CKA_PRIVATE entry to the template. 221 */ 222 223/* 224 * Attributes for PKCS #11 storage objects, which include not only 225 * keys but also certificates and domain parameters. 226 */ 227 228/* 229 * PK11_ATTR_TOKEN 230 * PK11_ATTR_SESSION 231 * 232 * These two flags determine whether the object is a token or 233 * session object. 234 * 235 * These two flags are related and cannot both be set. 236 * If the PK11_ATTR_TOKEN flag is set, the object is a token 237 * object. If the PK11_ATTR_SESSION flag is set, the object is 238 * a session object. If neither flag is set, the object is *by 239 * default* a session object. 240 * 241 * These two flags specify the value of the PKCS #11 CKA_TOKEN 242 * attribute. 243 */ 244#define PK11_ATTR_TOKEN 0x00000001L 245#define PK11_ATTR_SESSION 0x00000002L 246 247/* 248 * PK11_ATTR_PRIVATE 249 * PK11_ATTR_PUBLIC 250 * 251 * These two flags determine whether the object is a private or 252 * public object. A user may not access a private object until the 253 * user has authenticated to the token. 254 * 255 * These two flags are related and cannot both be set. 256 * If the PK11_ATTR_PRIVATE flag is set, the object is a private 257 * object. If the PK11_ATTR_PUBLIC flag is set, the object is a 258 * public object. If neither flag is set, it is token-specific 259 * whether the object is private or public. 260 * 261 * These two flags specify the value of the PKCS #11 CKA_PRIVATE 262 * attribute. NSS only uses this attribute on private and secret 263 * keys, so public keys created by NSS get the token-specific 264 * default value of the CKA_PRIVATE attribute. 265 */ 266#define PK11_ATTR_PRIVATE 0x00000004L 267#define PK11_ATTR_PUBLIC 0x00000008L 268 269/* 270 * PK11_ATTR_MODIFIABLE 271 * PK11_ATTR_UNMODIFIABLE 272 * 273 * These two flags determine whether the object is modifiable or 274 * read-only. 275 * 276 * These two flags are related and cannot both be set. 277 * If the PK11_ATTR_MODIFIABLE flag is set, the object can be 278 * modified. If the PK11_ATTR_UNMODIFIABLE flag is set, the object 279 * is read-only. If neither flag is set, the object is *by default* 280 * modifiable. 281 * 282 * These two flags specify the value of the PKCS #11 CKA_MODIFIABLE 283 * attribute. 284 */ 285#define PK11_ATTR_MODIFIABLE 0x00000010L 286#define PK11_ATTR_UNMODIFIABLE 0x00000020L 287 288/* Attributes for PKCS #11 key objects. */ 289 290/* 291 * PK11_ATTR_SENSITIVE 292 * PK11_ATTR_INSENSITIVE 293 * 294 * These two flags are related and cannot both be set. 295 * If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive. 296 * If the PK11_ATTR_INSENSITIVE flag is set, the key is not 297 * sensitive. If neither flag is set, it is token-specific whether 298 * the key is sensitive or not. 299 * 300 * If a key is sensitive, certain attributes of the key cannot be 301 * revealed in plaintext outside the token. 302 * 303 * This flag specifies the value of the PKCS #11 CKA_SENSITIVE 304 * attribute. Although the default value of the CKA_SENSITIVE 305 * attribute for secret keys is CK_FALSE per PKCS #11, some FIPS 306 * tokens set the default value to CK_TRUE because only CK_TRUE 307 * is allowed. So in practice the default value of this attribute 308 * is token-specific, hence the need for two bitflags. 309 */ 310#define PK11_ATTR_SENSITIVE 0x00000040L 311#define PK11_ATTR_INSENSITIVE 0x00000080L 312 313/* 314 * PK11_ATTR_EXTRACTABLE 315 * PK11_ATTR_UNEXTRACTABLE 316 * 317 * These two flags are related and cannot both be set. 318 * If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable 319 * and can be wrapped. If the PK11_ATTR_UNEXTRACTABLE flag is set, 320 * the key is not extractable, and certain attributes of the key 321 * cannot be revealed in plaintext outside the token (just like a 322 * sensitive key). If neither flag is set, it is token-specific 323 * whether the key is extractable or not. 324 * 325 * These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE 326 * attribute. 327 */ 328#define PK11_ATTR_EXTRACTABLE 0x00000100L 329#define PK11_ATTR_UNEXTRACTABLE 0x00000200L 330 331/* Cryptographic module types */ 332#define SECMOD_EXTERNAL 0 /* external module */ 333#define SECMOD_INTERNAL 1 /* internal default module */ 334#define SECMOD_FIPS 2 /* internal fips module */ 335 336/* default module configuration strings */ 337#define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SHA256,SHA512]" 338 339#define SECMOD_MAKE_NSS_FLAGS(fips,slot) \ 340"Flags=internal,critical"fips" slotparams=("#slot"={"SECMOD_SLOT_FLAGS"})" 341 342#define SECMOD_INT_NAME "NSS Internal PKCS #11 Module" 343#define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("",1) 344#define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module" 345#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips",3) 346 347/* 348 * What is the origin of a given Key. Normally this doesn't matter, but 349 * the fortezza code needs to know if it needs to invoke the SSL3 fortezza 350 * hack. 351 */ 352typedef enum { 353 PK11_OriginNULL = 0, /* There is not key, it's a null SymKey */ 354 PK11_OriginDerive = 1, /* Key was derived from some other key */ 355 PK11_OriginGenerated = 2, /* Key was generated (also PBE keys) */ 356 PK11_OriginFortezzaHack = 3,/* Key was marked for fortezza hack */ 357 PK11_OriginUnwrap = 4 /* Key was unwrapped or decrypted */ 358} PK11Origin; 359 360/* PKCS #11 disable reasons */ 361typedef enum { 362 PK11_DIS_NONE = 0, 363 PK11_DIS_USER_SELECTED = 1, 364 PK11_DIS_COULD_NOT_INIT_TOKEN = 2, 365 PK11_DIS_TOKEN_VERIFY_FAILED = 3, 366 PK11_DIS_TOKEN_NOT_PRESENT = 4 367} PK11DisableReasons; 368 369/* types of PKCS #11 objects 370 * used to identify which NSS data structure is 371 * passed to the PK11_Raw* functions. Types map as follows: 372 * PK11_TypeGeneric PK11GenericObject * 373 * PK11_TypePrivKey SECKEYPrivateKey * 374 * PK11_TypePubKey SECKEYPublicKey * 375 * PK11_TypeSymKey PK11SymKey * 376 * PK11_TypeCert CERTCertificate * (currently not used). 377 */ 378typedef enum { 379 PK11_TypeGeneric = 0, 380 PK11_TypePrivKey = 1, 381 PK11_TypePubKey = 2, 382 PK11_TypeCert = 3, 383 PK11_TypeSymKey = 4 384} PK11ObjectType; 385 386 387 388/* function pointer type for password callback function. 389 * This type is passed in to PK11_SetPasswordFunc() 390 */ 391typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg); 392typedef PRBool (PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg); 393typedef PRBool (PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg); 394 395/* 396 * Special strings the password callback function can return only if 397 * the slot is an protected auth path slot. 398 */ 399#define PK11_PW_RETRY "RETRY" /* an failed attempt to authenticate 400 * has already been made, just retry 401 * the operation */ 402#define PK11_PW_AUTHENTICATED "AUTH" /* a successful attempt to authenticate 403 * has completed. Continue without 404 * another call to C_Login */ 405/* All other non-null values mean that that NSS could call C_Login to force 406 * the authentication. The following define is to aid applications in 407 * documenting that is what it's trying to do */ 408#define PK11_PW_TRY "TRY" /* Default: a prompt has been presented 409 * to the user, initiate a C_Login 410 * to authenticate the token */ 411 412/* 413 * PKCS #11 key structures 414 */ 415 416/* 417** Attributes 418*/ 419struct SECKEYAttributeStr { 420 SECItem attrType; 421 SECItem **attrValue; 422}; 423typedef struct SECKEYAttributeStr SECKEYAttribute; 424 425/* 426** A PKCS#8 private key info object 427*/ 428struct SECKEYPrivateKeyInfoStr { 429 PLArenaPool *arena; 430 SECItem version; 431 SECAlgorithmID algorithm; 432 SECItem privateKey; 433 SECKEYAttribute **attributes; 434}; 435typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo; 436 437/* 438** A PKCS#8 private key info object 439*/ 440struct SECKEYEncryptedPrivateKeyInfoStr { 441 PLArenaPool *arena; 442 SECAlgorithmID algorithm; 443 SECItem encryptedData; 444}; 445typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo; 446 447/* 448 * token removal detection 449 */ 450typedef enum { 451 PK11TokenNotRemovable = 0, 452 PK11TokenPresent = 1, 453 PK11TokenChanged = 2, 454 PK11TokenRemoved = 3 455} PK11TokenStatus; 456 457typedef enum { 458 PK11TokenRemovedOrChangedEvent = 0, 459 PK11TokenPresentEvent = 1 460} PK11TokenEvent; 461 462/* 463 * CRL Import Flags 464 */ 465#define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000 466#define CRL_IMPORT_BYPASS_CHECKS 0x00000001 467 468 469/* 470 * Merge Error Log 471 */ 472typedef struct PK11MergeLogStr PK11MergeLog; 473typedef struct PK11MergeLogNodeStr PK11MergeLogNode; 474 475/* These need to be global, leave some open fields so we can 'expand' 476 * these without breaking binary compatibility */ 477struct PK11MergeLogNodeStr { 478 PK11MergeLogNode *next; /* next entry in the list */ 479 PK11MergeLogNode *prev; /* last entry in the list */ 480 PK11GenericObject *object; /* object that failed */ 481 int error; /* what the error was */ 482 CK_RV reserved1; 483 unsigned long reserved2; /* future flags */ 484 unsigned long reserved3; /* future scalar */ 485 void *reserved4; /* future pointer */ 486 void *reserved5; /* future expansion pointer */ 487}; 488 489struct PK11MergeLogStr { 490 PK11MergeLogNode *head; 491 PK11MergeLogNode *tail; 492 PRArenaPool *arena; 493 int version; 494 unsigned long reserved1; 495 unsigned long reserved2; 496 unsigned long reserved3; 497 void *reserverd4; 498 void *reserverd5; 499}; 500 501 502#endif /*_SECMODT_H_ */