PageRenderTime 54ms CodeModel.GetById 18ms RepoModel.GetById 0ms app.codeStats 0ms

/gecko_api/include/secmodt.h

http://firefox-mac-pdf.googlecode.com/
C Header | 502 lines | 220 code | 47 blank | 235 comment | 0 complexity | 7791ea9bd10d4757846bad973cfd0ebf MD5 | raw file
  1. /* ***** BEGIN LICENSE BLOCK *****
  2. * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  3. *
  4. * The contents of this file are subject to the Mozilla Public License Version
  5. * 1.1 (the "License"); you may not use this file except in compliance with
  6. * the License. You may obtain a copy of the License at
  7. * http://www.mozilla.org/MPL/
  8. *
  9. * Software distributed under the License is distributed on an "AS IS" basis,
  10. * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
  11. * for the specific language governing rights and limitations under the
  12. * License.
  13. *
  14. * The Original Code is the Netscape security libraries.
  15. *
  16. * The Initial Developer of the Original Code is
  17. * Netscape Communications Corporation.
  18. * Portions created by the Initial Developer are Copyright (C) 1994-2000
  19. * the Initial Developer. All Rights Reserved.
  20. *
  21. * Contributor(s):
  22. *
  23. * Alternatively, the contents of this file may be used under the terms of
  24. * either the GNU General Public License Version 2 or later (the "GPL"), or
  25. * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  26. * in which case the provisions of the GPL or the LGPL are applicable instead
  27. * of those above. If you wish to allow use of your version of this file only
  28. * under the terms of either the GPL or the LGPL, and not to allow others to
  29. * use your version of this file under the terms of the MPL, indicate your
  30. * decision by deleting the provisions above and replace them with the notice
  31. * and other provisions required by the GPL or the LGPL. If you do not delete
  32. * the provisions above, a recipient may use your version of this file under
  33. * the terms of any one of the MPL, the GPL or the LGPL.
  34. *
  35. * ***** END LICENSE BLOCK ***** */
  36. #ifndef _SECMODT_H_
  37. #define _SECMODT_H_ 1
  38. #include "nssrwlkt.h"
  39. #include "nssilckt.h"
  40. #include "secoid.h"
  41. #include "secasn1.h"
  42. #include "pkcs11t.h"
  43. /* find a better home for these... */
  44. extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
  45. extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToEncryptedPrivateKeyInfoTemplate;
  46. extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
  47. extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate;
  48. extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
  49. extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PrivateKeyInfoTemplate;
  50. extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
  51. extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToPrivateKeyInfoTemplate;
  52. /* PKCS11 needs to be included */
  53. typedef struct SECMODModuleStr SECMODModule;
  54. typedef struct SECMODModuleListStr SECMODModuleList;
  55. typedef NSSRWLock SECMODListLock;
  56. typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */
  57. typedef struct PK11PreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */
  58. typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */
  59. typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */
  60. typedef struct PK11SlotListStr PK11SlotList;
  61. typedef struct PK11SlotListElementStr PK11SlotListElement;
  62. typedef struct PK11RSAGenParamsStr PK11RSAGenParams;
  63. typedef unsigned long SECMODModuleID;
  64. typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry;
  65. typedef struct PK11GenericObjectStr PK11GenericObject;
  66. typedef void (*PK11FreeDataFunc)(void *);
  67. struct SECMODModuleStr {
  68. PRArenaPool *arena;
  69. PRBool internal; /* true of internally linked modules, false
  70. * for the loaded modules */
  71. PRBool loaded; /* Set to true if module has been loaded */
  72. PRBool isFIPS; /* Set to true if module is finst internal */
  73. char *dllName; /* name of the shared library which implements
  74. * this module */
  75. char *commonName; /* name of the module to display to the user */
  76. void *library; /* pointer to the library. opaque. used only by
  77. * pk11load.c */
  78. void *functionList; /* The PKCS #11 function table */
  79. PZLock *refLock; /* only used pk11db.c */
  80. int refCount; /* Module reference count */
  81. PK11SlotInfo **slots; /* array of slot points attached to this mod*/
  82. int slotCount; /* count of slot in above array */
  83. PK11PreSlotInfo *slotInfo; /* special info about slots default settings */
  84. int slotInfoCount; /* count */
  85. SECMODModuleID moduleID; /* ID so we can find this module again */
  86. PRBool isThreadSafe;
  87. unsigned long ssl[2]; /* SSL cipher enable flags */
  88. char *libraryParams; /* Module specific parameters */
  89. void *moduleDBFunc; /* function to return module configuration data*/
  90. SECMODModule *parent; /* module that loaded us */
  91. PRBool isCritical; /* This module must load successfully */
  92. PRBool isModuleDB; /* this module has lists of PKCS #11 modules */
  93. PRBool moduleDBOnly; /* this module only has lists of PKCS #11 modules */
  94. int trustOrder; /* order for this module's certificate trust rollup */
  95. int cipherOrder; /* order for cipher operations */
  96. unsigned long evControlMask; /* control the running and shutdown of slot
  97. * events (SECMOD_WaitForAnyTokenEvent) */
  98. CK_VERSION cryptokiVersion; /* version of this library */
  99. };
  100. /* evControlMask flags */
  101. /*
  102. * These bits tell the current state of a SECMOD_WaitForAnyTokenEvent.
  103. *
  104. * SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in
  105. * C_WaitForSlotEvent().
  106. * SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code
  107. * which polls for token insertion and removal events.
  108. * SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is
  109. * waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent
  110. * should return immediately to it's caller.
  111. */
  112. #define SECMOD_END_WAIT 0x01
  113. #define SECMOD_WAIT_SIMULATED_EVENT 0x02
  114. #define SECMOD_WAIT_PKCS11_EVENT 0x04
  115. struct SECMODModuleListStr {
  116. SECMODModuleList *next;
  117. SECMODModule *module;
  118. };
  119. struct PK11SlotListStr {
  120. PK11SlotListElement *head;
  121. PK11SlotListElement *tail;
  122. PZLock *lock;
  123. };
  124. struct PK11SlotListElementStr {
  125. PK11SlotListElement *next;
  126. PK11SlotListElement *prev;
  127. PK11SlotInfo *slot;
  128. int refCount;
  129. };
  130. struct PK11RSAGenParamsStr {
  131. int keySizeInBits;
  132. unsigned long pe;
  133. };
  134. typedef enum {
  135. PK11CertListUnique = 0, /* get one instance of all certs */
  136. PK11CertListUser = 1, /* get all instances of user certs */
  137. PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key.
  138. * deprecated. Use PK11CertListCAUnique
  139. */
  140. PK11CertListCA = 3, /* get all instances of CA certs */
  141. PK11CertListCAUnique = 4, /* get one instance of CA certs */
  142. PK11CertListUserUnique = 5, /* get one instance of user certs */
  143. PK11CertListAll = 6 /* get all instances of all certs */
  144. } PK11CertListType;
  145. /*
  146. * Entry into the Array which lists all the legal bits for the default flags
  147. * in the slot, their definition, and the PKCS #11 mechanism the represent
  148. * Always Statically allocated.
  149. */
  150. struct PK11DefaultArrayEntryStr {
  151. char *name;
  152. unsigned long flag;
  153. unsigned long mechanism; /* this is a long so we don't include the
  154. * whole pkcs 11 world to use this header */
  155. };
  156. #define SECMOD_RSA_FLAG 0x00000001L
  157. #define SECMOD_DSA_FLAG 0x00000002L
  158. #define SECMOD_RC2_FLAG 0x00000004L
  159. #define SECMOD_RC4_FLAG 0x00000008L
  160. #define SECMOD_DES_FLAG 0x00000010L
  161. #define SECMOD_DH_FLAG 0x00000020L
  162. #define SECMOD_FORTEZZA_FLAG 0x00000040L
  163. #define SECMOD_RC5_FLAG 0x00000080L
  164. #define SECMOD_SHA1_FLAG 0x00000100L
  165. #define SECMOD_MD5_FLAG 0x00000200L
  166. #define SECMOD_MD2_FLAG 0x00000400L
  167. #define SECMOD_SSL_FLAG 0x00000800L
  168. #define SECMOD_TLS_FLAG 0x00001000L
  169. #define SECMOD_AES_FLAG 0x00002000L
  170. #define SECMOD_SHA256_FLAG 0x00004000L
  171. #define SECMOD_SHA512_FLAG 0x00008000L /* also for SHA384 */
  172. #define SECMOD_CAMELLIA_FLAG 0x00010000L /* = PUBLIC_MECH_CAMELLIA_FLAG */
  173. /* reserved bit for future, do not use */
  174. #define SECMOD_RESERVED_FLAG 0X08000000L
  175. #define SECMOD_FRIENDLY_FLAG 0x10000000L
  176. #define SECMOD_RANDOM_FLAG 0x80000000L
  177. /* need to make SECMOD and PK11 prefixes consistant. */
  178. #define PK11_OWN_PW_DEFAULTS 0x20000000L
  179. #define PK11_DISABLE_FLAG 0x40000000L
  180. /*
  181. * PK11AttrFlags
  182. *
  183. * A 32-bit bitmask of PK11_ATTR_XXX flags
  184. */
  185. typedef PRUint32 PK11AttrFlags;
  186. /*
  187. * PK11_ATTR_XXX
  188. *
  189. * The following PK11_ATTR_XXX bitflags are used to specify
  190. * PKCS #11 object attributes that have Boolean values. Some NSS
  191. * functions have a "PK11AttrFlags attrFlags" parameter whose value
  192. * is the logical OR of these bitflags. NSS use these bitflags on
  193. * private keys or secret keys. Some of these bitflags also apply
  194. * to the public keys associated with the private keys.
  195. *
  196. * For each PKCS #11 object attribute, we need two bitflags to
  197. * specify not only "true" and "false" but also "default". For
  198. * example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the
  199. * CKA_PRIVATE attribute. If PK11_ATTR_PRIVATE is set, we add
  200. * { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) }
  201. * to the template. If PK11_ATTR_PUBLIC is set, we add
  202. * { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) }
  203. * to the template. If neither flag is set, we don't add any
  204. * CKA_PRIVATE entry to the template.
  205. */
  206. /*
  207. * Attributes for PKCS #11 storage objects, which include not only
  208. * keys but also certificates and domain parameters.
  209. */
  210. /*
  211. * PK11_ATTR_TOKEN
  212. * PK11_ATTR_SESSION
  213. *
  214. * These two flags determine whether the object is a token or
  215. * session object.
  216. *
  217. * These two flags are related and cannot both be set.
  218. * If the PK11_ATTR_TOKEN flag is set, the object is a token
  219. * object. If the PK11_ATTR_SESSION flag is set, the object is
  220. * a session object. If neither flag is set, the object is *by
  221. * default* a session object.
  222. *
  223. * These two flags specify the value of the PKCS #11 CKA_TOKEN
  224. * attribute.
  225. */
  226. #define PK11_ATTR_TOKEN 0x00000001L
  227. #define PK11_ATTR_SESSION 0x00000002L
  228. /*
  229. * PK11_ATTR_PRIVATE
  230. * PK11_ATTR_PUBLIC
  231. *
  232. * These two flags determine whether the object is a private or
  233. * public object. A user may not access a private object until the
  234. * user has authenticated to the token.
  235. *
  236. * These two flags are related and cannot both be set.
  237. * If the PK11_ATTR_PRIVATE flag is set, the object is a private
  238. * object. If the PK11_ATTR_PUBLIC flag is set, the object is a
  239. * public object. If neither flag is set, it is token-specific
  240. * whether the object is private or public.
  241. *
  242. * These two flags specify the value of the PKCS #11 CKA_PRIVATE
  243. * attribute. NSS only uses this attribute on private and secret
  244. * keys, so public keys created by NSS get the token-specific
  245. * default value of the CKA_PRIVATE attribute.
  246. */
  247. #define PK11_ATTR_PRIVATE 0x00000004L
  248. #define PK11_ATTR_PUBLIC 0x00000008L
  249. /*
  250. * PK11_ATTR_MODIFIABLE
  251. * PK11_ATTR_UNMODIFIABLE
  252. *
  253. * These two flags determine whether the object is modifiable or
  254. * read-only.
  255. *
  256. * These two flags are related and cannot both be set.
  257. * If the PK11_ATTR_MODIFIABLE flag is set, the object can be
  258. * modified. If the PK11_ATTR_UNMODIFIABLE flag is set, the object
  259. * is read-only. If neither flag is set, the object is *by default*
  260. * modifiable.
  261. *
  262. * These two flags specify the value of the PKCS #11 CKA_MODIFIABLE
  263. * attribute.
  264. */
  265. #define PK11_ATTR_MODIFIABLE 0x00000010L
  266. #define PK11_ATTR_UNMODIFIABLE 0x00000020L
  267. /* Attributes for PKCS #11 key objects. */
  268. /*
  269. * PK11_ATTR_SENSITIVE
  270. * PK11_ATTR_INSENSITIVE
  271. *
  272. * These two flags are related and cannot both be set.
  273. * If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive.
  274. * If the PK11_ATTR_INSENSITIVE flag is set, the key is not
  275. * sensitive. If neither flag is set, it is token-specific whether
  276. * the key is sensitive or not.
  277. *
  278. * If a key is sensitive, certain attributes of the key cannot be
  279. * revealed in plaintext outside the token.
  280. *
  281. * This flag specifies the value of the PKCS #11 CKA_SENSITIVE
  282. * attribute. Although the default value of the CKA_SENSITIVE
  283. * attribute for secret keys is CK_FALSE per PKCS #11, some FIPS
  284. * tokens set the default value to CK_TRUE because only CK_TRUE
  285. * is allowed. So in practice the default value of this attribute
  286. * is token-specific, hence the need for two bitflags.
  287. */
  288. #define PK11_ATTR_SENSITIVE 0x00000040L
  289. #define PK11_ATTR_INSENSITIVE 0x00000080L
  290. /*
  291. * PK11_ATTR_EXTRACTABLE
  292. * PK11_ATTR_UNEXTRACTABLE
  293. *
  294. * These two flags are related and cannot both be set.
  295. * If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable
  296. * and can be wrapped. If the PK11_ATTR_UNEXTRACTABLE flag is set,
  297. * the key is not extractable, and certain attributes of the key
  298. * cannot be revealed in plaintext outside the token (just like a
  299. * sensitive key). If neither flag is set, it is token-specific
  300. * whether the key is extractable or not.
  301. *
  302. * These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE
  303. * attribute.
  304. */
  305. #define PK11_ATTR_EXTRACTABLE 0x00000100L
  306. #define PK11_ATTR_UNEXTRACTABLE 0x00000200L
  307. /* Cryptographic module types */
  308. #define SECMOD_EXTERNAL 0 /* external module */
  309. #define SECMOD_INTERNAL 1 /* internal default module */
  310. #define SECMOD_FIPS 2 /* internal fips module */
  311. /* default module configuration strings */
  312. #define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SHA256,SHA512]"
  313. #define SECMOD_MAKE_NSS_FLAGS(fips,slot) \
  314. "Flags=internal,critical"fips" slotparams=("#slot"={"SECMOD_SLOT_FLAGS"})"
  315. #define SECMOD_INT_NAME "NSS Internal PKCS #11 Module"
  316. #define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("",1)
  317. #define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
  318. #define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips",3)
  319. /*
  320. * What is the origin of a given Key. Normally this doesn't matter, but
  321. * the fortezza code needs to know if it needs to invoke the SSL3 fortezza
  322. * hack.
  323. */
  324. typedef enum {
  325. PK11_OriginNULL = 0, /* There is not key, it's a null SymKey */
  326. PK11_OriginDerive = 1, /* Key was derived from some other key */
  327. PK11_OriginGenerated = 2, /* Key was generated (also PBE keys) */
  328. PK11_OriginFortezzaHack = 3,/* Key was marked for fortezza hack */
  329. PK11_OriginUnwrap = 4 /* Key was unwrapped or decrypted */
  330. } PK11Origin;
  331. /* PKCS #11 disable reasons */
  332. typedef enum {
  333. PK11_DIS_NONE = 0,
  334. PK11_DIS_USER_SELECTED = 1,
  335. PK11_DIS_COULD_NOT_INIT_TOKEN = 2,
  336. PK11_DIS_TOKEN_VERIFY_FAILED = 3,
  337. PK11_DIS_TOKEN_NOT_PRESENT = 4
  338. } PK11DisableReasons;
  339. /* types of PKCS #11 objects
  340. * used to identify which NSS data structure is
  341. * passed to the PK11_Raw* functions. Types map as follows:
  342. * PK11_TypeGeneric PK11GenericObject *
  343. * PK11_TypePrivKey SECKEYPrivateKey *
  344. * PK11_TypePubKey SECKEYPublicKey *
  345. * PK11_TypeSymKey PK11SymKey *
  346. * PK11_TypeCert CERTCertificate * (currently not used).
  347. */
  348. typedef enum {
  349. PK11_TypeGeneric = 0,
  350. PK11_TypePrivKey = 1,
  351. PK11_TypePubKey = 2,
  352. PK11_TypeCert = 3,
  353. PK11_TypeSymKey = 4
  354. } PK11ObjectType;
  355. /* function pointer type for password callback function.
  356. * This type is passed in to PK11_SetPasswordFunc()
  357. */
  358. typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg);
  359. typedef PRBool (PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg);
  360. typedef PRBool (PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg);
  361. /*
  362. * Special strings the password callback function can return only if
  363. * the slot is an protected auth path slot.
  364. */
  365. #define PK11_PW_RETRY "RETRY" /* an failed attempt to authenticate
  366. * has already been made, just retry
  367. * the operation */
  368. #define PK11_PW_AUTHENTICATED "AUTH" /* a successful attempt to authenticate
  369. * has completed. Continue without
  370. * another call to C_Login */
  371. /* All other non-null values mean that that NSS could call C_Login to force
  372. * the authentication. The following define is to aid applications in
  373. * documenting that is what it's trying to do */
  374. #define PK11_PW_TRY "TRY" /* Default: a prompt has been presented
  375. * to the user, initiate a C_Login
  376. * to authenticate the token */
  377. /*
  378. * PKCS #11 key structures
  379. */
  380. /*
  381. ** Attributes
  382. */
  383. struct SECKEYAttributeStr {
  384. SECItem attrType;
  385. SECItem **attrValue;
  386. };
  387. typedef struct SECKEYAttributeStr SECKEYAttribute;
  388. /*
  389. ** A PKCS#8 private key info object
  390. */
  391. struct SECKEYPrivateKeyInfoStr {
  392. PLArenaPool *arena;
  393. SECItem version;
  394. SECAlgorithmID algorithm;
  395. SECItem privateKey;
  396. SECKEYAttribute **attributes;
  397. };
  398. typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo;
  399. /*
  400. ** A PKCS#8 private key info object
  401. */
  402. struct SECKEYEncryptedPrivateKeyInfoStr {
  403. PLArenaPool *arena;
  404. SECAlgorithmID algorithm;
  405. SECItem encryptedData;
  406. };
  407. typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo;
  408. /*
  409. * token removal detection
  410. */
  411. typedef enum {
  412. PK11TokenNotRemovable = 0,
  413. PK11TokenPresent = 1,
  414. PK11TokenChanged = 2,
  415. PK11TokenRemoved = 3
  416. } PK11TokenStatus;
  417. typedef enum {
  418. PK11TokenRemovedOrChangedEvent = 0,
  419. PK11TokenPresentEvent = 1
  420. } PK11TokenEvent;
  421. /*
  422. * CRL Import Flags
  423. */
  424. #define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000
  425. #define CRL_IMPORT_BYPASS_CHECKS 0x00000001
  426. /*
  427. * Merge Error Log
  428. */
  429. typedef struct PK11MergeLogStr PK11MergeLog;
  430. typedef struct PK11MergeLogNodeStr PK11MergeLogNode;
  431. /* These need to be global, leave some open fields so we can 'expand'
  432. * these without breaking binary compatibility */
  433. struct PK11MergeLogNodeStr {
  434. PK11MergeLogNode *next; /* next entry in the list */
  435. PK11MergeLogNode *prev; /* last entry in the list */
  436. PK11GenericObject *object; /* object that failed */
  437. int error; /* what the error was */
  438. CK_RV reserved1;
  439. unsigned long reserved2; /* future flags */
  440. unsigned long reserved3; /* future scalar */
  441. void *reserved4; /* future pointer */
  442. void *reserved5; /* future expansion pointer */
  443. };
  444. struct PK11MergeLogStr {
  445. PK11MergeLogNode *head;
  446. PK11MergeLogNode *tail;
  447. PRArenaPool *arena;
  448. int version;
  449. unsigned long reserved1;
  450. unsigned long reserved2;
  451. unsigned long reserved3;
  452. void *reserverd4;
  453. void *reserverd5;
  454. };
  455. #endif /*_SECMODT_H_ */