PageRenderTime 364ms CodeModel.GetById 31ms app.highlight 154ms RepoModel.GetById 168ms app.codeStats 1ms

/gecko_api/include/pk11pub.h

http://firefox-mac-pdf.googlecode.com/
C++ Header | 799 lines | 415 code | 53 blank | 331 comment | 0 complexity | 9088fe7e78881237e4a4a2f49aae5830 MD5 | raw file
  1/* ***** BEGIN LICENSE BLOCK *****
  2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  3 *
  4 * The contents of this file are subject to the Mozilla Public License Version
  5 * 1.1 (the "License"); you may not use this file except in compliance with
  6 * the License. You may obtain a copy of the License at
  7 * http://www.mozilla.org/MPL/
  8 *
  9 * Software distributed under the License is distributed on an "AS IS" basis,
 10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 11 * for the specific language governing rights and limitations under the
 12 * License.
 13 *
 14 * The Original Code is the Netscape security libraries.
 15 *
 16 * The Initial Developer of the Original Code is
 17 * Netscape Communications Corporation.
 18 * Portions created by the Initial Developer are Copyright (C) 1994-2000
 19 * the Initial Developer. All Rights Reserved.
 20 *
 21 * Contributor(s):
 22 *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
 23 *
 24 * Alternatively, the contents of this file may be used under the terms of
 25 * either the GNU General Public License Version 2 or later (the "GPL"), or
 26 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 27 * in which case the provisions of the GPL or the LGPL are applicable instead
 28 * of those above. If you wish to allow use of your version of this file only
 29 * under the terms of either the GPL or the LGPL, and not to allow others to
 30 * use your version of this file under the terms of the MPL, indicate your
 31 * decision by deleting the provisions above and replace them with the notice
 32 * and other provisions required by the GPL or the LGPL. If you do not delete
 33 * the provisions above, a recipient may use your version of this file under
 34 * the terms of any one of the MPL, the GPL or the LGPL.
 35 *
 36 * ***** END LICENSE BLOCK ***** */
 37#ifndef _PK11PUB_H_
 38#define _PK11PUB_H_
 39#include "plarena.h"
 40#include "seccomon.h"
 41#include "secoidt.h"
 42#include "secdert.h"
 43#include "keyt.h"
 44#include "certt.h"
 45#include "pkcs11t.h"
 46#include "secmodt.h"
 47#include "seccomon.h"
 48#include "pkcs7t.h"
 49#include "cmsreclist.h"
 50
 51/*
 52 * Exported PK11 wrap functions.
 53 */
 54
 55SEC_BEGIN_PROTOS
 56
 57/************************************************************
 58 * Generic Slot Lists Management
 59 ************************************************************/
 60void PK11_FreeSlotList(PK11SlotList *list);
 61SECStatus PK11_FreeSlotListElement(PK11SlotList *list, PK11SlotListElement *le);
 62PK11SlotListElement * PK11_GetFirstSafe(PK11SlotList *list);
 63PK11SlotListElement *PK11_GetNextSafe(PK11SlotList *list, 
 64				PK11SlotListElement *le, PRBool restart);
 65
 66/************************************************************
 67 * Generic Slot Management
 68 ************************************************************/
 69PK11SlotInfo *PK11_ReferenceSlot(PK11SlotInfo *slot);
 70void PK11_FreeSlot(PK11SlotInfo *slot);
 71SECStatus PK11_DestroyObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object);
 72SECStatus PK11_DestroyTokenObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object);
 73PK11SlotInfo *PK11_GetInternalKeySlot(void);
 74PK11SlotInfo *PK11_GetInternalSlot(void);
 75SECStatus PK11_Logout(PK11SlotInfo *slot);
 76void PK11_LogoutAll(void);
 77
 78
 79/************************************************************
 80 *  Slot Password Management
 81 ************************************************************/
 82void PK11_SetSlotPWValues(PK11SlotInfo *slot,int askpw, int timeout);
 83void PK11_GetSlotPWValues(PK11SlotInfo *slot,int *askpw, int *timeout);
 84SECStatus PK11_CheckSSOPassword(PK11SlotInfo *slot, char *ssopw);
 85SECStatus PK11_CheckUserPassword(PK11SlotInfo *slot, const char *pw);
 86PRBool PK11_IsLoggedIn(PK11SlotInfo *slot, void *wincx);
 87SECStatus PK11_InitPin(PK11SlotInfo *slot,const char *ssopw,
 88                       const char *pk11_userpwd);
 89SECStatus PK11_ChangePW(PK11SlotInfo *slot, const char *oldpw,
 90                        const char *newpw);
 91void PK11_SetPasswordFunc(PK11PasswordFunc func);
 92int PK11_GetMinimumPwdLength(PK11SlotInfo *slot);
 93SECStatus PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd);
 94SECStatus PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx);
 95SECStatus PK11_TokenRefresh(PK11SlotInfo *slot);
 96
 97
 98/******************************************************************
 99 *           Slot info functions
100 ******************************************************************/
101PK11SlotInfo *PK11_FindSlotByName(const char *name);
102/******************************************************************
103 * PK11_FindSlotsByNames searches for a PK11SlotInfo using one or
104 * more criteria : dllName, slotName and tokenName . In addition, if
105 * presentOnly is set , only slots with a token inserted will be
106 * returned.
107 ******************************************************************/
108PK11SlotList *PK11_FindSlotsByNames(const char *dllName,
109        const char* slotName, const char* tokenName, PRBool presentOnly);
110PRBool PK11_IsReadOnly(PK11SlotInfo *slot);
111PRBool PK11_IsInternal(PK11SlotInfo *slot);
112char * PK11_GetTokenName(PK11SlotInfo *slot);
113char * PK11_GetSlotName(PK11SlotInfo *slot);
114PRBool PK11_NeedLogin(PK11SlotInfo *slot);
115PRBool PK11_IsFriendly(PK11SlotInfo *slot);
116PRBool PK11_IsHW(PK11SlotInfo *slot);
117PRBool PK11_IsRemovable(PK11SlotInfo *slot);
118PRBool PK11_NeedUserInit(PK11SlotInfo *slot);
119PRBool PK11_ProtectedAuthenticationPath(PK11SlotInfo *slot);
120int PK11_GetSlotSeries(PK11SlotInfo *slot);
121int PK11_GetCurrentWrapIndex(PK11SlotInfo *slot);
122unsigned long PK11_GetDefaultFlags(PK11SlotInfo *slot);
123CK_SLOT_ID PK11_GetSlotID(PK11SlotInfo *slot);
124SECMODModuleID PK11_GetModuleID(PK11SlotInfo *slot);
125SECStatus PK11_GetSlotInfo(PK11SlotInfo *slot, CK_SLOT_INFO *info);
126SECStatus PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info);
127PRBool PK11_IsDisabled(PK11SlotInfo *slot);
128PRBool PK11_HasRootCerts(PK11SlotInfo *slot);
129PK11DisableReasons PK11_GetDisabledReason(PK11SlotInfo *slot);
130/* Prevents the slot from being used, and set disable reason to user-disable */
131/* NOTE: Mechanisms that were ON continue to stay ON */
132/*       Therefore, when the slot is enabled, it will remember */
133/*       what mechanisms needs to be turned on */
134PRBool PK11_UserDisableSlot(PK11SlotInfo *slot);
135/* Allow all mechanisms that are ON before UserDisableSlot() */
136/* was called to be available again */
137PRBool PK11_UserEnableSlot(PK11SlotInfo *slot);
138/*
139 * wait for a specific slot event.
140 * event is a specific event to wait for. Currently only 
141 *    PK11TokenChangeOrRemovalEvent and PK11TokenPresentEvents are defined.
142 * timeout can be an interval time to wait, PR_INTERVAL_NO_WAIT (meaning only
143 * poll once), or PR_INTERVAL_NO_TIMEOUT (meaning block until a change).
144 * pollInterval is a suggested pulling interval value. '0' means use the 
145 *  default. Future implementations that don't poll may ignore this value.
146 * series is the current series for the last slot. This should be the series 
147 *  value for the slot the last time you read persistant information from the
148 *  slot. For instance, if you publish a cert from the slot, you should obtain
149 *  the slot series at that time. Then PK11_WaitForTokenEvent can detect a 
150 *  a change in the slot between the time you publish and the time 
151 *  PK11_WaitForTokenEvent is called, elliminating potential race conditions.
152 *
153 * The current status that is returned is:
154 *   PK11TokenNotRemovable - always returned for any non-removable token.
155 *   PK11TokenPresent - returned when the token is present and we are waiting
156 *     on a PK11TokenPresentEvent. Then next event to look for is a 
157 *     PK11TokenChangeOrRemovalEvent.
158 *   PK11TokenChanged - returned when the old token has been removed and a new
159 *     token ad been inserted, and we are waiting for a 
160 *     PK11TokenChangeOrRemovalEvent. The next event to look for is another
161 *     PK11TokenChangeOrRemovalEvent.
162 *   PK11TokenRemoved - returned when the token is not present and we are 
163 *     waiting for a PK11TokenChangeOrRemovalEvent. The next event to look for 
164 *     is a PK11TokenPresentEvent.
165 */
166PK11TokenStatus PK11_WaitForTokenEvent(PK11SlotInfo *slot, PK11TokenEvent event,
167	PRIntervalTime timeout, PRIntervalTime pollInterval, int series);
168
169PRBool PK11_NeedPWInit(void);
170PRBool PK11_TokenExists(CK_MECHANISM_TYPE);
171SECStatus PK11_GetModInfo(SECMODModule *mod, CK_INFO *info);
172PRBool PK11_IsFIPS(void);
173SECMODModule *PK11_GetModule(PK11SlotInfo *slot);
174
175/*********************************************************************
176 *            Slot mapping utility functions.
177 *********************************************************************/
178PRBool PK11_IsPresent(PK11SlotInfo *slot);
179PRBool PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
180PK11SlotList * PK11_GetAllTokens(CK_MECHANISM_TYPE type,PRBool needRW,
181					PRBool loadCerts, void *wincx);
182PK11SlotInfo *PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, int count,
183							void *wincx);
184PK11SlotInfo *PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx);
185CK_MECHANISM_TYPE PK11_GetBestWrapMechanism(PK11SlotInfo *slot);
186int PK11_GetBestKeyLength(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
187
188/*
189 * Open a new database using the softoken. The caller is responsible for making
190 * sure the module spec is correct and usable. The caller should ask for one
191 * new database per call if the caller wants to get meaningful information
192 * about the new database.
193 *
194 * moduleSpec is the same data that you would pass to softoken at
195 * initialization time under the 'tokens' options. For example, if you were
196 * to specify tokens=<0x4=[configdir='./mybackup' tokenDescription='Backup']>
197 * You would specify "configdir='./mybackup' tokenDescription='Backup'" as your
198 * module spec here. The slot ID will be calculated for you by
199 * SECMOD_OpenUserDB().
200 *
201 * Typical parameters here are configdir, tokenDescription and flags.
202 *
203 * a Full list is below:
204 *
205 *
206 *  configDir - The location of the databases for this token. If configDir is
207 *         not specified, and noCertDB and noKeyDB is not specified, the load
208 *         will fail.
209 *   certPrefix - Cert prefix for this token.
210 *   keyPrefix - Prefix for the key database for this token. (if not specified,
211 *         certPrefix will be used).
212 *   tokenDescription - The label value for this token returned in the
213 *         CK_TOKEN_INFO structure with an internationalize string (UTF8).
214 *         This value will be truncated at 32 bytes (no NULL, partial UTF8
215 *         characters dropped). You should specify a user friendly name here
216 *         as this is the value the token will be refered to in most
217 *         application UI's. You should make sure tokenDescription is unique.
218 *   slotDescription - The slotDescription value for this token returned
219 *         in the CK_SLOT_INFO structure with an internationalize string
220 *         (UTF8). This value will be truncated at 64 bytes (no NULL, partial
221 *         UTF8 characters dropped). This name will not change after the
222 *         database is closed. It should have some number to make this unique.
223 *   minPWLen - minimum password length for this token.
224 *   flags - comma separated list of flag values, parsed case-insensitive.
225 *         Valid flags are:
226 *              readOnly - Databases should be opened read only.
227 *              noCertDB - Don't try to open a certificate database.
228 *              noKeyDB - Don't try to open a key database.
229 *              forceOpen - Don't fail to initialize the token if the
230 *                databases could not be opened.
231 *              passwordRequired - zero length passwords are not acceptable
232 *                (valid only if there is a keyDB).
233 *              optimizeSpace - allocate smaller hash tables and lock tables.
234 *                When this flag is not specified, Softoken will allocate
235 *                large tables to prevent lock contention.
236 */
237PK11SlotInfo *SECMOD_OpenUserDB(const char *moduleSpec);
238SECStatus SECMOD_CloseUserDB(PK11SlotInfo *slot);
239
240/*
241 * merge the permanent objects from on token to another 
242 */
243SECStatus PK11_MergeTokens(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot,
244                PK11MergeLog *log, void *targetPwArg, void *sourcePwArg);
245
246/*
247 * create and destroy merge logs needed by PK11_MergeTokens
248 */
249PK11MergeLog * PK11_CreateMergeLog();
250void PK11_DestroyMergeLog(PK11MergeLog *log);
251
252
253
254/*********************************************************************
255 *       Mechanism Mapping functions
256 *********************************************************************/
257CK_MECHANISM_TYPE PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len);
258CK_MECHANISM_TYPE PK11_GetKeyGen(CK_MECHANISM_TYPE type);
259int PK11_GetBlockSize(CK_MECHANISM_TYPE type,SECItem *params);
260int PK11_GetIVLength(CK_MECHANISM_TYPE type);
261SECItem *PK11_ParamFromIV(CK_MECHANISM_TYPE type,SECItem *iv);
262unsigned char *PK11_IVFromParam(CK_MECHANISM_TYPE type,SECItem *param,int *len);
263SECItem * PK11_BlockData(SECItem *data,unsigned long size);
264
265/* PKCS #11 to DER mapping functions */
266SECItem *PK11_ParamFromAlgid(SECAlgorithmID *algid);
267SECItem *PK11_GenerateNewParam(CK_MECHANISM_TYPE, PK11SymKey *);
268CK_MECHANISM_TYPE PK11_AlgtagToMechanism(SECOidTag algTag);
269SECOidTag PK11_MechanismToAlgtag(CK_MECHANISM_TYPE type);
270SECOidTag PK11_FortezzaMapSig(SECOidTag algTag);
271SECStatus PK11_ParamToAlgid(SECOidTag algtag, SECItem *param,
272                                   PRArenaPool *arena, SECAlgorithmID *algid);
273SECStatus PK11_SeedRandom(PK11SlotInfo *,unsigned char *data,int len);
274SECStatus PK11_GenerateRandomOnSlot(PK11SlotInfo *,unsigned char *data,int len);
275SECStatus PK11_RandomUpdate(void *data, size_t bytes);
276SECStatus PK11_GenerateRandom(unsigned char *data,int len);
277
278/* warning: cannot work with pkcs 5 v2
279 * use algorithm ID s instead of pkcs #11 mechanism pointers */
280CK_RV PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism,
281					    CK_MECHANISM_PTR pCryptoMechanism,
282					    SECItem *pbe_pwd, PRBool bad3DES);
283CK_MECHANISM_TYPE PK11_GetPadMechanism(CK_MECHANISM_TYPE);
284CK_MECHANISM_TYPE PK11_MapSignKeyType(KeyType keyType);
285
286/**********************************************************************
287 *                   Symetric, Public, and Private Keys 
288 **********************************************************************/
289void PK11_FreeSymKey(PK11SymKey *key);
290PK11SymKey *PK11_ReferenceSymKey(PK11SymKey *symKey);
291PK11SymKey *PK11_ImportSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
292    PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, void *wincx);
293PK11SymKey *PK11_ImportSymKeyWithFlags(PK11SlotInfo *slot, 
294    CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation, 
295    SECItem *key, CK_FLAGS flags, PRBool isPerm, void *wincx);
296PK11SymKey *PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent,
297    PK11Origin origin, CK_MECHANISM_TYPE type, CK_OBJECT_HANDLE keyID, 
298    PRBool owner, void *wincx);
299PK11SymKey *PK11_GetWrapKey(PK11SlotInfo *slot, int wrap,
300			      CK_MECHANISM_TYPE type,int series, void *wincx);
301/*
302 * This function is not thread-safe.  It can only be called when only
303 * one thread has a reference to wrapKey.
304 */
305void PK11_SetWrapKey(PK11SlotInfo *slot, int wrap, PK11SymKey *wrapKey);
306CK_MECHANISM_TYPE PK11_GetMechanism(PK11SymKey *symKey);
307/*
308 * import a public key into the desired slot
309 *  
310 * This function takes a public key structure and creates a public key in a 
311 * given slot. If isToken is set, then a persistant public key is created.
312 *
313 * Note: it is possible for this function to return a handle for a key which
314 * is persistant, even if isToken is not set.
315 */
316CK_OBJECT_HANDLE PK11_ImportPublicKey(PK11SlotInfo *slot, 
317				SECKEYPublicKey *pubKey, PRBool isToken);
318PK11SymKey *PK11_KeyGen(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
319				SECItem *param,	int keySize,void *wincx);
320PK11SymKey *PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
321				SECItem *param, int keySize, SECItem *keyid,
322				PRBool isToken, void *wincx);
323PK11SymKey *PK11_TokenKeyGenWithFlags(PK11SlotInfo *slot,
324				CK_MECHANISM_TYPE type, SECItem *param,
325				int keySize, SECItem *keyid, CK_FLAGS opFlags,
326				PK11AttrFlags attrFlags, void *wincx);
327PK11SymKey * PK11_ListFixedKeysInSlot(PK11SlotInfo *slot, char *nickname,
328								void *wincx);
329PK11SymKey *PK11_GetNextSymKey(PK11SymKey *symKey);
330CK_KEY_TYPE PK11_GetSymKeyType(PK11SymKey *key);
331
332/*
333 * PK11_SetSymKeyUserData
334 *   sets generic user data on keys (usually a pointer to a data structure)
335 * that can later be retrieved by PK11_GetSymKeyUserData().
336 *    symKey - key where data will be set.
337 *    data - data to be set.
338 *    freefunc - function used to free the data.
339 * Setting user data on symKeys with existing user data already set will cause 
340 * the existing user data to be freed before the new user data is set.
341 * Freeing user data is done by calling the user specified freefunc. 
342 * If freefunc is NULL, the user data is assumed to be global or static an 
343 * not freed. Passing NULL for user data to PK11_SetSymKeyUserData has the 
344 * effect of freeing any existing user data, and clearing the user data 
345 * pointer. If user data exists when the symKey is finally freed, that 
346 * data will be freed with freefunc.
347 *
348 * Applications should only use this function on keys which the application
349 * has created directly, as there is only one user data value per key.
350 */
351void PK11_SetSymKeyUserData(PK11SymKey *symKey, void *data, 
352                                 PK11FreeDataFunc freefunc);
353/* PK11_GetSymKeyUserData 
354 *   retrieves generic user data which was set on a key by 
355 * PK11_SetSymKeyUserData.
356 *    symKey - key with data to be fetched
357 *
358 * If no data exists, or the data has been cleared, PK11_GetSymKeyUserData
359 * will return NULL. Returned data is still owned and managed by the SymKey,
360 * the caller should not free the data.
361 *
362 */
363void *PK11_GetSymKeyUserData(PK11SymKey *symKey);
364
365SECStatus PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
366				PK11SymKey *symKey, SECItem *wrappedKey);
367SECStatus PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *params,
368	 PK11SymKey *wrappingKey, PK11SymKey *symKey, SECItem *wrappedKey);
369/* move a key to 'slot' optionally set the key attributes according to either
370 * operation or the  flags and making the key permanent at the same time.
371 * If the key is moved to the same slot, operation and flags values are 
372 * currently ignored */
373PK11SymKey *PK11_MoveSymKey(PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation, 
374			CK_FLAGS flags, PRBool  perm, PK11SymKey *symKey);
375/*
376 * derive a new key from the base key.
377 *  PK11_Derive returns a key which can do exactly one operation, and is
378 * ephemeral (session key).
379 *  PK11_DeriveWithFlags is the same as PK11_Derive, except you can use
380 * CKF_ flags to enable more than one operation.
381 *  PK11_DeriveWithFlagsPerm is the same as PK11_DeriveWithFlags except you can
382 *  (optionally) make the key permanent (token key).
383 */
384PK11SymKey *PK11_Derive(PK11SymKey *baseKey, CK_MECHANISM_TYPE mechanism,
385   			SECItem *param, CK_MECHANISM_TYPE target, 
386		        CK_ATTRIBUTE_TYPE operation, int keySize);
387PK11SymKey *PK11_DeriveWithFlags( PK11SymKey *baseKey, 
388	CK_MECHANISM_TYPE derive, SECItem *param, CK_MECHANISM_TYPE target, 
389	CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags);
390PK11SymKey * PK11_DeriveWithFlagsPerm( PK11SymKey *baseKey, 
391	CK_MECHANISM_TYPE derive, 
392	SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
393	int keySize, CK_FLAGS flags, PRBool isPerm);
394
395PK11SymKey *PK11_PubDerive( SECKEYPrivateKey *privKey, 
396 SECKEYPublicKey *pubKey, PRBool isSender, SECItem *randomA, SECItem *randomB,
397 CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
398		 CK_ATTRIBUTE_TYPE operation, int keySize,void *wincx) ;
399PK11SymKey *PK11_PubDeriveWithKDF( SECKEYPrivateKey *privKey, 
400 SECKEYPublicKey *pubKey, PRBool isSender, SECItem *randomA, SECItem *randomB,
401 CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
402		 CK_ATTRIBUTE_TYPE operation, int keySize,
403		 CK_ULONG kdf, SECItem *sharedData, void *wincx);
404
405/*
406 * unwrap a new key with a symetric key.
407 *  PK11_Unwrap returns a key which can do exactly one operation, and is
408 * ephemeral (session key).
409 *  PK11_UnwrapWithFlags is the same as PK11_Unwrap, except you can use
410 * CKF_ flags to enable more than one operation.
411 *  PK11_UnwrapWithFlagsPerm is the same as PK11_UnwrapWithFlags except you can
412 *  (optionally) make the key permanent (token key).
413 */
414PK11SymKey *PK11_UnwrapSymKey(PK11SymKey *key, 
415	CK_MECHANISM_TYPE wraptype, SECItem *param, SECItem *wrapppedKey,  
416	CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
417PK11SymKey *PK11_UnwrapSymKeyWithFlags(PK11SymKey *wrappingKey, 
418	CK_MECHANISM_TYPE wrapType, SECItem *param, SECItem *wrappedKey, 
419	CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize, 
420	CK_FLAGS flags);
421PK11SymKey * PK11_UnwrapSymKeyWithFlagsPerm(PK11SymKey *wrappingKey, 
422	CK_MECHANISM_TYPE wrapType,
423        SECItem *param, SECItem *wrappedKey, 
424	CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
425	 int keySize, CK_FLAGS flags, PRBool isPerm);
426
427/*
428 * unwrap a new key with a private key.
429 *  PK11_PubUnwrap returns a key which can do exactly one operation, and is
430 * ephemeral (session key).
431 *  PK11_PubUnwrapWithFlagsPerm is the same as PK11_PubUnwrap except you can 
432 * use * CKF_ flags to enable more than one operation, and optionally make 
433 * the key permanent (token key).
434 */
435PK11SymKey *PK11_PubUnwrapSymKey(SECKEYPrivateKey *key, SECItem *wrapppedKey,
436	 CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
437PK11SymKey * PK11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey, 
438	  SECItem *wrappedKey, CK_MECHANISM_TYPE target, 
439	  CK_ATTRIBUTE_TYPE operation, int keySize,
440	  CK_FLAGS flags, PRBool isPerm);
441PK11SymKey *PK11_FindFixedKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, 
442						SECItem *keyID, void *wincx);
443SECStatus PK11_DeleteTokenPrivateKey(SECKEYPrivateKey *privKey,PRBool force);
444SECStatus PK11_DeleteTokenPublicKey(SECKEYPublicKey *pubKey);
445SECStatus PK11_DeleteTokenSymKey(PK11SymKey *symKey);
446SECStatus PK11_DeleteTokenCertAndKey(CERTCertificate *cert,void *wincx);
447SECKEYPrivateKey * PK11_LoadPrivKey(PK11SlotInfo *slot,
448		SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, 
449					PRBool token, PRBool sensitive);
450char * PK11_GetSymKeyNickname(PK11SymKey *symKey);
451char * PK11_GetPrivateKeyNickname(SECKEYPrivateKey *privKey);
452char * PK11_GetPublicKeyNickname(SECKEYPublicKey *pubKey);
453SECStatus PK11_SetSymKeyNickname(PK11SymKey *symKey, const char *nickname);
454SECStatus PK11_SetPrivateKeyNickname(SECKEYPrivateKey *privKey, 
455							const char *nickname);
456SECStatus PK11_SetPublicKeyNickname(SECKEYPublicKey *pubKey, 
457							const char *nickname);
458
459/* size to hold key in bytes */
460unsigned int PK11_GetKeyLength(PK11SymKey *key);
461/* size of actual secret parts of key in bits */
462/* algid is because RC4 strength is determined by the effective bits as well
463 * as the key bits */
464unsigned int PK11_GetKeyStrength(PK11SymKey *key,SECAlgorithmID *algid);
465SECStatus PK11_ExtractKeyValue(PK11SymKey *symKey);
466SECItem * PK11_GetKeyData(PK11SymKey *symKey);
467PK11SlotInfo * PK11_GetSlotFromKey(PK11SymKey *symKey);
468void *PK11_GetWindow(PK11SymKey *symKey);
469
470/*
471 * Explicitly set the key usage for the generated private key.
472 *
473 * This allows us to specify single use EC and RSA keys whose usage
474 * can be regulated by the underlying token.
475 *
476 * The underlying key usage is set using opFlags. opFlagsMask specifies
477 * which operations are specified by opFlags. For instance to turn encrypt
478 * on and signing off, opFlags would be CKF_ENCRYPT|CKF_DECRYPT and 
479 * opFlagsMask would be CKF_ENCRYPT|CKF_DECRYPT|CKF_SIGN|CKF_VERIFY. You
480 * need to specify both the public and private key flags, 
481 * PK11_GenerateKeyPairWithOpFlags will sort out the correct flag to the 
482 * correct key type. Flags not specified in opFlagMask will be defaulted 
483 * according to mechanism type and token capabilities.
484 */
485SECKEYPrivateKey *PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot,
486   CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
487   PK11AttrFlags attrFlags, CK_FLAGS opFlags, CK_FLAGS opFlagsMask,
488    void *wincx);
489/*
490 * The attrFlags is the logical OR of the PK11_ATTR_XXX bitflags.
491 * These flags apply to the private key.  The PK11_ATTR_TOKEN,
492 * PK11_ATTR_SESSION, PK11_ATTR_MODIFIABLE, and PK11_ATTR_UNMODIFIABLE
493 * flags also apply to the public key.
494 */
495SECKEYPrivateKey *PK11_GenerateKeyPairWithFlags(PK11SlotInfo *slot,
496   CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
497		 	    PK11AttrFlags attrFlags, void *wincx);
498SECKEYPrivateKey *PK11_GenerateKeyPair(PK11SlotInfo *slot,
499   CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
500		 	    PRBool isPerm, PRBool isSensitive, void *wincx);
501SECKEYPrivateKey * PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot,
502				 	CERTCertificate *cert, void *wincx);
503SECKEYPrivateKey * PK11_FindKeyByAnyCert(CERTCertificate *cert, void *wincx);
504SECKEYPrivateKey * PK11_FindKeyByKeyID(PK11SlotInfo *slot, SECItem *keyID,
505				       void *wincx);
506int PK11_GetPrivateModulusLen(SECKEYPrivateKey *key); 
507
508/* note: despite the name, this function takes a private key. */
509SECStatus PK11_PubDecryptRaw(SECKEYPrivateKey *key, unsigned char *data,
510   unsigned *outLen, unsigned int maxLen, unsigned char *enc, unsigned encLen);
511#define PK11_PrivDecryptRaw PK11_PubDecryptRaw
512/* The encrypt function that complements the above decrypt function. */
513SECStatus PK11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc,
514                unsigned char *data, unsigned dataLen, void *wincx);
515
516SECStatus PK11_PrivDecryptPKCS1(SECKEYPrivateKey *key, unsigned char *data,
517   unsigned *outLen, unsigned int maxLen, unsigned char *enc, unsigned encLen);
518/* The encrypt function that complements the above decrypt function. */
519SECStatus PK11_PubEncryptPKCS1(SECKEYPublicKey *key, unsigned char *enc,
520                unsigned char *data, unsigned dataLen, void *wincx);
521
522SECStatus PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot, 
523		SECKEYPrivateKeyInfo *pki, SECItem *nickname,
524		SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
525		unsigned int usage, void *wincx);
526SECStatus PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, 
527		SECKEYPrivateKeyInfo *pki, SECItem *nickname,
528		SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
529		unsigned int usage, SECKEYPrivateKey** privk, void *wincx);
530SECStatus PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot, 
531		SECItem *derPKI, SECItem *nickname,
532		SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
533		unsigned int usage, void *wincx);
534SECStatus PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, 
535		SECItem *derPKI, SECItem *nickname,
536		SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
537		unsigned int usage, SECKEYPrivateKey** privk, void *wincx);
538SECStatus PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot, 
539		SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem, 
540		SECItem *nickname, SECItem *publicValue, PRBool isPerm,
541		PRBool isPrivate, KeyType type, 
542		unsigned int usage, void *wincx);
543SECKEYPrivateKeyInfo *PK11_ExportPrivateKeyInfo(
544		CERTCertificate *cert, void *wincx);
545SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivKeyInfo(
546		PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem,
547		SECKEYPrivateKey *pk, int iteration, void *wincx);
548SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivateKeyInfo(
549		PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem,
550		CERTCertificate *cert, int iteration, void *wincx);
551SECKEYPrivateKey *PK11_FindKeyByDERCert(PK11SlotInfo *slot, 
552					CERTCertificate *cert, void *wincx);
553SECKEYPublicKey *PK11_MakeKEAPubKey(unsigned char *data, int length);
554SECStatus PK11_DigestKey(PK11Context *context, PK11SymKey *key);
555PRBool PK11_VerifyKeyOK(PK11SymKey *key);
556SECKEYPrivateKey *PK11_UnwrapPrivKey(PK11SlotInfo *slot, 
557		PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType,
558		SECItem *param, SECItem *wrappedKey, SECItem *label, 
559		SECItem *publicValue, PRBool token, PRBool sensitive,
560		CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage, int usageCount,
561		void *wincx);
562SECStatus PK11_WrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
563			   SECKEYPrivateKey *privKey, CK_MECHANISM_TYPE wrapType,
564			   SECItem *param, SECItem *wrappedKey, void *wincx);
565SECItem* PK11_DEREncodePublicKey(SECKEYPublicKey *pubk);
566PK11SymKey* PK11_CopySymKeyForSigning(PK11SymKey *originalKey,
567	CK_MECHANISM_TYPE mech);
568SECKEYPrivateKeyList* PK11_ListPrivKeysInSlot(PK11SlotInfo *slot,
569						 char *nickname, void *wincx);
570SECKEYPublicKeyList* PK11_ListPublicKeysInSlot(PK11SlotInfo *slot,
571							char *nickname);
572SECKEYPQGParams *PK11_GetPQGParamsFromPrivateKey(SECKEYPrivateKey *privKey);
573/* depricated */
574SECKEYPrivateKeyList* PK11_ListPrivateKeysInSlot(PK11SlotInfo *slot);
575
576PK11SymKey *PK11_ConvertSessionSymKeyToTokenSymKey(PK11SymKey *symk,
577	void *wincx);
578SECKEYPrivateKey *PK11_ConvertSessionPrivKeyToTokenPrivKey(
579	SECKEYPrivateKey *privk, void* wincx);
580SECKEYPrivateKey * PK11_CopyTokenPrivKeyToSessionPrivKey(PK11SlotInfo *destSlot,
581				      SECKEYPrivateKey *privKey);
582
583/**********************************************************************
584 *                   Certs
585 **********************************************************************/
586SECItem *PK11_MakeIDFromPubKey(SECItem *pubKeyData);
587SECStatus PK11_TraverseSlotCerts(
588     SECStatus(* callback)(CERTCertificate*,SECItem *,void *),
589                                                void *arg, void *wincx);
590CERTCertificate * PK11_FindCertFromNickname(const char *nickname, void *wincx);
591CERTCertList * PK11_FindCertsFromNickname(const char *nickname, void *wincx);
592CERTCertificate *PK11_GetCertFromPrivateKey(SECKEYPrivateKey *privKey);
593SECStatus PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert,
594                CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust);
595SECStatus PK11_ImportDERCert(PK11SlotInfo *slot, SECItem *derCert,
596                CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust);
597PK11SlotInfo *PK11_ImportCertForKey(CERTCertificate *cert, char *nickname,
598								void *wincx);
599PK11SlotInfo *PK11_ImportDERCertForKey(SECItem *derCert, char *nickname,
600								void *wincx);
601PK11SlotInfo *PK11_KeyForCertExists(CERTCertificate *cert,
602					CK_OBJECT_HANDLE *keyPtr, void *wincx);
603PK11SlotInfo *PK11_KeyForDERCertExists(SECItem *derCert,
604					CK_OBJECT_HANDLE *keyPtr, void *wincx);
605CERTCertificate * PK11_FindCertByIssuerAndSN(PK11SlotInfo **slot,
606					CERTIssuerAndSN *sn, void *wincx);
607CERTCertificate * PK11_FindCertAndKeyByRecipientList(PK11SlotInfo **slot,
608	SEC_PKCS7RecipientInfo **array, SEC_PKCS7RecipientInfo **rip,
609				SECKEYPrivateKey**privKey, void *wincx);
610int PK11_FindCertAndKeyByRecipientListNew(NSSCMSRecipient **recipientlist,
611				void *wincx);
612SECStatus PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert,
613	PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *),
614	void *arg);
615CERTCertificate *PK11_FindCertFromDERCert(PK11SlotInfo *slot, 
616					  CERTCertificate *cert, void *wincx);
617SECStatus PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert,
618					char *nickname, PRBool addUsage,
619					void *wincx);
620CERTCertificate *PK11_FindBestKEAMatch(CERTCertificate *serverCert,void *wincx);
621PRBool PK11_FortezzaHasKEA(CERTCertificate *cert);
622CK_OBJECT_HANDLE PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert,
623				     void *wincx);
624SECStatus PK11_TraverseCertsForNicknameInSlot(SECItem *nickname,
625	PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *),
626	void *arg);
627CERTCertList * PK11_ListCerts(PK11CertListType type, void *pwarg);
628CERTCertList * PK11_ListCertsInSlot(PK11SlotInfo *slot);
629CERTSignedCrl* PK11_ImportCRL(PK11SlotInfo * slot, SECItem *derCRL, char *url,
630    int type, void *wincx, PRInt32 importOptions, PRArenaPool* arena, PRInt32 decodeOptions);
631
632/**********************************************************************
633 *                   Sign/Verify 
634 **********************************************************************/
635
636/*
637 * Return the length in bytes of a signature generated with the
638 * private key.
639 *
640 * Return 0 or -1 on failure.  (XXX Should we fix it to always return
641 * -1 on failure?)
642 */
643int PK11_SignatureLen(SECKEYPrivateKey *key);
644PK11SlotInfo * PK11_GetSlotFromPrivateKey(SECKEYPrivateKey *key);
645SECStatus PK11_Sign(SECKEYPrivateKey *key, SECItem *sig, SECItem *hash);
646SECStatus PK11_VerifyRecover(SECKEYPublicKey *key, SECItem *sig,
647						 SECItem *dsig, void * wincx);
648SECStatus PK11_Verify(SECKEYPublicKey *key, SECItem *sig, 
649						SECItem *hash, void *wincx);
650
651
652
653/**********************************************************************
654 *                   Crypto Contexts
655 **********************************************************************/
656void PK11_DestroyContext(PK11Context *context, PRBool freeit);
657PK11Context *PK11_CreateContextBySymKey(CK_MECHANISM_TYPE type,
658	CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey, SECItem *param);
659PK11Context *PK11_CreateDigestContext(SECOidTag hashAlg);
660PK11Context *PK11_CloneContext(PK11Context *old);
661SECStatus PK11_DigestBegin(PK11Context *cx);
662/*
663 * The output buffer 'out' must be big enough to hold the output of
664 * the hash algorithm 'hashAlg'.
665 */
666SECStatus PK11_HashBuf(SECOidTag hashAlg, unsigned char *out, unsigned char *in,
667					PRInt32 len);
668SECStatus PK11_DigestOp(PK11Context *context, const unsigned char *in, 
669                        unsigned len);
670SECStatus PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen, 
671				int maxout, unsigned char *in, int inlen);
672SECStatus PK11_Finalize(PK11Context *context);
673SECStatus PK11_DigestFinal(PK11Context *context, unsigned char *data, 
674				unsigned int *outLen, unsigned int length);
675SECStatus PK11_SaveContext(PK11Context *cx,unsigned char *save,
676						int *len, int saveLength);
677
678/* Save the context's state, with possible allocation.
679 * The caller may supply an already allocated buffer in preAllocBuf,
680 * with length pabLen.  If the buffer is large enough for the context's
681 * state, it will receive the state.
682 * If the buffer is not large enough (or NULL), then a new buffer will
683 * be allocated with PORT_Alloc.
684 * In either case, the state will be returned as a buffer, and the length
685 * of the state will be given in *stateLen.
686 */
687unsigned char *
688PK11_SaveContextAlloc(PK11Context *cx,
689                      unsigned char *preAllocBuf, unsigned int pabLen,
690                      unsigned int *stateLen);
691
692SECStatus PK11_RestoreContext(PK11Context *cx,unsigned char *save,int len);
693SECStatus PK11_GenerateFortezzaIV(PK11SymKey *symKey,unsigned char *iv,int len);
694void PK11_SetFortezzaHack(PK11SymKey *symKey) ;
695
696
697/**********************************************************************
698 *                   PBE functions 
699 **********************************************************************/
700
701/* This function creates PBE parameters from the given inputs.  The result
702 * can be used to create a password integrity key for PKCS#12, by sending
703 * the return value to PK11_KeyGen along with the appropriate mechanism.
704 */
705SECItem * 
706PK11_CreatePBEParams(SECItem *salt, SECItem *pwd, unsigned int iterations);
707
708/* free params created above (can be called after keygen is done */
709void PK11_DestroyPBEParams(SECItem *params);
710
711SECAlgorithmID *
712PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt);
713
714/* use to create PKCS5 V2 algorithms with finder control than that provided
715 * by PK11_CreatePBEAlgorithmID. */
716SECAlgorithmID *
717PK11_CreatePBEV2AlgorithmID(SECOidTag pbeAlgTag, SECOidTag cipherAlgTag,
718                            SECOidTag prfAlgTag, int keyLength, int iteration,
719                            SECItem *salt);
720PK11SymKey *
721PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid,  SECItem *pwitem,
722	       PRBool faulty3DES, void *wincx);
723
724/* warning: cannot work with PKCS 5 v2 use PK11_PBEKeyGen instead */
725PK11SymKey *
726PK11_RawPBEKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *params,
727		SECItem *pwitem, PRBool faulty3DES, void *wincx);
728SECItem *
729PK11_GetPBEIV(SECAlgorithmID *algid, SECItem *pwitem);
730/*
731 * Get the Mechanism and parameter of the base encryption or mac scheme from
732 * a PBE algorithm ID.
733 *  Caller is responsible for freeing the return parameter (param).
734 */
735CK_MECHANISM_TYPE
736PK11_GetPBECryptoMechanism(SECAlgorithmID *algid, 
737			   SECItem **param, SECItem *pwd);
738
739/**********************************************************************
740 * Functions to manage secmod flags
741 **********************************************************************/
742PK11DefaultArrayEntry * PK11_GetDefaultArray(int *);
743SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *, PK11DefaultArrayEntry *,
744							PRBool );
745
746/**********************************************************************
747 * Functions to look at PKCS #11 dependent data
748 **********************************************************************/
749PK11GenericObject *PK11_FindGenericObjects(PK11SlotInfo *slot, 
750						CK_OBJECT_CLASS objClass);
751PK11GenericObject *PK11_GetNextGenericObject(PK11GenericObject *object);
752PK11GenericObject *PK11_GetPrevGenericObject(PK11GenericObject *object);
753SECStatus PK11_UnlinkGenericObject(PK11GenericObject *object);
754SECStatus PK11_LinkGenericObject(PK11GenericObject *list,
755				 PK11GenericObject *object);
756SECStatus PK11_DestroyGenericObjects(PK11GenericObject *object);
757SECStatus PK11_DestroyGenericObject(PK11GenericObject *object);
758PK11GenericObject *PK11_CreateGenericObject(PK11SlotInfo *slot, 
759				   const CK_ATTRIBUTE *pTemplate, 
760				   int count, PRBool token);
761
762/*
763 * PK11_ReadRawAttribute and PK11_WriteRawAttribute are generic
764 * functions to read and modify the actual PKCS #11 attributes of
765 * the underlying pkcs #11 object.
766 * 
767 * object is a pointer to an NSS object that represents the underlying
768 *  PKCS #11 object. It's type must match the type of PK11ObjectType
769 *  as follows:
770 *
771 *     type                           object
772 *   PK11_TypeGeneric            PK11GenericObject *
773 *   PK11_TypePrivKey            SECKEYPrivateKey *
774 *   PK11_TypePubKey             SECKEYPublicKey *
775 *   PK11_TypeSymKey             PK11SymKey *
776 *
777 *  All other types are considered invalid. If type does not match the object
778 *  passed, unpredictable results will occur.
779 */
780SECStatus PK11_ReadRawAttribute(PK11ObjectType type, void *object, 
781				CK_ATTRIBUTE_TYPE attr, SECItem *item);
782SECStatus PK11_WriteRawAttribute(PK11ObjectType type, void *object, 
783				CK_ATTRIBUTE_TYPE attr, SECItem *item);
784
785
786/**********************************************************************
787 * New fucntions which are already depricated....
788 **********************************************************************/
789SECItem *
790PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot,
791					CERTCertificate *cert, void *pwarg);
792SECItem *
793PK11_GetLowLevelKeyIDForPrivateKey(SECKEYPrivateKey *key);
794
795PRBool SECMOD_HasRootCerts(void);
796
797SEC_END_PROTOS
798
799#endif