
/security/nss/lib/softoken/secmodt.h

http://github.com/zpao/v8monkey
  1/* ***** BEGIN LICENSE BLOCK *****
  2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  3 *
  4 * The contents of this file are subject to the Mozilla Public License Version
  5 * 1.1 (the "License"); you may not use this file except in compliance with
  6 * the License. You may obtain a copy of the License at
  7 * http://www.mozilla.org/MPL/
  8 *
  9 * Software distributed under the License is distributed on an "AS IS" basis,
 10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 11 * for the specific language governing rights and limitations under the
 12 * License.
 13 *
 14 * The Original Code is the Netscape security libraries.
 15 *
 16 * The Initial Developer of the Original Code is
 17 * Netscape Communications Corporation.
 18 * Portions created by the Initial Developer are Copyright (C) 1994-2000
 19 * the Initial Developer. All Rights Reserved.
 20 *
 21 * Contributor(s):
 22 *
 23 * Alternatively, the contents of this file may be used under the terms of
 24 * either the GNU General Public License Version 2 or later (the "GPL"), or
 25 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 26 * in which case the provisions of the GPL or the LGPL are applicable instead
 27 * of those above. If you wish to allow use of your version of this file only
 28 * under the terms of either the GPL or the LGPL, and not to allow others to
 29 * use your version of this file under the terms of the MPL, indicate your
 30 * decision by deleting the provisions above and replace them with the notice
 31 * and other provisions required by the GPL or the LGPL. If you do not delete
 32 * the provisions above, a recipient may use your version of this file under
 33 * the terms of any one of the MPL, the GPL or the LGPL.
 34 *
 35 * ***** END LICENSE BLOCK ***** */
 36#ifndef _SECMODT_H_
 37#define _SECMODT_H_ 1
 38
 39#include "nssrwlkt.h"
 40#include "nssilckt.h"
 41#include "secoid.h"
 42#include "secasn1.h"
 43#include "pkcs11t.h"
 44
/*
 * External ASN.1 templates and their SEC_ASN1TemplateChooser accessors.
 * Judging by the names, they cover the private key info and encrypted
 * private key info structures, each with a pointer-to variant.  They are
 * only declared here; the definitions are in another translation unit.
 *
 * Original note: find a better home for these...
 */
extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToEncryptedPrivateKeyInfoTemplate;
extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate;
extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PrivateKeyInfoTemplate;
extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToPrivateKeyInfoTemplate;
 54
/*
 * Type names for the module, slot and key objects used by this header.
 * The types marked "defined in secmodti.h" have no struct body here, so
 * code that includes only this header sees them as incomplete types.
 *
 * Original note: PKCS11 needs to be included
 */
typedef struct SECMODModuleStr SECMODModule;
typedef struct SECMODModuleListStr SECMODModuleList;
typedef NSSRWLock SECMODListLock;	/* the module list lock is a reader/writer lock */
typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */
typedef struct PK11PreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */
typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */
typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */
typedef struct PK11SlotListStr PK11SlotList;
typedef struct PK11SlotListElementStr PK11SlotListElement;
typedef struct PK11RSAGenParamsStr PK11RSAGenParams;
typedef unsigned long SECMODModuleID;	/* stored in SECMODModuleStr.moduleID */
typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry;
typedef struct PK11GenericObjectStr PK11GenericObject; /* no body in this header */
/* Callback taking one void * and returning nothing; the name suggests it
 * releases caller-supplied data -- confirm at the use sites. */
typedef void (*PK11FreeDataFunc)(void *);
 70
/*
 * Describes one PKCS #11 module: where its code comes from, its function
 * table, its slots, and the configuration flags that apply to it.
 *
 * NOTE(review): dllName names a shared library that implements the module,
 * so the configuration that supplies it decides what code runs in the
 * process.  Treat that configuration as trusted input; confirm how
 * pk11load.c resolves the name.
 */
struct SECMODModuleStr {
    PLArenaPool	*arena;		/* arena pool; presumably owns this module's
				 * allocations -- confirm */
    PRBool	internal;	/* true for internally linked modules, false
				 * for the loaded modules */
    PRBool	loaded;		/* Set to true if module has been loaded */
    PRBool	isFIPS;		/* Set to true if module is FIPS internal */
    char	*dllName;	/* name of the shared library which implements
				 * this module */
    char	*commonName;	/* name of the module to display to the user */
    void	*library;	/* pointer to the library. opaque. used only by
				 * pk11load.c */
    void	*functionList; /* The PKCS #11 function table */
    PZLock	*refLock;	/* only used by pk11db.c */
    int		refCount;	/* Module reference count */
    PK11SlotInfo **slots;	/* array of slot pointers attached to this mod */
    int		slotCount;	/* count of slots in above array */
    PK11PreSlotInfo *slotInfo;	/* special info about slots default settings */
    int		slotInfoCount;  /* count of slotInfo entries (presumably) */
    SECMODModuleID moduleID;	/* ID so we can find this module again */
    PRBool	isThreadSafe;	/* undocumented in the original; presumably
				 * whether the module may be called from
				 * several threads at once -- confirm */
    unsigned long ssl[2];	/* SSL cipher enable flags */
    char	*libraryParams;  /* Module specific parameters */
    void *moduleDBFunc; /* function to return module configuration data */
    SECMODModule *parent;	/* module that loaded us */
    PRBool	isCritical;	/* This module must load successfully */
    PRBool	isModuleDB;	/* this module has lists of PKCS #11 modules */
    PRBool	moduleDBOnly;	/* this module only has lists of PKCS #11 modules */
    int		trustOrder;	/* order for this module's certificate trust rollup */
    int		cipherOrder;	/* order for cipher operations */
    unsigned long evControlMask; /* control the running and shutdown of slot
				  * events (SECMOD_WaitForAnyTokenEvent);
				  * holds the SECMOD_END_WAIT / SECMOD_WAIT_*
				  * bits */
    CK_VERSION  cryptokiVersion; /* version of this library */
};
104
/* evControlMask flags */
/*
 * These bits tell the current state of a SECMOD_WaitForAnyTokenEvent.
 * They are stored in SECMODModuleStr.evControlMask.
 *
 * SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in
 *  C_WaitForSlotEvent().
 * SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code
 *  which polls for token insertion and removal events.
 * SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is
 *  waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent
 *  should return immediately to its caller.
 */
#define SECMOD_END_WAIT 	    0x01
#define SECMOD_WAIT_SIMULATED_EVENT 0x02
#define SECMOD_WAIT_PKCS11_EVENT    0x04
120
/* One node of a singly linked list of modules. */
struct SECMODModuleListStr {
    SECMODModuleList	*next;		/* next node in the list */
    SECMODModule	*module;	/* module referenced by this node */
};
125
/* Head and tail of a list of PK11SlotListElement nodes, with a lock pointer. */
struct PK11SlotListStr {
    PK11SlotListElement *head;	/* first element */
    PK11SlotListElement *tail;	/* last element */
    PZLock *lock;		/* presumably guards the list -- confirm */
};
131
/* One node of a slot list; linked in both directions and reference counted. */
struct PK11SlotListElementStr {
    PK11SlotListElement *next;	/* following element */
    PK11SlotListElement *prev;	/* preceding element */
    PK11SlotInfo *slot;		/* slot this element refers to */
    int refCount;		/* reference count for this element */
};
138
/*
 * Parameters for RSA key generation.
 * NOTE(review): this header sets no bounds on either field; confirm where
 * the key size and exponent are validated before they reach a token.
 */
struct PK11RSAGenParamsStr {
    int keySizeInBits;		/* requested key size, in bits */
    unsigned long pe;		/* presumably the public exponent -- confirm */
};
143
/*
 * Selects which certificates a certificate listing returns.  The "Unique"
 * variants return one instance per certificate; the others return every
 * instance.
 */
typedef enum {
     PK11CertListUnique = 0,     /* get one instance of all certs */
     PK11CertListUser = 1,       /* get all instances of user certs */
     PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key.
                                  * deprecated. Use PK11CertListCAUnique
                                  */
     PK11CertListCA = 3,         /* get all instances of CA certs */
     PK11CertListCAUnique = 4,   /* get one instance of CA certs */
     PK11CertListUserUnique = 5, /* get one instance of user certs */
     PK11CertListAll = 6         /* get all instances of all certs */
} PK11CertListType;
155
/*
 * Entry into the array which lists all the legal bits for the default flags
 * in the slot, their definition, and the PKCS #11 mechanism they represent.
 * Always statically allocated.
 */
struct PK11DefaultArrayEntryStr {
    char *name;			/* name of the flag */
    unsigned long flag;		/* the flag bit (presumably one of the
				 * SECMOD_*_FLAG values -- confirm) */
    unsigned long mechanism; /* this is a long so we don't include the
			      * whole pkcs 11 world to use this header */
};
167
168
/*
 * Slot default flag bits, one bit per algorithm or feature.  Presumably
 * these are the "default flags in the slot" that PK11DefaultArrayEntryStr
 * describes -- confirm.
 *
 * SECMOD_RANDOM_FLAG (0x80000000L) does not fit in a signed 32-bit long;
 * where long is 32 bits the constant therefore has an unsigned type.
 * SECMOD_RESERVED_FLAG is written with an upper-case 0X prefix, which is
 * the same hexadecimal notation as 0x.
 */
#define SECMOD_RSA_FLAG 	0x00000001L
#define SECMOD_DSA_FLAG 	0x00000002L
#define SECMOD_RC2_FLAG 	0x00000004L
#define SECMOD_RC4_FLAG 	0x00000008L
#define SECMOD_DES_FLAG 	0x00000010L
#define SECMOD_DH_FLAG	 	0x00000020L
#define SECMOD_FORTEZZA_FLAG	0x00000040L
#define SECMOD_RC5_FLAG		0x00000080L
#define SECMOD_SHA1_FLAG	0x00000100L
#define SECMOD_MD5_FLAG		0x00000200L
#define SECMOD_MD2_FLAG		0x00000400L
#define SECMOD_SSL_FLAG		0x00000800L
#define SECMOD_TLS_FLAG		0x00001000L
#define SECMOD_AES_FLAG 	0x00002000L
#define SECMOD_SHA256_FLAG	0x00004000L
#define SECMOD_SHA512_FLAG	0x00008000L	/* also for SHA384 */
#define SECMOD_CAMELLIA_FLAG 	0x00010000L /* = PUBLIC_MECH_CAMELLIA_FLAG */
#define SECMOD_SEED_FLAG	0x00020000L
/* reserved bit for future, do not use */
#define SECMOD_RESERVED_FLAG    0X08000000L
#define SECMOD_FRIENDLY_FLAG	0x10000000L
#define SECMOD_RANDOM_FLAG	0x80000000L
191
/*
 * need to make SECMOD and PK11 prefixes consistent.
 * These two values occupy bits that the SECMOD_*_FLAG list leaves free
 * (0x20000000 and 0x40000000), so they appear to share one flag word with
 * those flags -- confirm.
 */
#define PK11_OWN_PW_DEFAULTS 0x20000000L
#define PK11_DISABLE_FLAG    0x40000000L
195
/*
 * PK11AttrFlags
 *
 * A 32-bit bitmask of PK11_ATTR_XXX flags.  The PK11_ATTR_XXX values are
 * defined in this header and are combined with bitwise OR.
 */
typedef PRUint32 PK11AttrFlags;
202
/*
 * PK11_ATTR_XXX
 *
 * The following PK11_ATTR_XXX bitflags are used to specify
 * PKCS #11 object attributes that have Boolean values.  Some NSS
 * functions have a "PK11AttrFlags attrFlags" parameter whose value
 * is the logical OR of these bitflags.  NSS uses these bitflags on
 * private keys or secret keys.  Some of these bitflags also apply
 * to the public keys associated with the private keys.
 *
 * For each PKCS #11 object attribute, we need two bitflags to
 * specify not only "true" and "false" but also "default".  For
 * example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the
 * CKA_PRIVATE attribute.  If PK11_ATTR_PRIVATE is set, we add
 *     { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) }
 * to the template.  If PK11_ATTR_PUBLIC is set, we add
 *     { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) }
 * to the template.  If neither flag is set, we don't add any
 * CKA_PRIVATE entry to the template.
 *
 * NOTE(review): a mask with both bits of one pair set is contradictory,
 * and nothing in this header rejects it.  Confirm where the functions
 * taking attrFlags validate the mask.
 */

/*
 * Attributes for PKCS #11 storage objects, which include not only
 * keys but also certificates and domain parameters.
 */

/*
 * PK11_ATTR_TOKEN
 * PK11_ATTR_SESSION
 *
 * These two flags determine whether the object is a token or
 * session object.
 *
 * These two flags are related and cannot both be set.
 * If the PK11_ATTR_TOKEN flag is set, the object is a token
 * object.  If the PK11_ATTR_SESSION flag is set, the object is
 * a session object.  If neither flag is set, the object is *by
 * default* a session object.
 *
 * These two flags specify the value of the PKCS #11 CKA_TOKEN
 * attribute.
 */
#define PK11_ATTR_TOKEN         0x00000001L
#define PK11_ATTR_SESSION       0x00000002L
247
/*
 * PK11_ATTR_PRIVATE
 * PK11_ATTR_PUBLIC
 *
 * These two flags determine whether the object is a private or
 * public object.  A user may not access a private object until the
 * user has authenticated to the token.
 *
 * These two flags are related and cannot both be set.
 * If the PK11_ATTR_PRIVATE flag is set, the object is a private
 * object.  If the PK11_ATTR_PUBLIC flag is set, the object is a
 * public object.  If neither flag is set, it is token-specific
 * whether the object is private or public.
 *
 * These two flags specify the value of the PKCS #11 CKA_PRIVATE
 * attribute.  NSS only uses this attribute on private and secret
 * keys, so public keys created by NSS get the token-specific
 * default value of the CKA_PRIVATE attribute.
 *
 * Because the unset case is token-specific, a caller that needs the
 * object to be reachable only after authentication should set
 * PK11_ATTR_PRIVATE explicitly rather than rely on the default.
 */
#define PK11_ATTR_PRIVATE       0x00000004L
#define PK11_ATTR_PUBLIC        0x00000008L
269
/*
 * PK11_ATTR_MODIFIABLE
 * PK11_ATTR_UNMODIFIABLE
 *
 * These two flags determine whether the object is modifiable or
 * read-only.
 *
 * These two flags are related and cannot both be set.
 * If the PK11_ATTR_MODIFIABLE flag is set, the object can be
 * modified.  If the PK11_ATTR_UNMODIFIABLE flag is set, the object
 * is read-only.  If neither flag is set, the object is *by default*
 * modifiable.
 *
 * These two flags specify the value of the PKCS #11 CKA_MODIFIABLE
 * attribute.
 *
 * Since the default is modifiable, an object whose attributes must not
 * change after creation needs PK11_ATTR_UNMODIFIABLE set explicitly.
 */
#define PK11_ATTR_MODIFIABLE    0x00000010L
#define PK11_ATTR_UNMODIFIABLE  0x00000020L
288
/* Attributes for PKCS #11 key objects. */

/*
 * PK11_ATTR_SENSITIVE
 * PK11_ATTR_INSENSITIVE
 *
 * These two flags are related and cannot both be set.
 * If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive.
 * If the PK11_ATTR_INSENSITIVE flag is set, the key is not
 * sensitive.  If neither flag is set, it is token-specific whether
 * the key is sensitive or not.
 *
 * If a key is sensitive, certain attributes of the key cannot be
 * revealed in plaintext outside the token.
 *
 * These two flags specify the value of the PKCS #11 CKA_SENSITIVE
 * attribute.  Although the default value of the CKA_SENSITIVE
 * attribute for secret keys is CK_FALSE per PKCS #11, some FIPS
 * tokens set the default value to CK_TRUE because only CK_TRUE
 * is allowed.  So in practice the default value of this attribute
 * is token-specific, hence the need for two bitflags.
 *
 * Because the unset case is token-specific, a caller that requires the
 * key value to stay inside the token should set PK11_ATTR_SENSITIVE
 * explicitly rather than rely on the default.
 */
#define PK11_ATTR_SENSITIVE     0x00000040L
#define PK11_ATTR_INSENSITIVE   0x00000080L
313
/*
 * PK11_ATTR_EXTRACTABLE
 * PK11_ATTR_UNEXTRACTABLE
 *
 * These two flags are related and cannot both be set.
 * If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable
 * and can be wrapped.  If the PK11_ATTR_UNEXTRACTABLE flag is set,
 * the key is not extractable, and certain attributes of the key
 * cannot be revealed in plaintext outside the token (just like a
 * sensitive key).  If neither flag is set, it is token-specific
 * whether the key is extractable or not.
 *
 * These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE
 * attribute.
 *
 * Because the unset case is token-specific, a caller that must prevent
 * the key from being wrapped out of the token should set
 * PK11_ATTR_UNEXTRACTABLE explicitly rather than rely on the default.
 */
#define PK11_ATTR_EXTRACTABLE   0x00000100L
#define PK11_ATTR_UNEXTRACTABLE 0x00000200L
331
/* Cryptographic module types (small integer codes, not bit flags) */
#define SECMOD_EXTERNAL	0	/* external module */
#define SECMOD_INTERNAL 1	/* internal default module */
#define SECMOD_FIPS	2	/* internal fips module */
336
/*
 * default module configuration strings
 *
 * SECMOD_SLOT_FLAGS is the slotFlags list used for the internal modules.
 * NOTE(review): the list includes legacy algorithms (MD2, MD5, RC2, RC4,
 * DES).  Whether they remain usable is presumably decided by policy
 * elsewhere -- confirm before relying on these defaults.
 */
#define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]"

/*
 * Builds a module flags string by string-literal concatenation.
 *   fips - a string literal appended to "Flags=internal,critical"
 *          (either "" or ",fips" in the uses below)
 *   slot - a token that is stringified with # and used as the slot ID
 * For example SECMOD_MAKE_NSS_FLAGS("",1) expands to
 *   "Flags=internal,critical slotparams=(1={slotFlags=[...]})"
 */
#define SECMOD_MAKE_NSS_FLAGS(fips,slot) \
"Flags=internal,critical" fips " slotparams=(" #slot "={" SECMOD_SLOT_FLAGS "})"

/* Names and flags strings of the internal module (slot 1) and the
 * internal FIPS module (slot 3, with ",fips" added to the flags). */
#define SECMOD_INT_NAME "NSS Internal PKCS #11 Module"
#define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("",1)
#define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips",3)
347
/*
 * What is the origin of a given key.  Normally this doesn't matter, but
 * the fortezza code needs to know if it needs to invoke the SSL3 fortezza
 * hack.
 */
typedef enum {
    PK11_OriginNULL = 0,	/* There is no key, it's a null SymKey */
    PK11_OriginDerive = 1,	/* Key was derived from some other key */
    PK11_OriginGenerated = 2,	/* Key was generated (also PBE keys) */
    PK11_OriginFortezzaHack = 3,/* Key was marked for fortezza hack */
    PK11_OriginUnwrap = 4	/* Key was unwrapped or decrypted */
} PK11Origin;
360
/*
 * PKCS #11 disable reasons.
 * PK11_DIS_NONE (0) is the "not disabled" value; the others name the
 * reason.  The per-value notes restate the identifiers only.
 */
typedef enum {
    PK11_DIS_NONE = 0,			/* no disable reason */
    PK11_DIS_USER_SELECTED = 1,		/* selected by the user */
    PK11_DIS_COULD_NOT_INIT_TOKEN = 2,	/* token could not be initialized */
    PK11_DIS_TOKEN_VERIFY_FAILED = 3,	/* token verification failed */
    PK11_DIS_TOKEN_NOT_PRESENT = 4	/* token is not present */
} PK11DisableReasons;
369
/*
 * Types of PKCS #11 objects,
 * used to identify which NSS data structure is
 * passed to the PK11_Raw* functions.  Types map as follows:
 *   PK11_TypeGeneric            PK11GenericObject *
 *   PK11_TypePrivKey            SECKEYPrivateKey *
 *   PK11_TypePubKey             SECKEYPublicKey *
 *   PK11_TypeSymKey             PK11SymKey *
 *   PK11_TypeCert               CERTCertificate * (currently not used).
 *
 * The table above is not in numeric order: PK11_TypeCert is 3 and
 * PK11_TypeSymKey is 4.  The type value tells the callee how to interpret
 * the pointer it is given, so it must match the structure actually passed.
 */
typedef enum {
   PK11_TypeGeneric = 0,
   PK11_TypePrivKey = 1,
   PK11_TypePubKey = 2,
   PK11_TypeCert = 3,
   PK11_TypeSymKey = 4
} PK11ObjectType;
386
387
388
/*
 * Function pointer types for the password callback functions.
 *
 * PK11PasswordFunc is the type passed in to PK11_SetPasswordFunc().  It
 * receives the slot, a PRBool retry argument and an opaque arg, and
 * returns a char *.
 * NOTE(review): this header does not say who owns, frees or clears the
 * returned buffer.  It carries a password, so confirm the ownership and
 * zeroization contract before implementing a callback.
 *
 * PK11VerifyPasswordFunc and PK11IsLoggedInFunc take the slot and an
 * opaque arg and return a PRBool; they are undocumented here, so their
 * purpose is inferred from the names only.
 */
typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg);
typedef PRBool (PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg);
typedef PRBool (PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg);
395
/*
 * Special strings the password callback function can return only if
 * the slot is a protected auth path slot.
 */
#define PK11_PW_RETRY		"RETRY"	/* a failed attempt to authenticate
					 * has already been made, just retry
					 * the operation */
#define PK11_PW_AUTHENTICATED	"AUTH"  /* a successful attempt to authenticate
					 * has completed. Continue without
					 * another call to C_Login */
/* All other non-null values mean that NSS could call C_Login to force
 * the authentication. The following define helps an application document
 * that this is what it is trying to do. */
#define PK11_PW_TRY		"TRY"   /* Default: a prompt has been presented
					 * to the user, initiate a C_Login
					 * to authenticate the token */
412
/*
 * PKCS #11 key structures
 */

/*
** Attributes
** One attribute: a type item and an array of pointers to value items.
*/
struct SECKEYAttributeStr {
    SECItem attrType;		/* attribute type */
    SECItem **attrValue;	/* attribute values; how the array is
				 * terminated is not stated here -- confirm */
};
typedef struct SECKEYAttributeStr SECKEYAttribute;
425
/*
** A PKCS#8 private key info object
**
** NOTE(review): privateKey presumably holds unencrypted private key
** material, since the encrypted form has its own structure
** (SECKEYEncryptedPrivateKeyInfoStr).  Confirm that the memory is
** cleared when the object or its arena is released.
*/
struct SECKEYPrivateKeyInfoStr {
    PLArenaPool *arena;			/* arena pool; presumably owns the
					 * fields below -- confirm */
    SECItem version;			/* version field */
    SECAlgorithmID algorithm;		/* algorithm identifier of the key */
    SECItem privateKey;			/* the private key data */
    SECKEYAttribute **attributes;	/* optional attributes */
};
typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo;
437
/*
** A PKCS#8 encrypted private key info object
** (the original comment repeated the unencrypted structure's description)
*/
struct SECKEYEncryptedPrivateKeyInfoStr {
    PLArenaPool *arena;		/* arena pool; presumably owns the fields
				 * below -- confirm */
    SECAlgorithmID algorithm;	/* algorithm identifier; presumably the
				 * encryption algorithm -- confirm */
    SECItem encryptedData;	/* the encrypted data */
};
typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo;
447
/*
 * token removal detection
 *
 * Status values for a token.  The per-value notes restate the identifiers;
 * the header gives no further definition.
 */
typedef enum {
   PK11TokenNotRemovable = 0,	/* token is not removable */
   PK11TokenPresent = 1,	/* token is present */
   PK11TokenChanged = 2,	/* token has changed */
   PK11TokenRemoved = 3		/* token has been removed */
} PK11TokenStatus;
457
/* Token events: either "removed or changed", or "present". */
typedef enum {
   PK11TokenRemovedOrChangedEvent = 0,
   PK11TokenPresentEvent = 1
} PK11TokenEvent;
462
/*
 * CRL Import Flags
 *
 * CRL_IMPORT_DEFAULT_OPTIONS is the zero value, with no option bit set.
 * NOTE(review): going by its name, CRL_IMPORT_BYPASS_CHECKS turns off
 * validation that the import otherwise performs; this header does not say
 * which checks.  Confirm against the CRL import code, and reserve the flag
 * for CRLs whose origin and integrity are already established.
 */
#define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000
#define CRL_IMPORT_BYPASS_CHECKS   0x00000001
468
469
/*
 * Merge Error Log
 *
 * Type names for the log (PK11MergeLog) and for one entry in it
 * (PK11MergeLogNode).
 */
typedef struct PK11MergeLogStr PK11MergeLog;
typedef struct PK11MergeLogNodeStr PK11MergeLogNode;
475
/* These need to be global, leave some open fields so we can 'expand'
 * these without breaking binary compatibility.
 *
 * One entry of the merge error log: the object that failed and the error,
 * linked to the neighbouring entries. */
struct PK11MergeLogNodeStr {
    PK11MergeLogNode *next;   /* next entry in the list */
    PK11MergeLogNode *prev;   /* previous entry in the list */
    PK11GenericObject *object; /* object that failed */
    int	error;		       /* what the error was */
    CK_RV reserved1;	      /* reserved */
    unsigned long reserved2; /* future flags */
    unsigned long reserved3; /* future scalar */
    void *reserved4; 	      /* future pointer */
    void *reserved5;	      /* future expansion pointer */
};
489
/*
 * The merge error log: a list of PK11MergeLogNode entries plus reserved
 * fields for future expansion.
 *
 * The last two fields are spelled "reserverd" (sic).  The names are part
 * of this public struct, so correcting the spelling would break any code
 * that refers to them.
 */
struct PK11MergeLogStr {
    PK11MergeLogNode *head;	/* first entry */
    PK11MergeLogNode *tail;	/* last entry */
    PLArenaPool *arena;		/* arena pool; presumably owns the entries
				 * -- confirm */
    int version;		/* version of this structure (presumably) */
    unsigned long reserved1;	/* reserved */
    unsigned long reserved2;	/* reserved */
    unsigned long reserved3;	/* reserved */
    void *reserverd4;		/* reserved (sic) */
    void *reserverd5;		/* reserved (sic) */
};
501    
502
503#endif /*_SECMODT_H_ */