1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/nss/lib/pk11wrap/pk11pub.h Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,866 @@
1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.7 +#ifndef _PK11PUB_H_
1.8 +#define _PK11PUB_H_
1.9 +#include "plarena.h"
1.10 +#include "seccomon.h"
1.11 +#include "secoidt.h"
1.12 +#include "secdert.h"
1.13 +#include "keyt.h"
1.14 +#include "certt.h"
1.15 +#include "pkcs11t.h"
1.16 +#include "secmodt.h"
1.17 +#include "seccomon.h"
1.18 +#include "pkcs7t.h"
1.19 +#include "cmsreclist.h"
1.20 +
1.21 +/*
1.22 + * Exported PK11 wrap functions.
1.23 + */
1.24 +
1.25 +SEC_BEGIN_PROTOS
1.26 +
1.27 +/************************************************************
1.28 + * Generic Slot Lists Management
1.29 + ************************************************************/
1.30 +void PK11_FreeSlotList(PK11SlotList *list);
1.31 +SECStatus PK11_FreeSlotListElement(PK11SlotList *list, PK11SlotListElement *le);
1.32 +PK11SlotListElement * PK11_GetFirstSafe(PK11SlotList *list);
1.33 +PK11SlotListElement *PK11_GetNextSafe(PK11SlotList *list,
1.34 + PK11SlotListElement *le, PRBool restart);
1.35 +
1.36 +/************************************************************
1.37 + * Generic Slot Management
1.38 + ************************************************************/
1.39 +PK11SlotInfo *PK11_ReferenceSlot(PK11SlotInfo *slot);
1.40 +void PK11_FreeSlot(PK11SlotInfo *slot);
1.41 +SECStatus PK11_DestroyObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object);
1.42 +SECStatus PK11_DestroyTokenObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object);
1.43 +PK11SlotInfo *PK11_GetInternalKeySlot(void);
1.44 +PK11SlotInfo *PK11_GetInternalSlot(void);
1.45 +SECStatus PK11_Logout(PK11SlotInfo *slot);
1.46 +void PK11_LogoutAll(void);
1.47 +
1.48 +
1.49 +/************************************************************
1.50 + * Slot Password Management
1.51 + ************************************************************/
1.52 +void PK11_SetSlotPWValues(PK11SlotInfo *slot,int askpw, int timeout);
1.53 +void PK11_GetSlotPWValues(PK11SlotInfo *slot,int *askpw, int *timeout);
1.54 +SECStatus PK11_CheckSSOPassword(PK11SlotInfo *slot, char *ssopw);
1.55 +SECStatus PK11_CheckUserPassword(PK11SlotInfo *slot, const char *pw);
1.56 +PRBool PK11_IsLoggedIn(PK11SlotInfo *slot, void *wincx);
1.57 +SECStatus PK11_InitPin(PK11SlotInfo *slot,const char *ssopw,
1.58 + const char *pk11_userpwd);
1.59 +SECStatus PK11_ChangePW(PK11SlotInfo *slot, const char *oldpw,
1.60 + const char *newpw);
1.61 +void PK11_SetPasswordFunc(PK11PasswordFunc func);
1.62 +int PK11_GetMinimumPwdLength(PK11SlotInfo *slot);
1.63 +SECStatus PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd);
1.64 +SECStatus PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx);
1.65 +SECStatus PK11_TokenRefresh(PK11SlotInfo *slot);
1.66 +
1.67 +
1.68 +/******************************************************************
1.69 + * Slot info functions
1.70 + ******************************************************************/
1.71 +PK11SlotInfo *PK11_FindSlotByName(const char *name);
1.72 +/******************************************************************
1.73 + * PK11_FindSlotsByNames searches for a PK11SlotInfo using one or
1.74 + * more criteria : dllName, slotName and tokenName . In addition, if
1.75 + * presentOnly is set , only slots with a token inserted will be
1.76 + * returned.
1.77 + ******************************************************************/
1.78 +PK11SlotList *PK11_FindSlotsByNames(const char *dllName,
1.79 + const char* slotName, const char* tokenName, PRBool presentOnly);
1.80 +PRBool PK11_IsReadOnly(PK11SlotInfo *slot);
1.81 +PRBool PK11_IsInternal(PK11SlotInfo *slot);
1.82 +PRBool PK11_IsInternalKeySlot(PK11SlotInfo *slot);
1.83 +char * PK11_GetTokenName(PK11SlotInfo *slot);
1.84 +char * PK11_GetSlotName(PK11SlotInfo *slot);
1.85 +PRBool PK11_NeedLogin(PK11SlotInfo *slot);
1.86 +PRBool PK11_IsFriendly(PK11SlotInfo *slot);
1.87 +PRBool PK11_IsHW(PK11SlotInfo *slot);
1.88 +PRBool PK11_IsRemovable(PK11SlotInfo *slot);
1.89 +PRBool PK11_NeedUserInit(PK11SlotInfo *slot);
1.90 +PRBool PK11_ProtectedAuthenticationPath(PK11SlotInfo *slot);
1.91 +int PK11_GetSlotSeries(PK11SlotInfo *slot);
1.92 +int PK11_GetCurrentWrapIndex(PK11SlotInfo *slot);
1.93 +unsigned long PK11_GetDefaultFlags(PK11SlotInfo *slot);
1.94 +CK_SLOT_ID PK11_GetSlotID(PK11SlotInfo *slot);
1.95 +SECMODModuleID PK11_GetModuleID(PK11SlotInfo *slot);
1.96 +SECStatus PK11_GetSlotInfo(PK11SlotInfo *slot, CK_SLOT_INFO *info);
1.97 +SECStatus PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info);
1.98 +PRBool PK11_IsDisabled(PK11SlotInfo *slot);
1.99 +PRBool PK11_HasRootCerts(PK11SlotInfo *slot);
1.100 +PK11DisableReasons PK11_GetDisabledReason(PK11SlotInfo *slot);
1.101 +/* Prevents the slot from being used, and set disable reason to user-disable */
1.102 +/* NOTE: Mechanisms that were ON continue to stay ON */
1.103 +/* Therefore, when the slot is enabled, it will remember */
1.104 +/* what mechanisms needs to be turned on */
1.105 +PRBool PK11_UserDisableSlot(PK11SlotInfo *slot);
1.106 +/* Allow all mechanisms that are ON before UserDisableSlot() */
1.107 +/* was called to be available again */
1.108 +PRBool PK11_UserEnableSlot(PK11SlotInfo *slot);
1.109 +/*
1.110 + * wait for a specific slot event.
1.111 + * event is a specific event to wait for. Currently only
1.112 + * PK11TokenChangeOrRemovalEvent and PK11TokenPresentEvents are defined.
1.113 + * timeout can be an interval time to wait, PR_INTERVAL_NO_WAIT (meaning only
1.114 + * poll once), or PR_INTERVAL_NO_TIMEOUT (meaning block until a change).
1.115 + * pollInterval is a suggested pulling interval value. '0' means use the
1.116 + * default. Future implementations that don't poll may ignore this value.
1.117 + * series is the current series for the last slot. This should be the series
1.118 + * value for the slot the last time you read persistant information from the
1.119 + * slot. For instance, if you publish a cert from the slot, you should obtain
1.120 + * the slot series at that time. Then PK11_WaitForTokenEvent can detect a
1.121 + * a change in the slot between the time you publish and the time
1.122 + * PK11_WaitForTokenEvent is called, elliminating potential race conditions.
1.123 + *
1.124 + * The current status that is returned is:
1.125 + * PK11TokenNotRemovable - always returned for any non-removable token.
1.126 + * PK11TokenPresent - returned when the token is present and we are waiting
1.127 + * on a PK11TokenPresentEvent. Then next event to look for is a
1.128 + * PK11TokenChangeOrRemovalEvent.
1.129 + * PK11TokenChanged - returned when the old token has been removed and a new
1.130 + * token ad been inserted, and we are waiting for a
1.131 + * PK11TokenChangeOrRemovalEvent. The next event to look for is another
1.132 + * PK11TokenChangeOrRemovalEvent.
1.133 + * PK11TokenRemoved - returned when the token is not present and we are
1.134 + * waiting for a PK11TokenChangeOrRemovalEvent. The next event to look for
1.135 + * is a PK11TokenPresentEvent.
1.136 + */
1.137 +PK11TokenStatus PK11_WaitForTokenEvent(PK11SlotInfo *slot, PK11TokenEvent event,
1.138 + PRIntervalTime timeout, PRIntervalTime pollInterval, int series);
1.139 +
1.140 +PRBool PK11_NeedPWInit(void);
1.141 +PRBool PK11_TokenExists(CK_MECHANISM_TYPE);
1.142 +SECStatus PK11_GetModInfo(SECMODModule *mod, CK_INFO *info);
1.143 +PRBool PK11_IsFIPS(void);
1.144 +SECMODModule *PK11_GetModule(PK11SlotInfo *slot);
1.145 +
1.146 +/*********************************************************************
1.147 + * Slot mapping utility functions.
1.148 + *********************************************************************/
1.149 +PRBool PK11_IsPresent(PK11SlotInfo *slot);
1.150 +PRBool PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
1.151 +PK11SlotList * PK11_GetAllTokens(CK_MECHANISM_TYPE type,PRBool needRW,
1.152 + PRBool loadCerts, void *wincx);
1.153 +PK11SlotInfo *PK11_GetBestSlotMultipleWithAttributes(CK_MECHANISM_TYPE *type,
1.154 + CK_FLAGS *mechFlag, unsigned int *keySize,
1.155 + unsigned int count, void *wincx);
1.156 +PK11SlotInfo *PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type,
1.157 + unsigned int count, void *wincx);
1.158 +PK11SlotInfo *PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx);
1.159 +PK11SlotInfo *PK11_GetBestSlotWithAttributes(CK_MECHANISM_TYPE type,
1.160 + CK_FLAGS mechFlag, unsigned int keySize, void *wincx);
1.161 +CK_MECHANISM_TYPE PK11_GetBestWrapMechanism(PK11SlotInfo *slot);
1.162 +int PK11_GetBestKeyLength(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
1.163 +
1.164 +/*
1.165 + * Open a new database using the softoken. The caller is responsible for making
1.166 + * sure the module spec is correct and usable. The caller should ask for one
1.167 + * new database per call if the caller wants to get meaningful information
1.168 + * about the new database.
1.169 + *
1.170 + * moduleSpec is the same data that you would pass to softoken at
1.171 + * initialization time under the 'tokens' options. For example, if you were
1.172 + * to specify tokens=<0x4=[configdir='./mybackup' tokenDescription='Backup']>
1.173 + * You would specify "configdir='./mybackup' tokenDescription='Backup'" as your
1.174 + * module spec here. The slot ID will be calculated for you by
1.175 + * SECMOD_OpenUserDB().
1.176 + *
1.177 + * Typical parameters here are configdir, tokenDescription and flags.
1.178 + *
1.179 + * a Full list is below:
1.180 + *
1.181 + *
1.182 + * configDir - The location of the databases for this token. If configDir is
1.183 + * not specified, and noCertDB and noKeyDB is not specified, the load
1.184 + * will fail.
1.185 + * certPrefix - Cert prefix for this token.
1.186 + * keyPrefix - Prefix for the key database for this token. (if not specified,
1.187 + * certPrefix will be used).
1.188 + * tokenDescription - The label value for this token returned in the
1.189 + * CK_TOKEN_INFO structure with an internationalize string (UTF8).
1.190 + * This value will be truncated at 32 bytes (no NULL, partial UTF8
1.191 + * characters dropped). You should specify a user friendly name here
1.192 + * as this is the value the token will be referred to in most
1.193 + * application UI's. You should make sure tokenDescription is unique.
1.194 + * slotDescription - The slotDescription value for this token returned
1.195 + * in the CK_SLOT_INFO structure with an internationalize string
1.196 + * (UTF8). This value will be truncated at 64 bytes (no NULL, partial
1.197 + * UTF8 characters dropped). This name will not change after the
1.198 + * database is closed. It should have some number to make this unique.
1.199 + * minPWLen - minimum password length for this token.
1.200 + * flags - comma separated list of flag values, parsed case-insensitive.
1.201 + * Valid flags are:
1.202 + * readOnly - Databases should be opened read only.
1.203 + * noCertDB - Don't try to open a certificate database.
1.204 + * noKeyDB - Don't try to open a key database.
1.205 + * forceOpen - Don't fail to initialize the token if the
1.206 + * databases could not be opened.
1.207 + * passwordRequired - zero length passwords are not acceptable
1.208 + * (valid only if there is a keyDB).
1.209 + * optimizeSpace - allocate smaller hash tables and lock tables.
1.210 + * When this flag is not specified, Softoken will allocate
1.211 + * large tables to prevent lock contention.
1.212 + */
1.213 +PK11SlotInfo *SECMOD_OpenUserDB(const char *moduleSpec);
1.214 +SECStatus SECMOD_CloseUserDB(PK11SlotInfo *slot);
1.215 +
1.216 +/*
1.217 + * This is exactly the same as OpenUserDB except it can be called on any
1.218 + * module that understands softoken style new slot entries. The resulting
1.219 + * slot can be closed using SECMOD_CloseUserDB above. Value of moduleSpec
1.220 + * is token specific.
1.221 + */
1.222 +PK11SlotInfo *SECMOD_OpenNewSlot(SECMODModule *mod, const char *moduleSpec);
1.223 +
1.224 +
1.225 +/*
1.226 + * merge the permanent objects from on token to another
1.227 + */
1.228 +SECStatus PK11_MergeTokens(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot,
1.229 + PK11MergeLog *log, void *targetPwArg, void *sourcePwArg);
1.230 +
1.231 +/*
1.232 + * create and destroy merge logs needed by PK11_MergeTokens
1.233 + */
1.234 +PK11MergeLog * PK11_CreateMergeLog(void);
1.235 +void PK11_DestroyMergeLog(PK11MergeLog *log);
1.236 +
1.237 +
1.238 +
1.239 +/*********************************************************************
1.240 + * Mechanism Mapping functions
1.241 + *********************************************************************/
1.242 +CK_KEY_TYPE PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len);
1.243 +CK_MECHANISM_TYPE PK11_GetKeyGen(CK_MECHANISM_TYPE type);
1.244 +int PK11_GetBlockSize(CK_MECHANISM_TYPE type,SECItem *params);
1.245 +int PK11_GetIVLength(CK_MECHANISM_TYPE type);
1.246 +SECItem *PK11_ParamFromIV(CK_MECHANISM_TYPE type,SECItem *iv);
1.247 +unsigned char *PK11_IVFromParam(CK_MECHANISM_TYPE type,SECItem *param,int *len);
1.248 +SECItem * PK11_BlockData(SECItem *data,unsigned long size);
1.249 +
1.250 +/* PKCS #11 to DER mapping functions */
1.251 +SECItem *PK11_ParamFromAlgid(SECAlgorithmID *algid);
1.252 +SECItem *PK11_GenerateNewParam(CK_MECHANISM_TYPE, PK11SymKey *);
1.253 +CK_MECHANISM_TYPE PK11_AlgtagToMechanism(SECOidTag algTag);
1.254 +SECOidTag PK11_MechanismToAlgtag(CK_MECHANISM_TYPE type);
1.255 +SECOidTag PK11_FortezzaMapSig(SECOidTag algTag);
1.256 +SECStatus PK11_ParamToAlgid(SECOidTag algtag, SECItem *param,
1.257 + PLArenaPool *arena, SECAlgorithmID *algid);
1.258 +SECStatus PK11_SeedRandom(PK11SlotInfo *,unsigned char *data,int len);
1.259 +SECStatus PK11_GenerateRandomOnSlot(PK11SlotInfo *,unsigned char *data,int len);
1.260 +SECStatus PK11_RandomUpdate(void *data, size_t bytes);
1.261 +SECStatus PK11_GenerateRandom(unsigned char *data,int len);
1.262 +
1.263 +/* warning: cannot work with pkcs 5 v2
1.264 + * use algorithm ID s instead of pkcs #11 mechanism pointers */
1.265 +CK_RV PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism,
1.266 + CK_MECHANISM_PTR pCryptoMechanism,
1.267 + SECItem *pbe_pwd, PRBool bad3DES);
1.268 +CK_MECHANISM_TYPE PK11_GetPadMechanism(CK_MECHANISM_TYPE);
1.269 +CK_MECHANISM_TYPE PK11_MapSignKeyType(KeyType keyType);
1.270 +
1.271 +/**********************************************************************
1.272 + * Symmetric, Public, and Private Keys
1.273 + **********************************************************************/
1.274 +void PK11_FreeSymKey(PK11SymKey *key);
1.275 +PK11SymKey *PK11_ReferenceSymKey(PK11SymKey *symKey);
1.276 +PK11SymKey *PK11_ImportSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
1.277 + PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, void *wincx);
1.278 +PK11SymKey *PK11_ImportSymKeyWithFlags(PK11SlotInfo *slot,
1.279 + CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation,
1.280 + SECItem *key, CK_FLAGS flags, PRBool isPerm, void *wincx);
1.281 +PK11SymKey *PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent,
1.282 + PK11Origin origin, CK_MECHANISM_TYPE type, CK_OBJECT_HANDLE keyID,
1.283 + PRBool owner, void *wincx);
1.284 +PK11SymKey *PK11_GetWrapKey(PK11SlotInfo *slot, int wrap,
1.285 + CK_MECHANISM_TYPE type,int series, void *wincx);
1.286 +/*
1.287 + * This function is not thread-safe. It can only be called when only
1.288 + * one thread has a reference to wrapKey.
1.289 + */
1.290 +void PK11_SetWrapKey(PK11SlotInfo *slot, int wrap, PK11SymKey *wrapKey);
1.291 +CK_MECHANISM_TYPE PK11_GetMechanism(PK11SymKey *symKey);
1.292 +/*
1.293 + * import a public key into the desired slot
1.294 + *
1.295 + * This function takes a public key structure and creates a public key in a
1.296 + * given slot. If isToken is set, then a persistant public key is created.
1.297 + *
1.298 + * Note: it is possible for this function to return a handle for a key which
1.299 + * is persistant, even if isToken is not set.
1.300 + */
1.301 +CK_OBJECT_HANDLE PK11_ImportPublicKey(PK11SlotInfo *slot,
1.302 + SECKEYPublicKey *pubKey, PRBool isToken);
1.303 +PK11SymKey *PK11_KeyGen(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
1.304 + SECItem *param, int keySize,void *wincx);
1.305 +PK11SymKey *PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
1.306 + SECItem *param, int keySize, SECItem *keyid,
1.307 + PRBool isToken, void *wincx);
1.308 +PK11SymKey *PK11_TokenKeyGenWithFlags(PK11SlotInfo *slot,
1.309 + CK_MECHANISM_TYPE type, SECItem *param,
1.310 + int keySize, SECItem *keyid, CK_FLAGS opFlags,
1.311 + PK11AttrFlags attrFlags, void *wincx);
1.312 +/* Generates a key using the exact template supplied by the caller. The other
1.313 + * PK11_[Token]KeyGen mechanisms should be used instead of this one whenever
1.314 + * they work because they include/exclude the CKA_VALUE_LEN template value
1.315 + * based on the mechanism type as required by many tokens.
1.316 + *
1.317 + * keyGenType should be PK11_GetKeyGenWithSize(type, <key size>) or it should
1.318 + * be equal to type if PK11_GetKeyGenWithSize cannot be used (e.g. because
1.319 + * pk11wrap does not know about the mechanisms).
1.320 + */
1.321 +PK11SymKey *PK11_KeyGenWithTemplate(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
1.322 + CK_MECHANISM_TYPE keyGenType,
1.323 + SECItem *param, CK_ATTRIBUTE * attrs,
1.324 + unsigned int attrsCount, void *wincx);
1.325 +PK11SymKey * PK11_ListFixedKeysInSlot(PK11SlotInfo *slot, char *nickname,
1.326 + void *wincx);
1.327 +PK11SymKey *PK11_GetNextSymKey(PK11SymKey *symKey);
1.328 +CK_KEY_TYPE PK11_GetSymKeyType(PK11SymKey *key);
1.329 +CK_OBJECT_HANDLE PK11_GetSymKeyHandle(PK11SymKey *symKey);
1.330 +
1.331 +
1.332 +/*
1.333 + * PK11_SetSymKeyUserData
1.334 + * sets generic user data on keys (usually a pointer to a data structure)
1.335 + * that can later be retrieved by PK11_GetSymKeyUserData().
1.336 + * symKey - key where data will be set.
1.337 + * data - data to be set.
1.338 + * freefunc - function used to free the data.
1.339 + * Setting user data on symKeys with existing user data already set will cause
1.340 + * the existing user data to be freed before the new user data is set.
1.341 + * Freeing user data is done by calling the user specified freefunc.
1.342 + * If freefunc is NULL, the user data is assumed to be global or static an
1.343 + * not freed. Passing NULL for user data to PK11_SetSymKeyUserData has the
1.344 + * effect of freeing any existing user data, and clearing the user data
1.345 + * pointer. If user data exists when the symKey is finally freed, that
1.346 + * data will be freed with freefunc.
1.347 + *
1.348 + * Applications should only use this function on keys which the application
1.349 + * has created directly, as there is only one user data value per key.
1.350 + */
1.351 +void PK11_SetSymKeyUserData(PK11SymKey *symKey, void *data,
1.352 + PK11FreeDataFunc freefunc);
1.353 +/* PK11_GetSymKeyUserData
1.354 + * retrieves generic user data which was set on a key by
1.355 + * PK11_SetSymKeyUserData.
1.356 + * symKey - key with data to be fetched
1.357 + *
1.358 + * If no data exists, or the data has been cleared, PK11_GetSymKeyUserData
1.359 + * will return NULL. Returned data is still owned and managed by the SymKey,
1.360 + * the caller should not free the data.
1.361 + *
1.362 + */
1.363 +void *PK11_GetSymKeyUserData(PK11SymKey *symKey);
1.364 +
1.365 +SECStatus PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
1.366 + PK11SymKey *symKey, SECItem *wrappedKey);
1.367 +SECStatus PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *params,
1.368 + PK11SymKey *wrappingKey, PK11SymKey *symKey, SECItem *wrappedKey);
1.369 +/* move a key to 'slot' optionally set the key attributes according to either
1.370 + * operation or the flags and making the key permanent at the same time.
1.371 + * If the key is moved to the same slot, operation and flags values are
1.372 + * currently ignored */
1.373 +PK11SymKey *PK11_MoveSymKey(PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation,
1.374 + CK_FLAGS flags, PRBool perm, PK11SymKey *symKey);
1.375 +/*
1.376 + * derive a new key from the base key.
1.377 + * PK11_Derive returns a key which can do exactly one operation, and is
1.378 + * ephemeral (session key).
1.379 + * PK11_DeriveWithFlags is the same as PK11_Derive, except you can use
1.380 + * CKF_ flags to enable more than one operation.
1.381 + * PK11_DeriveWithFlagsPerm is the same as PK11_DeriveWithFlags except you can
1.382 + * (optionally) make the key permanent (token key).
1.383 + */
1.384 +PK11SymKey *PK11_Derive(PK11SymKey *baseKey, CK_MECHANISM_TYPE mechanism,
1.385 + SECItem *param, CK_MECHANISM_TYPE target,
1.386 + CK_ATTRIBUTE_TYPE operation, int keySize);
1.387 +PK11SymKey *PK11_DeriveWithFlags( PK11SymKey *baseKey,
1.388 + CK_MECHANISM_TYPE derive, SECItem *param, CK_MECHANISM_TYPE target,
1.389 + CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags);
1.390 +PK11SymKey * PK11_DeriveWithFlagsPerm( PK11SymKey *baseKey,
1.391 + CK_MECHANISM_TYPE derive,
1.392 + SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
1.393 + int keySize, CK_FLAGS flags, PRBool isPerm);
1.394 +PK11SymKey *
1.395 +PK11_DeriveWithTemplate( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive,
1.396 + SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
1.397 + int keySize, CK_ATTRIBUTE *userAttr, unsigned int numAttrs,
1.398 + PRBool isPerm);
1.399 +
1.400 +
1.401 +PK11SymKey *PK11_PubDerive( SECKEYPrivateKey *privKey,
1.402 + SECKEYPublicKey *pubKey, PRBool isSender, SECItem *randomA, SECItem *randomB,
1.403 + CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
1.404 + CK_ATTRIBUTE_TYPE operation, int keySize,void *wincx) ;
1.405 +PK11SymKey *PK11_PubDeriveWithKDF( SECKEYPrivateKey *privKey,
1.406 + SECKEYPublicKey *pubKey, PRBool isSender, SECItem *randomA, SECItem *randomB,
1.407 + CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
1.408 + CK_ATTRIBUTE_TYPE operation, int keySize,
1.409 + CK_ULONG kdf, SECItem *sharedData, void *wincx);
1.410 +
1.411 +/*
1.412 + * unwrap a new key with a symetric key.
1.413 + * PK11_Unwrap returns a key which can do exactly one operation, and is
1.414 + * ephemeral (session key).
1.415 + * PK11_UnwrapWithFlags is the same as PK11_Unwrap, except you can use
1.416 + * CKF_ flags to enable more than one operation.
1.417 + * PK11_UnwrapWithFlagsPerm is the same as PK11_UnwrapWithFlags except you can
1.418 + * (optionally) make the key permanent (token key).
1.419 + */
1.420 +PK11SymKey *PK11_UnwrapSymKey(PK11SymKey *key,
1.421 + CK_MECHANISM_TYPE wraptype, SECItem *param, SECItem *wrapppedKey,
1.422 + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
1.423 +PK11SymKey *PK11_UnwrapSymKeyWithFlags(PK11SymKey *wrappingKey,
1.424 + CK_MECHANISM_TYPE wrapType, SECItem *param, SECItem *wrappedKey,
1.425 + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize,
1.426 + CK_FLAGS flags);
1.427 +PK11SymKey * PK11_UnwrapSymKeyWithFlagsPerm(PK11SymKey *wrappingKey,
1.428 + CK_MECHANISM_TYPE wrapType,
1.429 + SECItem *param, SECItem *wrappedKey,
1.430 + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
1.431 + int keySize, CK_FLAGS flags, PRBool isPerm);
1.432 +
1.433 +/*
1.434 + * unwrap a new key with a private key.
1.435 + * PK11_PubUnwrap returns a key which can do exactly one operation, and is
1.436 + * ephemeral (session key).
1.437 + * PK11_PubUnwrapWithFlagsPerm is the same as PK11_PubUnwrap except you can
1.438 + * use * CKF_ flags to enable more than one operation, and optionally make
1.439 + * the key permanent (token key).
1.440 + */
1.441 +PK11SymKey *PK11_PubUnwrapSymKey(SECKEYPrivateKey *key, SECItem *wrapppedKey,
1.442 + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
1.443 +PK11SymKey * PK11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey,
1.444 + SECItem *wrappedKey, CK_MECHANISM_TYPE target,
1.445 + CK_ATTRIBUTE_TYPE operation, int keySize,
1.446 + CK_FLAGS flags, PRBool isPerm);
1.447 +PK11SymKey *PK11_FindFixedKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
1.448 + SECItem *keyID, void *wincx);
1.449 +SECStatus PK11_DeleteTokenPrivateKey(SECKEYPrivateKey *privKey,PRBool force);
1.450 +SECStatus PK11_DeleteTokenPublicKey(SECKEYPublicKey *pubKey);
1.451 +SECStatus PK11_DeleteTokenSymKey(PK11SymKey *symKey);
1.452 +SECStatus PK11_DeleteTokenCertAndKey(CERTCertificate *cert,void *wincx);
1.453 +SECKEYPrivateKey * PK11_LoadPrivKey(PK11SlotInfo *slot,
1.454 + SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey,
1.455 + PRBool token, PRBool sensitive);
1.456 +char * PK11_GetSymKeyNickname(PK11SymKey *symKey);
1.457 +char * PK11_GetPrivateKeyNickname(SECKEYPrivateKey *privKey);
1.458 +char * PK11_GetPublicKeyNickname(SECKEYPublicKey *pubKey);
1.459 +SECStatus PK11_SetSymKeyNickname(PK11SymKey *symKey, const char *nickname);
1.460 +SECStatus PK11_SetPrivateKeyNickname(SECKEYPrivateKey *privKey,
1.461 + const char *nickname);
1.462 +SECStatus PK11_SetPublicKeyNickname(SECKEYPublicKey *pubKey,
1.463 + const char *nickname);
1.464 +
1.465 +/* size to hold key in bytes */
1.466 +unsigned int PK11_GetKeyLength(PK11SymKey *key);
1.467 +/* size of actual secret parts of key in bits */
1.468 +/* algid is because RC4 strength is determined by the effective bits as well
1.469 + * as the key bits */
1.470 +unsigned int PK11_GetKeyStrength(PK11SymKey *key,SECAlgorithmID *algid);
1.471 +SECStatus PK11_ExtractKeyValue(PK11SymKey *symKey);
1.472 +SECItem * PK11_GetKeyData(PK11SymKey *symKey);
1.473 +PK11SlotInfo * PK11_GetSlotFromKey(PK11SymKey *symKey);
1.474 +void *PK11_GetWindow(PK11SymKey *symKey);
1.475 +
1.476 +/*
1.477 + * Explicitly set the key usage for the generated private key.
1.478 + *
1.479 + * This allows us to specify single use EC and RSA keys whose usage
1.480 + * can be regulated by the underlying token.
1.481 + *
1.482 + * The underlying key usage is set using opFlags. opFlagsMask specifies
1.483 + * which operations are specified by opFlags. For instance to turn encrypt
1.484 + * on and signing off, opFlags would be CKF_ENCRYPT|CKF_DECRYPT and
1.485 + * opFlagsMask would be CKF_ENCRYPT|CKF_DECRYPT|CKF_SIGN|CKF_VERIFY. You
1.486 + * need to specify both the public and private key flags,
1.487 + * PK11_GenerateKeyPairWithOpFlags will sort out the correct flag to the
1.488 + * correct key type. Flags not specified in opFlagMask will be defaulted
1.489 + * according to mechanism type and token capabilities.
1.490 + */
1.491 +SECKEYPrivateKey *PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot,
1.492 + CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
1.493 + PK11AttrFlags attrFlags, CK_FLAGS opFlags, CK_FLAGS opFlagsMask,
1.494 + void *wincx);
1.495 +/*
1.496 + * The attrFlags is the logical OR of the PK11_ATTR_XXX bitflags.
1.497 + * These flags apply to the private key. The PK11_ATTR_TOKEN,
1.498 + * PK11_ATTR_SESSION, PK11_ATTR_MODIFIABLE, and PK11_ATTR_UNMODIFIABLE
1.499 + * flags also apply to the public key.
1.500 + */
1.501 +SECKEYPrivateKey *PK11_GenerateKeyPairWithFlags(PK11SlotInfo *slot,
1.502 + CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
1.503 + PK11AttrFlags attrFlags, void *wincx);
1.504 +SECKEYPrivateKey *PK11_GenerateKeyPair(PK11SlotInfo *slot,
1.505 + CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
1.506 + PRBool isPerm, PRBool isSensitive, void *wincx);
1.507 +SECKEYPrivateKey * PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot,
1.508 + CERTCertificate *cert, void *wincx);
1.509 +SECKEYPrivateKey * PK11_FindKeyByAnyCert(CERTCertificate *cert, void *wincx);
1.510 +SECKEYPrivateKey * PK11_FindKeyByKeyID(PK11SlotInfo *slot, SECItem *keyID,
1.511 + void *wincx);
1.512 +int PK11_GetPrivateModulusLen(SECKEYPrivateKey *key);
1.513 +
1.514 +SECStatus PK11_Decrypt(PK11SymKey *symkey,
1.515 + CK_MECHANISM_TYPE mechanism, SECItem *param,
1.516 + unsigned char *out, unsigned int *outLen,
1.517 + unsigned int maxLen,
1.518 + const unsigned char *enc, unsigned int encLen);
1.519 +SECStatus PK11_Encrypt(PK11SymKey *symKey,
1.520 + CK_MECHANISM_TYPE mechanism, SECItem *param,
1.521 + unsigned char *out, unsigned int *outLen,
1.522 + unsigned int maxLen,
1.523 + const unsigned char *data, unsigned int dataLen);
1.524 +
1.525 +/* note: despite the name, this function takes a private key. */
1.526 +SECStatus PK11_PubDecryptRaw(SECKEYPrivateKey *key,
1.527 + unsigned char *data, unsigned *outLen,
1.528 + unsigned int maxLen,
1.529 + const unsigned char *enc, unsigned encLen);
1.530 +#define PK11_PrivDecryptRaw PK11_PubDecryptRaw
1.531 +/* The encrypt function that complements the above decrypt function. */
1.532 +SECStatus PK11_PubEncryptRaw(SECKEYPublicKey *key,
1.533 + unsigned char *enc,
1.534 + const unsigned char *data, unsigned dataLen,
1.535 + void *wincx);
1.536 +
1.537 +SECStatus PK11_PrivDecryptPKCS1(SECKEYPrivateKey *key,
1.538 + unsigned char *data, unsigned *outLen,
1.539 + unsigned int maxLen,
1.540 + const unsigned char *enc, unsigned encLen);
1.541 +/* The encrypt function that complements the above decrypt function. */
1.542 +SECStatus PK11_PubEncryptPKCS1(SECKEYPublicKey *key,
1.543 + unsigned char *enc,
1.544 + const unsigned char *data, unsigned dataLen,
1.545 + void *wincx);
1.546 +
1.547 +SECStatus PK11_PrivDecrypt(SECKEYPrivateKey *key,
1.548 + CK_MECHANISM_TYPE mechanism, SECItem *param,
1.549 + unsigned char *out, unsigned int *outLen,
1.550 + unsigned int maxLen,
1.551 + const unsigned char *enc, unsigned int encLen);
1.552 +SECStatus PK11_PubEncrypt(SECKEYPublicKey *key,
1.553 + CK_MECHANISM_TYPE mechanism, SECItem *param,
1.554 + unsigned char *out, unsigned int *outLen,
1.555 + unsigned int maxLen,
1.556 + const unsigned char *data, unsigned int dataLen,
1.557 + void *wincx);
1.558 +
1.559 +SECStatus PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot,
1.560 + SECKEYPrivateKeyInfo *pki, SECItem *nickname,
1.561 + SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
1.562 + unsigned int usage, void *wincx);
1.563 +SECStatus PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
1.564 + SECKEYPrivateKeyInfo *pki, SECItem *nickname,
1.565 + SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
1.566 + unsigned int usage, SECKEYPrivateKey** privk, void *wincx);
1.567 +SECStatus PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot,
1.568 + SECItem *derPKI, SECItem *nickname,
1.569 + SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
1.570 + unsigned int usage, void *wincx);
1.571 +SECStatus PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
1.572 + SECItem *derPKI, SECItem *nickname,
1.573 + SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
1.574 + unsigned int usage, SECKEYPrivateKey** privk, void *wincx);
1.575 +SECStatus PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
1.576 + SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem,
1.577 + SECItem *nickname, SECItem *publicValue, PRBool isPerm,
1.578 + PRBool isPrivate, KeyType type,
1.579 + unsigned int usage, void *wincx);
1.580 +SECStatus PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
1.581 + SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem,
1.582 + SECItem *nickname, SECItem *publicValue, PRBool isPerm,
1.583 + PRBool isPrivate, KeyType type,
1.584 + unsigned int usage, SECKEYPrivateKey** privk, void *wincx);
1.585 +SECItem *PK11_ExportDERPrivateKeyInfo(SECKEYPrivateKey *pk, void *wincx);
1.586 +SECKEYPrivateKeyInfo *PK11_ExportPrivKeyInfo(
1.587 + SECKEYPrivateKey *pk, void *wincx);
1.588 +SECKEYPrivateKeyInfo *PK11_ExportPrivateKeyInfo(
1.589 + CERTCertificate *cert, void *wincx);
1.590 +SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivKeyInfo(
1.591 + PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem,
1.592 + SECKEYPrivateKey *pk, int iteration, void *wincx);
1.593 +SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivateKeyInfo(
1.594 + PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem,
1.595 + CERTCertificate *cert, int iteration, void *wincx);
1.596 +SECKEYPrivateKey *PK11_FindKeyByDERCert(PK11SlotInfo *slot,
1.597 + CERTCertificate *cert, void *wincx);
1.598 +SECKEYPublicKey *PK11_MakeKEAPubKey(unsigned char *data, int length);
1.599 +SECStatus PK11_DigestKey(PK11Context *context, PK11SymKey *key);
1.600 +PRBool PK11_VerifyKeyOK(PK11SymKey *key);
1.601 +SECKEYPrivateKey *PK11_UnwrapPrivKey(PK11SlotInfo *slot,
1.602 + PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType,
1.603 + SECItem *param, SECItem *wrappedKey, SECItem *label,
1.604 + SECItem *publicValue, PRBool token, PRBool sensitive,
1.605 + CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage, int usageCount,
1.606 + void *wincx);
1.607 +SECStatus PK11_WrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
1.608 + SECKEYPrivateKey *privKey, CK_MECHANISM_TYPE wrapType,
1.609 + SECItem *param, SECItem *wrappedKey, void *wincx);
1.610 +/*
1.611 + * The caller of PK11_DEREncodePublicKey should free the returned SECItem with
1.612 + * a SECITEM_FreeItem(..., PR_TRUE) call.
1.613 + */
1.614 +SECItem* PK11_DEREncodePublicKey(const SECKEYPublicKey *pubk);
1.615 +PK11SymKey* PK11_CopySymKeyForSigning(PK11SymKey *originalKey,
1.616 + CK_MECHANISM_TYPE mech);
1.617 +SECKEYPrivateKeyList* PK11_ListPrivKeysInSlot(PK11SlotInfo *slot,
1.618 + char *nickname, void *wincx);
1.619 +SECKEYPublicKeyList* PK11_ListPublicKeysInSlot(PK11SlotInfo *slot,
1.620 + char *nickname);
1.621 +SECKEYPQGParams *PK11_GetPQGParamsFromPrivateKey(SECKEYPrivateKey *privKey);
1.622 +/* deprecated */
1.623 +SECKEYPrivateKeyList* PK11_ListPrivateKeysInSlot(PK11SlotInfo *slot);
1.624 +
1.625 +PK11SymKey *PK11_ConvertSessionSymKeyToTokenSymKey(PK11SymKey *symk,
1.626 + void *wincx);
1.627 +SECKEYPrivateKey *PK11_ConvertSessionPrivKeyToTokenPrivKey(
1.628 + SECKEYPrivateKey *privk, void* wincx);
1.629 +SECKEYPrivateKey * PK11_CopyTokenPrivKeyToSessionPrivKey(PK11SlotInfo *destSlot,
1.630 + SECKEYPrivateKey *privKey);
1.631 +
1.632 +/**********************************************************************
1.633 + * Certs
1.634 + **********************************************************************/
1.635 +SECItem *PK11_MakeIDFromPubKey(SECItem *pubKeyData);
1.636 +SECStatus PK11_TraverseSlotCerts(
1.637 + SECStatus(* callback)(CERTCertificate*,SECItem *,void *),
1.638 + void *arg, void *wincx);
1.639 +CERTCertificate * PK11_FindCertFromNickname(const char *nickname, void *wincx);
1.640 +CERTCertList * PK11_FindCertsFromEmailAddress(const char *email, void *wincx);
1.641 +CERTCertList * PK11_FindCertsFromNickname(const char *nickname, void *wincx);
1.642 +CERTCertificate *PK11_GetCertFromPrivateKey(SECKEYPrivateKey *privKey);
1.643 +SECStatus PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert,
1.644 + CK_OBJECT_HANDLE key, const char *nickname,
1.645 + PRBool includeTrust);
1.646 +SECStatus PK11_ImportDERCert(PK11SlotInfo *slot, SECItem *derCert,
1.647 + CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust);
1.648 +PK11SlotInfo *PK11_ImportCertForKey(CERTCertificate *cert,
1.649 + const char *nickname, void *wincx);
1.650 +PK11SlotInfo *PK11_ImportDERCertForKey(SECItem *derCert, char *nickname,
1.651 + void *wincx);
1.652 +PK11SlotInfo *PK11_KeyForCertExists(CERTCertificate *cert,
1.653 + CK_OBJECT_HANDLE *keyPtr, void *wincx);
1.654 +PK11SlotInfo *PK11_KeyForDERCertExists(SECItem *derCert,
1.655 + CK_OBJECT_HANDLE *keyPtr, void *wincx);
1.656 +CERTCertificate * PK11_FindCertByIssuerAndSN(PK11SlotInfo **slot,
1.657 + CERTIssuerAndSN *sn, void *wincx);
1.658 +CERTCertificate * PK11_FindCertAndKeyByRecipientList(PK11SlotInfo **slot,
1.659 + SEC_PKCS7RecipientInfo **array, SEC_PKCS7RecipientInfo **rip,
1.660 + SECKEYPrivateKey**privKey, void *wincx);
1.661 +int PK11_FindCertAndKeyByRecipientListNew(NSSCMSRecipient **recipientlist,
1.662 + void *wincx);
1.663 +SECStatus PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert,
1.664 + PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *),
1.665 + void *arg);
1.666 +CERTCertificate *PK11_FindCertFromDERCert(PK11SlotInfo *slot,
1.667 + CERTCertificate *cert, void *wincx);
1.668 +CERTCertificate *PK11_FindCertFromDERCertItem(PK11SlotInfo *slot,
1.669 + const SECItem *derCert, void *wincx);
1.670 +SECStatus PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert,
1.671 + char *nickname, PRBool addUsage,
1.672 + void *wincx);
1.673 +CERTCertificate *PK11_FindBestKEAMatch(CERTCertificate *serverCert,void *wincx);
1.674 +PRBool PK11_FortezzaHasKEA(CERTCertificate *cert);
1.675 +CK_OBJECT_HANDLE PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert,
1.676 + void *wincx);
1.677 +SECStatus PK11_TraverseCertsForNicknameInSlot(SECItem *nickname,
1.678 + PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *),
1.679 + void *arg);
1.680 +CERTCertList * PK11_ListCerts(PK11CertListType type, void *pwarg);
1.681 +CERTCertList * PK11_ListCertsInSlot(PK11SlotInfo *slot);
1.682 +CERTSignedCrl* PK11_ImportCRL(PK11SlotInfo * slot, SECItem *derCRL, char *url,
1.683 + int type, void *wincx, PRInt32 importOptions, PLArenaPool* arena, PRInt32 decodeOptions);
1.684 +
1.685 +/**********************************************************************
1.686 + * Sign/Verify
1.687 + **********************************************************************/
1.688 +
1.689 +/*
1.690 + * Return the length in bytes of a signature generated with the
1.691 + * private key.
1.692 + *
1.693 + * Return 0 or -1 on failure. (XXX Should we fix it to always return
1.694 + * -1 on failure?)
1.695 + */
1.696 +int PK11_SignatureLen(SECKEYPrivateKey *key);
1.697 +PK11SlotInfo * PK11_GetSlotFromPrivateKey(SECKEYPrivateKey *key);
1.698 +SECStatus PK11_Sign(SECKEYPrivateKey *key, SECItem *sig,
1.699 + const SECItem *hash);
1.700 +SECStatus PK11_SignWithSymKey(PK11SymKey *symKey, CK_MECHANISM_TYPE mechanism,
1.701 + SECItem *param, SECItem *sig, const SECItem *data);
1.702 +SECStatus PK11_VerifyRecover(SECKEYPublicKey *key, const SECItem *sig,
1.703 + SECItem *dsig, void * wincx);
1.704 +SECStatus PK11_Verify(SECKEYPublicKey *key, const SECItem *sig,
1.705 + const SECItem *hash, void *wincx);
1.706 +
1.707 +
1.708 +
1.709 +/**********************************************************************
1.710 + * Crypto Contexts
1.711 + **********************************************************************/
1.712 +void PK11_DestroyContext(PK11Context *context, PRBool freeit);
1.713 +PK11Context *PK11_CreateContextBySymKey(CK_MECHANISM_TYPE type,
1.714 + CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey, SECItem *param);
1.715 +PK11Context *PK11_CreateDigestContext(SECOidTag hashAlg);
1.716 +PK11Context *PK11_CloneContext(PK11Context *old);
1.717 +SECStatus PK11_DigestBegin(PK11Context *cx);
1.718 +/*
1.719 + * The output buffer 'out' must be big enough to hold the output of
1.720 + * the hash algorithm 'hashAlg'.
1.721 + */
1.722 +SECStatus PK11_HashBuf(SECOidTag hashAlg, unsigned char *out,
1.723 + const unsigned char *in, PRInt32 len);
1.724 +SECStatus PK11_DigestOp(PK11Context *context, const unsigned char *in,
1.725 + unsigned len);
1.726 +SECStatus PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen,
1.727 + int maxout, const unsigned char *in, int inlen);
1.728 +SECStatus PK11_Finalize(PK11Context *context);
1.729 +SECStatus PK11_DigestFinal(PK11Context *context, unsigned char *data,
1.730 + unsigned int *outLen, unsigned int length);
1.731 +#define PK11_CipherFinal PK11_DigestFinal
1.732 +SECStatus PK11_SaveContext(PK11Context *cx,unsigned char *save,
1.733 + int *len, int saveLength);
1.734 +
1.735 +/* Save the context's state, with possible allocation.
1.736 + * The caller may supply an already allocated buffer in preAllocBuf,
1.737 + * with length pabLen. If the buffer is large enough for the context's
1.738 + * state, it will receive the state.
1.739 + * If the buffer is not large enough (or NULL), then a new buffer will
1.740 + * be allocated with PORT_Alloc.
1.741 + * In either case, the state will be returned as a buffer, and the length
1.742 + * of the state will be given in *stateLen.
1.743 + */
1.744 +unsigned char *
1.745 +PK11_SaveContextAlloc(PK11Context *cx,
1.746 + unsigned char *preAllocBuf, unsigned int pabLen,
1.747 + unsigned int *stateLen);
1.748 +
1.749 +SECStatus PK11_RestoreContext(PK11Context *cx,unsigned char *save,int len);
1.750 +SECStatus PK11_GenerateFortezzaIV(PK11SymKey *symKey,unsigned char *iv,int len);
1.751 +void PK11_SetFortezzaHack(PK11SymKey *symKey) ;
1.752 +
1.753 +
1.754 +/**********************************************************************
1.755 + * PBE functions
1.756 + **********************************************************************/
1.757 +
1.758 +/* This function creates PBE parameters from the given inputs. The result
1.759 + * can be used to create a password integrity key for PKCS#12, by sending
1.760 + * the return value to PK11_KeyGen along with the appropriate mechanism.
1.761 + */
1.762 +SECItem *
1.763 +PK11_CreatePBEParams(SECItem *salt, SECItem *pwd, unsigned int iterations);
1.764 +
1.765 +/* free params created above (can be called after keygen is done */
1.766 +void PK11_DestroyPBEParams(SECItem *params);
1.767 +
1.768 +SECAlgorithmID *
1.769 +PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt);
1.770 +
1.771 +/* use to create PKCS5 V2 algorithms with finder control than that provided
1.772 + * by PK11_CreatePBEAlgorithmID. */
1.773 +SECAlgorithmID *
1.774 +PK11_CreatePBEV2AlgorithmID(SECOidTag pbeAlgTag, SECOidTag cipherAlgTag,
1.775 + SECOidTag prfAlgTag, int keyLength, int iteration,
1.776 + SECItem *salt);
1.777 +PK11SymKey *
1.778 +PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem,
1.779 + PRBool faulty3DES, void *wincx);
1.780 +
1.781 +/* warning: cannot work with PKCS 5 v2 use PK11_PBEKeyGen instead */
1.782 +PK11SymKey *
1.783 +PK11_RawPBEKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *params,
1.784 + SECItem *pwitem, PRBool faulty3DES, void *wincx);
1.785 +SECItem *
1.786 +PK11_GetPBEIV(SECAlgorithmID *algid, SECItem *pwitem);
1.787 +/*
1.788 + * Get the Mechanism and parameter of the base encryption or mac scheme from
1.789 + * a PBE algorithm ID.
1.790 + * Caller is responsible for freeing the return parameter (param).
1.791 + */
1.792 +CK_MECHANISM_TYPE
1.793 +PK11_GetPBECryptoMechanism(SECAlgorithmID *algid,
1.794 + SECItem **param, SECItem *pwd);
1.795 +
1.796 +/**********************************************************************
1.797 + * Functions to manage secmod flags
1.798 + **********************************************************************/
1.799 +const PK11DefaultArrayEntry *PK11_GetDefaultArray(int *size);
1.800 +SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *slot,
1.801 + const PK11DefaultArrayEntry *entry,
1.802 + PRBool add);
1.803 +
1.804 +/**********************************************************************
1.805 + * Functions to look at PKCS #11 dependent data
1.806 + **********************************************************************/
1.807 +PK11GenericObject *PK11_FindGenericObjects(PK11SlotInfo *slot,
1.808 + CK_OBJECT_CLASS objClass);
1.809 +PK11GenericObject *PK11_GetNextGenericObject(PK11GenericObject *object);
1.810 +PK11GenericObject *PK11_GetPrevGenericObject(PK11GenericObject *object);
1.811 +SECStatus PK11_UnlinkGenericObject(PK11GenericObject *object);
1.812 +SECStatus PK11_LinkGenericObject(PK11GenericObject *list,
1.813 + PK11GenericObject *object);
1.814 +SECStatus PK11_DestroyGenericObjects(PK11GenericObject *object);
1.815 +SECStatus PK11_DestroyGenericObject(PK11GenericObject *object);
1.816 +PK11GenericObject *PK11_CreateGenericObject(PK11SlotInfo *slot,
1.817 + const CK_ATTRIBUTE *pTemplate,
1.818 + int count, PRBool token);
1.819 +
1.820 +/*
1.821 + * PK11_ReadRawAttribute and PK11_WriteRawAttribute are generic
1.822 + * functions to read and modify the actual PKCS #11 attributes of
1.823 + * the underlying pkcs #11 object.
1.824 + *
1.825 + * object is a pointer to an NSS object that represents the underlying
1.826 + * PKCS #11 object. It's type must match the type of PK11ObjectType
1.827 + * as follows:
1.828 + *
1.829 + * type object
1.830 + * PK11_TypeGeneric PK11GenericObject *
1.831 + * PK11_TypePrivKey SECKEYPrivateKey *
1.832 + * PK11_TypePubKey SECKEYPublicKey *
1.833 + * PK11_TypeSymKey PK11SymKey *
1.834 + *
1.835 + * All other types are considered invalid. If type does not match the object
1.836 + * passed, unpredictable results will occur.
1.837 + *
1.838 + * PK11_ReadRawAttribute allocates the buffer for returning the attribute
1.839 + * value. The caller of PK11_ReadRawAttribute should free the data buffer
1.840 + * pointed to by item using a SECITEM_FreeItem(item, PR_FALSE) or
1.841 + * PORT_Free(item->data) call.
1.842 + */
1.843 +SECStatus PK11_ReadRawAttribute(PK11ObjectType type, void *object,
1.844 + CK_ATTRIBUTE_TYPE attr, SECItem *item);
1.845 +SECStatus PK11_WriteRawAttribute(PK11ObjectType type, void *object,
1.846 + CK_ATTRIBUTE_TYPE attr, SECItem *item);
1.847 +
1.848 +/*
1.849 + * PK11_GetAllSlotsForCert returns all the slots that a given certificate
1.850 + * exists on, since it's possible for a cert to exist on more than one
1.851 + * PKCS#11 token.
1.852 + */
1.853 +PK11SlotList *
1.854 +PK11_GetAllSlotsForCert(CERTCertificate *cert, void *arg);
1.855 +
1.856 +/**********************************************************************
1.857 + * New functions which are already deprecated....
1.858 + **********************************************************************/
1.859 +SECItem *
1.860 +PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot,
1.861 + CERTCertificate *cert, void *pwarg);
1.862 +SECItem *
1.863 +PK11_GetLowLevelKeyIDForPrivateKey(SECKEYPrivateKey *key);
1.864 +
1.865 +PRBool SECMOD_HasRootCerts(void);
1.866 +
1.867 +SEC_END_PROTOS
1.868 +
1.869 +#endif
