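--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/nss/lib/pk11wrap/secmodt.h Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,448 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#ifndef _SECMODT_H_
+#define _SECMODT_H_ 1
+
+#include "nssrwlkt.h"
+#include "nssilckt.h"
+#include "secoid.h"
+#include "secasn1.h"
+#include "pkcs11t.h"
+#include "utilmodt.h"
+
+SEC_BEGIN_PROTOS
+
+/* find a better home for these... */
+extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
+SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate)
+extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
+SEC_ASN1_CHOOSER_DECLARE(SECKEY_EncryptedPrivateKeyInfoTemplate)
+extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
+SEC_ASN1_CHOOSER_DECLARE(SECKEY_PrivateKeyInfoTemplate)
+extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
+SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToPrivateKeyInfoTemplate)
+
+SEC_END_PROTOS
+
+/* PKCS11 needs to be included */
+typedef struct SECMODModuleStr SECMODModule;
+typedef struct SECMODModuleListStr SECMODModuleList;
+typedef NSSRWLock SECMODListLock;
+typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */
+typedef struct NSSUTILPreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */
+typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */
+typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */
+typedef struct PK11SlotListStr PK11SlotList;
+typedef struct PK11SlotListElementStr PK11SlotListElement;
+typedef struct PK11RSAGenParamsStr PK11RSAGenParams;
+typedef unsigned long SECMODModuleID;
+typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry;
+typedef struct PK11GenericObjectStr PK11GenericObject;
+typedef void (*PK11FreeDataFunc)(void *);
+
+struct SECMODModuleStr {
+ PLArenaPool *arena;
+ PRBool internal; /* true of internally linked modules, false
+ * for the loaded modules */
+ PRBool loaded; /* Set to true if module has been loaded */
+ PRBool isFIPS; /* Set to true if module is finst internal */
+ char *dllName; /* name of the shared library which implements
+ * this module */
+ char *commonName; /* name of the module to display to the user */
+ void *library; /* pointer to the library. opaque. used only by
+ * pk11load.c */
+ void *functionList; /* The PKCS #11 function table */
+ PZLock *refLock; /* only used pk11db.c */
+ int refCount; /* Module reference count */
+ PK11SlotInfo **slots; /* array of slot points attached to this mod*/
+ int slotCount; /* count of slot in above array */
+ PK11PreSlotInfo *slotInfo; /* special info about slots default settings */
+ int slotInfoCount; /* count */
+ SECMODModuleID moduleID; /* ID so we can find this module again */
+ PRBool isThreadSafe;
+ unsigned long ssl[2]; /* SSL cipher enable flags */
+ char *libraryParams; /* Module specific parameters */
+ void *moduleDBFunc; /* function to return module configuration data*/
+ SECMODModule *parent; /* module that loaded us */
+ PRBool isCritical; /* This module must load successfully */
+ PRBool isModuleDB; /* this module has lists of PKCS #11 modules */
+ PRBool moduleDBOnly; /* this module only has lists of PKCS #11 modules */
+ int trustOrder; /* order for this module's certificate trust rollup */
+ int cipherOrder; /* order for cipher operations */
+ unsigned long evControlMask; /* control the running and shutdown of slot
+ * events (SECMOD_WaitForAnyTokenEvent) */
+ CK_VERSION cryptokiVersion; /* version of this library */
+};
+
+/* evControlMask flags */
+/*
+ * These bits tell the current state of a SECMOD_WaitForAnyTokenEvent.
+ *
+ * SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in
+ * C_WaitForSlotEvent().
+ * SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code
+ * which polls for token insertion and removal events.
+ * SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is
+ * waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent
+ * should return immediately to it's caller.
+ */
+#define SECMOD_END_WAIT 0x01
+#define SECMOD_WAIT_SIMULATED_EVENT 0x02
+#define SECMOD_WAIT_PKCS11_EVENT 0x04
+
+struct SECMODModuleListStr {
+ SECMODModuleList *next;
+ SECMODModule *module;
+};
+
+struct PK11SlotListStr {
+ PK11SlotListElement *head;
+ PK11SlotListElement *tail;
+ PZLock *lock;
+};
+
+struct PK11SlotListElementStr {
+ PK11SlotListElement *next;
+ PK11SlotListElement *prev;
+ PK11SlotInfo *slot;
+ int refCount;
+};
+
+struct PK11RSAGenParamsStr {
+ int keySizeInBits;
+ unsigned long pe;
+};
+
+typedef enum {
+ PK11CertListUnique = 0, /* get one instance of all certs */
+ PK11CertListUser = 1, /* get all instances of user certs */
+ PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key.
+ * deprecated. Use PK11CertListCAUnique
+ */
+ PK11CertListCA = 3, /* get all instances of CA certs */
+ PK11CertListCAUnique = 4, /* get one instance of CA certs */
+ PK11CertListUserUnique = 5, /* get one instance of user certs */
+ PK11CertListAll = 6 /* get all instances of all certs */
+} PK11CertListType;
+
+/*
+ * Entry into the array which lists all the legal bits for the default flags
+ * in the slot, their definition, and the PKCS #11 mechanism they represent.
+ * Always statically allocated.
+ */
+struct PK11DefaultArrayEntryStr {
+ const char *name;
+ unsigned long flag;
+ unsigned long mechanism; /* this is a long so we don't include the
+ * whole pkcs 11 world to use this header */
+};
+
+/*
+ * PK11AttrFlags
+ *
+ * A 32-bit bitmask of PK11_ATTR_XXX flags
+ */
+typedef PRUint32 PK11AttrFlags;
+
+/*
+ * PK11_ATTR_XXX
+ *
+ * The following PK11_ATTR_XXX bitflags are used to specify
+ * PKCS #11 object attributes that have Boolean values. Some NSS
+ * functions have a "PK11AttrFlags attrFlags" parameter whose value
+ * is the logical OR of these bitflags. NSS use these bitflags on
+ * private keys or secret keys. Some of these bitflags also apply
+ * to the public keys associated with the private keys.
+ *
+ * For each PKCS #11 object attribute, we need two bitflags to
+ * specify not only "true" and "false" but also "default". For
+ * example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the
+ * CKA_PRIVATE attribute. If PK11_ATTR_PRIVATE is set, we add
+ * { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) }
+ * to the template. If PK11_ATTR_PUBLIC is set, we add
+ * { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) }
+ * to the template. If neither flag is set, we don't add any
+ * CKA_PRIVATE entry to the template.
+ */
+
+/*
+ * Attributes for PKCS #11 storage objects, which include not only
+ * keys but also certificates and domain parameters.
+ */
+
+/*
+ * PK11_ATTR_TOKEN
+ * PK11_ATTR_SESSION
+ *
+ * These two flags determine whether the object is a token or
+ * session object.
+ *
+ * These two flags are related and cannot both be set.
+ * If the PK11_ATTR_TOKEN flag is set, the object is a token
+ * object. If the PK11_ATTR_SESSION flag is set, the object is
+ * a session object. If neither flag is set, the object is *by
+ * default* a session object.
+ *
+ * These two flags specify the value of the PKCS #11 CKA_TOKEN
+ * attribute.
+ */
+#define PK11_ATTR_TOKEN 0x00000001L
+#define PK11_ATTR_SESSION 0x00000002L
+
+/*
+ * PK11_ATTR_PRIVATE
+ * PK11_ATTR_PUBLIC
+ *
+ * These two flags determine whether the object is a private or
+ * public object. A user may not access a private object until the
+ * user has authenticated to the token.
+ *
+ * These two flags are related and cannot both be set.
+ * If the PK11_ATTR_PRIVATE flag is set, the object is a private
+ * object. If the PK11_ATTR_PUBLIC flag is set, the object is a
+ * public object. If neither flag is set, it is token-specific
+ * whether the object is private or public.
+ *
+ * These two flags specify the value of the PKCS #11 CKA_PRIVATE
+ * attribute. NSS only uses this attribute on private and secret
+ * keys, so public keys created by NSS get the token-specific
+ * default value of the CKA_PRIVATE attribute.
+ */
+#define PK11_ATTR_PRIVATE 0x00000004L
+#define PK11_ATTR_PUBLIC 0x00000008L
+
+/*
+ * PK11_ATTR_MODIFIABLE
+ * PK11_ATTR_UNMODIFIABLE
+ *
+ * These two flags determine whether the object is modifiable or
+ * read-only.
+ *
+ * These two flags are related and cannot both be set.
+ * If the PK11_ATTR_MODIFIABLE flag is set, the object can be
+ * modified. If the PK11_ATTR_UNMODIFIABLE flag is set, the object
+ * is read-only. If neither flag is set, the object is *by default*
+ * modifiable.
+ *
+ * These two flags specify the value of the PKCS #11 CKA_MODIFIABLE
+ * attribute.
+ */
+#define PK11_ATTR_MODIFIABLE 0x00000010L
+#define PK11_ATTR_UNMODIFIABLE 0x00000020L
+
+/* Attributes for PKCS #11 key objects. */
+
+/*
+ * PK11_ATTR_SENSITIVE
+ * PK11_ATTR_INSENSITIVE
+ *
+ * These two flags are related and cannot both be set.
+ * If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive.
+ * If the PK11_ATTR_INSENSITIVE flag is set, the key is not
+ * sensitive. If neither flag is set, it is token-specific whether
+ * the key is sensitive or not.
+ *
+ * If a key is sensitive, certain attributes of the key cannot be
+ * revealed in plaintext outside the token.
+ *
+ * This flag specifies the value of the PKCS #11 CKA_SENSITIVE
+ * attribute. Although the default value of the CKA_SENSITIVE
+ * attribute for secret keys is CK_FALSE per PKCS #11, some FIPS
+ * tokens set the default value to CK_TRUE because only CK_TRUE
+ * is allowed. So in practice the default value of this attribute
+ * is token-specific, hence the need for two bitflags.
+ */
+#define PK11_ATTR_SENSITIVE 0x00000040L
+#define PK11_ATTR_INSENSITIVE 0x00000080L
+
+/*
+ * PK11_ATTR_EXTRACTABLE
+ * PK11_ATTR_UNEXTRACTABLE
+ *
+ * These two flags are related and cannot both be set.
+ * If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable
+ * and can be wrapped. If the PK11_ATTR_UNEXTRACTABLE flag is set,
+ * the key is not extractable, and certain attributes of the key
+ * cannot be revealed in plaintext outside the token (just like a
+ * sensitive key). If neither flag is set, it is token-specific
+ * whether the key is extractable or not.
+ *
+ * These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE
+ * attribute.
+ */
+#define PK11_ATTR_EXTRACTABLE 0x00000100L
+#define PK11_ATTR_UNEXTRACTABLE 0x00000200L
+
+/* Cryptographic module types */
+#define SECMOD_EXTERNAL 0 /* external module */
+#define SECMOD_INTERNAL 1 /* internal default module */
+#define SECMOD_FIPS 2 /* internal fips module */
+
+/* default module configuration strings */
+#define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]"
+
+#define SECMOD_MAKE_NSS_FLAGS(fips,slot) \
+"Flags=internal,critical" fips " slotparams=(" #slot "={" SECMOD_SLOT_FLAGS "})"
+
+#define SECMOD_INT_NAME "NSS Internal PKCS #11 Module"
+#define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("",1)
+#define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
+#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips",3)
+
+/*
+ * What is the origin of a given Key. Normally this doesn't matter, but
+ * the fortezza code needs to know if it needs to invoke the SSL3 fortezza
+ * hack.
+ */
+typedef enum {
+ PK11_OriginNULL = 0, /* There is not key, it's a null SymKey */
+ PK11_OriginDerive = 1, /* Key was derived from some other key */
+ PK11_OriginGenerated = 2, /* Key was generated (also PBE keys) */
+ PK11_OriginFortezzaHack = 3,/* Key was marked for fortezza hack */
+ PK11_OriginUnwrap = 4 /* Key was unwrapped or decrypted */
+} PK11Origin;
+
+/* PKCS #11 disable reasons */
+typedef enum {
+ PK11_DIS_NONE = 0,
+ PK11_DIS_USER_SELECTED = 1,
+ PK11_DIS_COULD_NOT_INIT_TOKEN = 2,
+ PK11_DIS_TOKEN_VERIFY_FAILED = 3,
+ PK11_DIS_TOKEN_NOT_PRESENT = 4
+} PK11DisableReasons;
+
+/* types of PKCS #11 objects
+ * used to identify which NSS data structure is
+ * passed to the PK11_Raw* functions. Types map as follows:
+ * PK11_TypeGeneric PK11GenericObject *
+ * PK11_TypePrivKey SECKEYPrivateKey *
+ * PK11_TypePubKey SECKEYPublicKey *
+ * PK11_TypeSymKey PK11SymKey *
+ * PK11_TypeCert CERTCertificate * (currently not used).
+ */
+typedef enum {
+ PK11_TypeGeneric = 0,
+ PK11_TypePrivKey = 1,
+ PK11_TypePubKey = 2,
+ PK11_TypeCert = 3,
+ PK11_TypeSymKey = 4
+} PK11ObjectType;
+
+
+
+/* function pointer type for password callback function.
+ * This type is passed in to PK11_SetPasswordFunc()
+ */
+typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg);
+typedef PRBool (PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg);
+typedef PRBool (PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg);
+
+/*
+ * Special strings the password callback function can return only if
+ * the slot is an protected auth path slot.
+ */
+#define PK11_PW_RETRY "RETRY" /* an failed attempt to authenticate
+ * has already been made, just retry
+ * the operation */
+#define PK11_PW_AUTHENTICATED "AUTH" /* a successful attempt to authenticate
+ * has completed. Continue without
+ * another call to C_Login */
+/* All other non-null values mean that that NSS could call C_Login to force
+ * the authentication. The following define is to aid applications in
+ * documenting that is what it's trying to do */
+#define PK11_PW_TRY "TRY" /* Default: a prompt has been presented
+ * to the user, initiate a C_Login
+ * to authenticate the token */
+
+/*
+ * PKCS #11 key structures
+ */
+
+/*
+** Attributes
+*/
+struct SECKEYAttributeStr {
+ SECItem attrType;
+ SECItem **attrValue;
+};
+typedef struct SECKEYAttributeStr SECKEYAttribute;
+
+/*
+** A PKCS#8 private key info object
+*/
+struct SECKEYPrivateKeyInfoStr {
+ PLArenaPool *arena;
+ SECItem version;
+ SECAlgorithmID algorithm;
+ SECItem privateKey;
+ SECKEYAttribute **attributes;
+};
+typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo;
+
+/*
+** A PKCS#8 private key info object
+*/
+struct SECKEYEncryptedPrivateKeyInfoStr {
+ PLArenaPool *arena;
+ SECAlgorithmID algorithm;
+ SECItem encryptedData;
+};
+typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo;
+
+/*
+ * token removal detection
+ */
+typedef enum {
+ PK11TokenNotRemovable = 0,
+ PK11TokenPresent = 1,
+ PK11TokenChanged = 2,
+ PK11TokenRemoved = 3
+} PK11TokenStatus;
+
+typedef enum {
+ PK11TokenRemovedOrChangedEvent = 0,
+ PK11TokenPresentEvent = 1
+} PK11TokenEvent;
+
+/*
+ * CRL Import Flags
+ */
+#define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000
+#define CRL_IMPORT_BYPASS_CHECKS 0x00000001
+
+
+/*
+ * Merge Error Log
+ */
+typedef struct PK11MergeLogStr PK11MergeLog;
+typedef struct PK11MergeLogNodeStr PK11MergeLogNode;
+
+/* These need to be global, leave some open fields so we can 'expand'
+ * these without breaking binary compatibility */
+struct PK11MergeLogNodeStr {
+ PK11MergeLogNode *next; /* next entry in the list */
+ PK11MergeLogNode *prev; /* last entry in the list */
+ PK11GenericObject *object; /* object that failed */
+ int error; /* what the error was */
+ CK_RV reserved1;
+ unsigned long reserved2; /* future flags */
+ unsigned long reserved3; /* future scalar */
+ void *reserved4; /* future pointer */
+ void *reserved5; /* future expansion pointer */
+};
+
+struct PK11MergeLogStr {
+ PK11MergeLogNode *head;
+ PK11MergeLogNode *tail;
+ PLArenaPool *arena;
+ int version;
+ unsigned long reserved1;
+ unsigned long reserved2;
+ unsigned long reserved3;
+ void *reserverd4;
+ void *reserverd5;
+};
+
+
+#endif /*_SECMODT_H_ */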
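Review bot: The comment on the `PK11PasswordFunc` typedef does not document ownership of the returned `char *`, which carries a token password: it says only that the type is passed to `PK11_SetPasswordFunc()`, so an implementer cannot tell from this header which allocator the buffer must come from, who frees it, or whether it is cleared before release. I would add a line to that comment along the lines of `* The returned string must be allocated with <allocator; confirm> and is freed by <NSS or caller; confirm>.`, filled in from the code that invokes the callback. Two smaller documentation gaps in the same file: the comment above `struct SECKEYEncryptedPrivateKeyInfoStr` repeats `A PKCS#8 private key info object` and should read `A PKCS#8 encrypted private key info object`, and `CRL_IMPORT_BYPASS_CHECKS` has no comment saying which checks are skipped, which a caller needs to know before setting it on an import path.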