security/nss/lib/util/pkcs11n.h

changeset 0
6474c204b198
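--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/nss/lib/util/pkcs11n.h	Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,466 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _PKCS11N_H_
+#define _PKCS11N_H_
+
+/*
+ * pkcs11n.h
+ *
+ * This file contains the NSS-specific type definitions for Cryptoki
+ * (PKCS#11).
+ */
+
+/*
+ * NSSCK_VENDOR_NSS
+ *
+ * Cryptoki reserves the high half of all the number spaces for
+ * vendor-defined use.  I'd like to keep all of our NSS-
+ * specific values together, but not in the oh-so-obvious
+ * 0x80000001, 0x80000002, etc. area.  So I've picked an offset,
+ * and constructed values for the beginnings of our spaces.
+ *
+ * Note that some "historical" Netscape values don't fall within
+ * this range.
+ */
+#define NSSCK_VENDOR_NSS 0x4E534350 /* NSCP */
+
+/*
+ * NSS-defined object classes
+ * 
+ */
+#define CKO_NSS (CKO_VENDOR_DEFINED|NSSCK_VENDOR_NSS)
+
+#define CKO_NSS_CRL                (CKO_NSS + 1)
+#define CKO_NSS_SMIME              (CKO_NSS + 2)
+#define CKO_NSS_TRUST              (CKO_NSS + 3)
+#define CKO_NSS_BUILTIN_ROOT_LIST  (CKO_NSS + 4)
+#define CKO_NSS_NEWSLOT            (CKO_NSS + 5)
+#define CKO_NSS_DELSLOT            (CKO_NSS + 6)
+
+
+/*
+ * NSS-defined key types
+ *
+ */
+#define CKK_NSS (CKK_VENDOR_DEFINED|NSSCK_VENDOR_NSS)
+
+#define CKK_NSS_PKCS8              (CKK_NSS + 1)
+
+#define CKK_NSS_JPAKE_ROUND1       (CKK_NSS + 2)
+#define CKK_NSS_JPAKE_ROUND2       (CKK_NSS + 3)
+
+/*
+ * NSS-defined certificate types
+ *
+ */
+#define CKC_NSS (CKC_VENDOR_DEFINED|NSSCK_VENDOR_NSS)
+
+/* FAKE PKCS #11 defines */
+#define CKA_DIGEST            0x81000000L
+#define CKA_FLAGS_ONLY        0 /* CKA_CLASS */
+
+/*
+ * NSS-defined object attributes
+ *
+ */
+#define CKA_NSS (CKA_VENDOR_DEFINED|NSSCK_VENDOR_NSS)
+
+#define CKA_NSS_URL                (CKA_NSS +  1)
+#define CKA_NSS_EMAIL              (CKA_NSS +  2)
+#define CKA_NSS_SMIME_INFO         (CKA_NSS +  3)
+#define CKA_NSS_SMIME_TIMESTAMP    (CKA_NSS +  4)
+#define CKA_NSS_PKCS8_SALT         (CKA_NSS +  5)
+#define CKA_NSS_PASSWORD_CHECK     (CKA_NSS +  6)
+#define CKA_NSS_EXPIRES            (CKA_NSS +  7)
+#define CKA_NSS_KRL                (CKA_NSS +  8)
+
+#define CKA_NSS_PQG_COUNTER        (CKA_NSS +  20)
+#define CKA_NSS_PQG_SEED           (CKA_NSS +  21)
+#define CKA_NSS_PQG_H              (CKA_NSS +  22)
+#define CKA_NSS_PQG_SEED_BITS      (CKA_NSS +  23)
+#define CKA_NSS_MODULE_SPEC        (CKA_NSS +  24)
+#define CKA_NSS_OVERRIDE_EXTENSIONS (CKA_NSS +  25)
+
+#define CKA_NSS_JPAKE_SIGNERID     (CKA_NSS +  26)
+#define CKA_NSS_JPAKE_PEERID       (CKA_NSS +  27)
+#define CKA_NSS_JPAKE_GX1          (CKA_NSS +  28)
+#define CKA_NSS_JPAKE_GX2          (CKA_NSS +  29)
+#define CKA_NSS_JPAKE_GX3          (CKA_NSS +  30)
+#define CKA_NSS_JPAKE_GX4          (CKA_NSS +  31)
+#define CKA_NSS_JPAKE_X2           (CKA_NSS +  32)
+#define CKA_NSS_JPAKE_X2S          (CKA_NSS +  33)
+
+/*
+ * Trust attributes:
+ *
+ * If trust goes standard, these probably will too.  So I'll
+ * put them all in one place.
+ */
+
+#define CKA_TRUST (CKA_NSS + 0x2000)
+
+/* "Usage" key information */
+#define CKA_TRUST_DIGITAL_SIGNATURE     (CKA_TRUST +  1)
+#define CKA_TRUST_NON_REPUDIATION       (CKA_TRUST +  2)
+#define CKA_TRUST_KEY_ENCIPHERMENT      (CKA_TRUST +  3)
+#define CKA_TRUST_DATA_ENCIPHERMENT     (CKA_TRUST +  4)
+#define CKA_TRUST_KEY_AGREEMENT         (CKA_TRUST +  5)
+#define CKA_TRUST_KEY_CERT_SIGN         (CKA_TRUST +  6)
+#define CKA_TRUST_CRL_SIGN              (CKA_TRUST +  7)
+
+/* "Purpose" trust information */
+#define CKA_TRUST_SERVER_AUTH           (CKA_TRUST +  8)
+#define CKA_TRUST_CLIENT_AUTH           (CKA_TRUST +  9)
+#define CKA_TRUST_CODE_SIGNING          (CKA_TRUST + 10)
+#define CKA_TRUST_EMAIL_PROTECTION      (CKA_TRUST + 11)
+#define CKA_TRUST_IPSEC_END_SYSTEM      (CKA_TRUST + 12)
+#define CKA_TRUST_IPSEC_TUNNEL          (CKA_TRUST + 13)
+#define CKA_TRUST_IPSEC_USER            (CKA_TRUST + 14)
+#define CKA_TRUST_TIME_STAMPING         (CKA_TRUST + 15)
+#define CKA_TRUST_STEP_UP_APPROVED      (CKA_TRUST + 16)
+
+#define CKA_CERT_SHA1_HASH	        (CKA_TRUST + 100)
+#define CKA_CERT_MD5_HASH		(CKA_TRUST + 101)
+
+/* NSS trust stuff */
+
+/* HISTORICAL: define used to pass in the database key for DSA private keys */
+#define CKA_NETSCAPE_DB                 0xD5A0DB00L
+#define CKA_NETSCAPE_TRUST              0x80000001L
+
+/* FAKE PKCS #11 defines */
+#define CKM_FAKE_RANDOM       0x80000efeUL
+#define CKM_INVALID_MECHANISM 0xffffffffUL
+
+/*
+ * NSS-defined crypto mechanisms
+ *
+ */
+#define CKM_NSS (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NSS)
+
+#define CKM_NSS_AES_KEY_WRAP      (CKM_NSS + 1)
+#define CKM_NSS_AES_KEY_WRAP_PAD  (CKM_NSS + 2)
+
+/* HKDF key derivation mechanisms. See CK_NSS_HKDFParams for documentation. */
+#define CKM_NSS_HKDF_SHA1         (CKM_NSS + 3)
+#define CKM_NSS_HKDF_SHA256       (CKM_NSS + 4)
+#define CKM_NSS_HKDF_SHA384       (CKM_NSS + 5)
+#define CKM_NSS_HKDF_SHA512       (CKM_NSS + 6)
+
+/* J-PAKE round 1 key generation mechanisms.
+ *
+ * Required template attributes: CKA_PRIME, CKA_SUBPRIME, CKA_BASE,
+ *                               CKA_NSS_JPAKE_SIGNERID
+ * Output key type: CKK_NSS_JPAKE_ROUND1
+ * Output key class: CKO_PRIVATE_KEY
+ * Parameter type: CK_NSS_JPAKERound1Params
+ *
+ */
+#define CKM_NSS_JPAKE_ROUND1_SHA1   (CKM_NSS + 7)
+#define CKM_NSS_JPAKE_ROUND1_SHA256 (CKM_NSS + 8)
+#define CKM_NSS_JPAKE_ROUND1_SHA384 (CKM_NSS + 9)
+#define CKM_NSS_JPAKE_ROUND1_SHA512 (CKM_NSS + 10)
+
+/* J-PAKE round 2 key derivation mechanisms.
+ * 
+ * Required template attributes: CKA_NSS_JPAKE_PEERID
+ * Input key type:  CKK_NSS_JPAKE_ROUND1
+ * Output key type: CKK_NSS_JPAKE_ROUND2
+ * Output key class: CKO_PRIVATE_KEY
+ * Parameter type: CK_NSS_JPAKERound2Params
+ */
+#define CKM_NSS_JPAKE_ROUND2_SHA1   (CKM_NSS + 11)
+#define CKM_NSS_JPAKE_ROUND2_SHA256 (CKM_NSS + 12)
+#define CKM_NSS_JPAKE_ROUND2_SHA384 (CKM_NSS + 13)
+#define CKM_NSS_JPAKE_ROUND2_SHA512 (CKM_NSS + 14)
+
+/* J-PAKE final key material derivation mechanisms 
+ *
+ * Input key type:  CKK_NSS_JPAKE_ROUND2
+ * Output key type: CKK_GENERIC_SECRET
+ * Output key class: CKO_SECRET_KEY
+ * Parameter type: CK_NSS_JPAKEFinalParams
+ *
+ * You must apply a KDF (e.g. CKM_NSS_HKDF_*) to resultant keying material 
+ * to get a key with uniformly distributed bits.
+ */
+#define CKM_NSS_JPAKE_FINAL_SHA1    (CKM_NSS + 15)
+#define CKM_NSS_JPAKE_FINAL_SHA256  (CKM_NSS + 16)
+#define CKM_NSS_JPAKE_FINAL_SHA384  (CKM_NSS + 17)
+#define CKM_NSS_JPAKE_FINAL_SHA512  (CKM_NSS + 18)
+
+/* Constant-time MAC mechanisms:
+ *
+ * These operations verify a padded, MAC-then-encrypt block of data in
+ * constant-time. Because of the order of operations, the padding bytes are not
+ * protected by the MAC. However, disclosing the value of the padding bytes
+ * gives an attacker the ability to decrypt ciphertexts. Such disclosure can be
+ * as subtle as taking slightly less time to perform the MAC when the padding
+ * is one byte longer. See https://www.isg.rhul.ac.uk/tls/
+ *
+ * CKM_NSS_HMAC_CONSTANT_TIME: performs an HMAC authentication.
+ * CKM_NSS_SSL3_MAC_CONSTANT_TIME: performs an authentication with SSLv3 MAC.
+ *
+ * Parameter type: CK_NSS_MAC_CONSTANT_TIME_PARAMS
+ */
+#define CKM_NSS_HMAC_CONSTANT_TIME      (CKM_NSS + 19)
+#define CKM_NSS_SSL3_MAC_CONSTANT_TIME  (CKM_NSS + 20)
+
+/* TLS 1.2 mechanisms */
+#define CKM_NSS_TLS_PRF_GENERAL_SHA256          (CKM_NSS + 21)
+#define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256    (CKM_NSS + 22)
+#define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256   (CKM_NSS + 23)
+#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
+
+/*
+ * HISTORICAL:
+ * Do not attempt to use these. They are only used by NETSCAPE's internal
+ * PKCS #11 interface. Most of these are place holders for other mechanism
+ * and will change in the future.
+ */
+#define CKM_NETSCAPE_PBE_SHA1_DES_CBC           0x80000002UL
+#define CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC    0x80000003UL
+#define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC    0x80000004UL
+#define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC   0x80000005UL
+#define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4        0x80000006UL
+#define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4       0x80000007UL
+#define CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC   0x80000008UL
+#define CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN      0x80000009UL
+#define CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN       0x8000000aUL
+#define CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN       0x8000000bUL
+
+#define CKM_TLS_PRF_GENERAL                     0x80000373UL
+
+typedef struct CK_NSS_JPAKEPublicValue {
+    CK_BYTE * pGX;
+    CK_ULONG ulGXLen;
+    CK_BYTE * pGV;
+    CK_ULONG ulGVLen;
+    CK_BYTE * pR;
+    CK_ULONG ulRLen;
+} CK_NSS_JPAKEPublicValue;
+
+typedef struct CK_NSS_JPAKERound1Params {
+    CK_NSS_JPAKEPublicValue gx1; /* out */
+    CK_NSS_JPAKEPublicValue gx2; /* out */
+} CK_NSS_JPAKERound1Params;
+
+typedef struct CK_NSS_JPAKERound2Params {
+    CK_BYTE * pSharedKey;        /* in */
+    CK_ULONG ulSharedKeyLen;     /* in */
+    CK_NSS_JPAKEPublicValue gx3; /* in */
+    CK_NSS_JPAKEPublicValue gx4; /* in */
+    CK_NSS_JPAKEPublicValue A;   /* out */
+} CK_NSS_JPAKERound2Params;
+
+typedef struct CK_NSS_JPAKEFinalParams {
+    CK_NSS_JPAKEPublicValue B; /* in */
+} CK_NSS_JPAKEFinalParams;
+
+/* macAlg: the MAC algorithm to use. This determines the hash function used in
+ *     the HMAC/SSLv3 MAC calculations.
+ * ulBodyTotalLen: the total length of the data, including padding bytes and
+ *     padding length.
+ * pHeader: points to a block of data that contains additional data to
+ *     authenticate. For TLS this includes the sequence number etc. For SSLv3,
+ *     this also includes the initial padding bytes.
+ *
+ * NOTE: the softoken's implementation of CKM_NSS_HMAC_CONSTANT_TIME and
+ * CKM_NSS_SSL3_MAC_CONSTANT_TIME requires that the sum of ulBodyTotalLen
+ * and ulHeaderLen be much smaller than 2^32 / 8 bytes because it uses an
+ * unsigned int variable to represent the length in bits. This should not
+ * be a problem because the SSL/TLS protocol limits the size of an SSL
+ * record to something considerably less than 2^32 bytes.
+ */
+typedef struct CK_NSS_MAC_CONSTANT_TIME_PARAMS {
+    CK_MECHANISM_TYPE macAlg;   /* in */
+    CK_ULONG ulBodyTotalLen;    /* in */
+    CK_BYTE * pHeader;          /* in */
+    CK_ULONG ulHeaderLen;       /* in */
+} CK_NSS_MAC_CONSTANT_TIME_PARAMS;
+
+/*
+ * NSS-defined return values
+ *
+ */
+#define CKR_NSS (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NSS)
+
+#define CKR_NSS_CERTDB_FAILED      (CKR_NSS + 1)
+#define CKR_NSS_KEYDB_FAILED       (CKR_NSS + 2)
+
+/* Mandatory parameter for the CKM_NSS_HKDF_* key deriviation mechanisms.
+   See RFC 5869.
+   
+    bExtract: If set, HKDF-Extract will be applied to the input key. If
+              the optional salt is given, it is used; otherwise, the salt is
+              set to a sequence of zeros equal in length to the HMAC output.
+              If bExpand is not set, then the key template given to
+              C_DeriveKey must indicate an output key size less than or equal
+              to the output size of the HMAC.
+
+    bExpand:  If set, HKDF-Expand will be applied to the input key (if
+              bExtract is not set) or to the result of HKDF-Extract (if
+              bExtract is set). Any info given in the optional pInfo field will
+              be included in the calculation.
+
+    The size of the output key must be specified in the template passed to
+    C_DeriveKey.
+*/
+typedef struct CK_NSS_HKDFParams {
+    CK_BBOOL bExtract;
+    CK_BYTE_PTR pSalt;
+    CK_ULONG ulSaltLen;
+    CK_BBOOL bExpand;
+    CK_BYTE_PTR pInfo;
+    CK_ULONG ulInfoLen;
+} CK_NSS_HKDFParams;
+
+/*
+ * Trust info
+ *
+ * This isn't part of the Cryptoki standard (yet), so I'm putting
+ * all the definitions here.  Some of this would move to nssckt.h
+ * if trust info were made part of the standard.  In view of this
+ * possibility, I'm putting my (NSS) values in the NSS
+ * vendor space, like everything else.
+ */
+
+typedef CK_ULONG          CK_TRUST;
+
+/* The following trust types are defined: */
+#define CKT_VENDOR_DEFINED     0x80000000
+
+#define CKT_NSS (CKT_VENDOR_DEFINED|NSSCK_VENDOR_NSS)
+
+/* If trust goes standard, these'll probably drop out of vendor space. */
+#define CKT_NSS_TRUSTED            (CKT_NSS + 1)
+#define CKT_NSS_TRUSTED_DELEGATOR  (CKT_NSS + 2)
+#define CKT_NSS_MUST_VERIFY_TRUST  (CKT_NSS + 3)
+#define CKT_NSS_NOT_TRUSTED        (CKT_NSS + 10)
+#define CKT_NSS_TRUST_UNKNOWN      (CKT_NSS + 5) /* default */
+
+/* 
+ * These may well remain NSS-specific; I'm only using them
+ * to cache resolution data.
+ */
+#define CKT_NSS_VALID_DELEGATOR    (CKT_NSS + 11)
+
+
+/*
+ * old definitions. They still exist, but the plain meaning of the
+ * labels have never been accurate to what was really implemented.
+ * The new labels correctly reflect what the values effectively mean.
+ */
+#if defined(__GNUC__) && (__GNUC__ > 3)
+/* make GCC warn when we use these #defines */
+/*
+ *  This is really painful because GCC doesn't allow us to mark random
+ *  #defines as deprecated. We can only mark the following:
+ *      functions, variables, and types.
+ *  const variables will create extra storage for everyone including this
+ *       header file, so it's undesirable.
+ *  functions could be inlined to prevent storage creation, but will fail
+ *       when constant values are expected (like switch statements).
+ *  enum types do not seem to pay attention to the deprecated attribute.
+ *
+ *  That leaves typedefs. We declare new types that we then deprecate, then
+ *  cast the resulting value to the deprecated type in the #define, thus
+ *  producting the warning when the #define is used.
+ */
+#if (__GNUC__  == 4) && (__GNUC_MINOR__ < 5)
+/* The mac doesn't like the friendlier deprecate messages. I'm assuming this
+ * is a gcc version issue rather than mac or ppc specific */
+typedef CK_TRUST __CKT_NSS_UNTRUSTED __attribute__((deprecated));
+typedef CK_TRUST __CKT_NSS_VALID __attribute__ ((deprecated));
+typedef CK_TRUST __CKT_NSS_MUST_VERIFY __attribute__((deprecated));
+#else
+/* when possible, get a full deprecation warning. This works on gcc 4.5
+ * it may work on earlier versions of gcc */
+typedef CK_TRUST __CKT_NSS_UNTRUSTED __attribute__((deprecated
+    ("CKT_NSS_UNTRUSTED really means CKT_NSS_MUST_VERIFY_TRUST")));
+typedef CK_TRUST __CKT_NSS_VALID __attribute__ ((deprecated
+    ("CKT_NSS_VALID really means CKT_NSS_NOT_TRUSTED")));
+typedef CK_TRUST __CKT_NSS_MUST_VERIFY __attribute__((deprecated
+    ("CKT_NSS_MUST_VERIFY really functions as CKT_NSS_TRUST_UNKNOWN")));
+#endif
+#define CKT_NSS_UNTRUSTED ((__CKT_NSS_UNTRUSTED)CKT_NSS_MUST_VERIFY_TRUST)
+#define CKT_NSS_VALID     ((__CKT_NSS_VALID) CKT_NSS_NOT_TRUSTED)
+/* keep the old value for compatibility reasons*/
+#define CKT_NSS_MUST_VERIFY ((__CKT_NSS_MUST_VERIFY)(CKT_NSS +4))
+#else
+#ifdef _WIN32
+/* This magic gets the windows compiler to give us a deprecation
+ * warning */
+#pragma deprecated(CKT_NSS_UNTRUSTED, CKT_NSS_MUST_VERIFY, CKT_NSS_VALID)
+#endif
+/* CKT_NSS_UNTRUSTED really means CKT_NSS_MUST_VERIFY_TRUST */
+#define CKT_NSS_UNTRUSTED          CKT_NSS_MUST_VERIFY_TRUST
+/* CKT_NSS_VALID really means CKT_NSS_NOT_TRUSTED */
+#define CKT_NSS_VALID              CKT_NSS_NOT_TRUSTED
+/* CKT_NSS_MUST_VERIFY was always treated as CKT_NSS_TRUST_UNKNOWN */
+#define CKT_NSS_MUST_VERIFY        (CKT_NSS + 4)  /*really means trust unknown*/
+#endif
+
+/* don't leave old programs in a lurch just yet, give them the old NETSCAPE
+ * synonym */
+#define CKO_NETSCAPE_CRL                CKO_NSS_CRL
+#define CKO_NETSCAPE_SMIME              CKO_NSS_SMIME
+#define CKO_NETSCAPE_TRUST              CKO_NSS_TRUST
+#define CKO_NETSCAPE_BUILTIN_ROOT_LIST  CKO_NSS_BUILTIN_ROOT_LIST
+#define CKO_NETSCAPE_NEWSLOT            CKO_NSS_NEWSLOT
+#define CKO_NETSCAPE_DELSLOT            CKO_NSS_DELSLOT
+#define CKK_NETSCAPE_PKCS8              CKK_NSS_PKCS8
+#define CKA_NETSCAPE_URL                CKA_NSS_URL
+#define CKA_NETSCAPE_EMAIL              CKA_NSS_EMAIL
+#define CKA_NETSCAPE_SMIME_INFO         CKA_NSS_SMIME_INFO
+#define CKA_NETSCAPE_SMIME_TIMESTAMP    CKA_NSS_SMIME_TIMESTAMP
+#define CKA_NETSCAPE_PKCS8_SALT         CKA_NSS_PKCS8_SALT
+#define CKA_NETSCAPE_PASSWORD_CHECK     CKA_NSS_PASSWORD_CHECK
+#define CKA_NETSCAPE_EXPIRES            CKA_NSS_EXPIRES
+#define CKA_NETSCAPE_KRL                CKA_NSS_KRL
+#define CKA_NETSCAPE_PQG_COUNTER        CKA_NSS_PQG_COUNTER
+#define CKA_NETSCAPE_PQG_SEED           CKA_NSS_PQG_SEED
+#define CKA_NETSCAPE_PQG_H              CKA_NSS_PQG_H
+#define CKA_NETSCAPE_PQG_SEED_BITS      CKA_NSS_PQG_SEED_BITS
+#define CKA_NETSCAPE_MODULE_SPEC        CKA_NSS_MODULE_SPEC
+#define CKM_NETSCAPE_AES_KEY_WRAP	CKM_NSS_AES_KEY_WRAP
+#define CKM_NETSCAPE_AES_KEY_WRAP_PAD	CKM_NSS_AES_KEY_WRAP_PAD
+#define CKR_NETSCAPE_CERTDB_FAILED      CKR_NSS_CERTDB_FAILED
+#define CKR_NETSCAPE_KEYDB_FAILED       CKR_NSS_KEYDB_FAILED
+
+#define CKT_NETSCAPE_TRUSTED            CKT_NSS_TRUSTED
+#define CKT_NETSCAPE_TRUSTED_DELEGATOR  CKT_NSS_TRUSTED_DELEGATOR
+#define CKT_NETSCAPE_UNTRUSTED          CKT_NSS_UNTRUSTED
+#define CKT_NETSCAPE_MUST_VERIFY        CKT_NSS_MUST_VERIFY
+#define CKT_NETSCAPE_TRUST_UNKNOWN      CKT_NSS_TRUST_UNKNOWN
+#define CKT_NETSCAPE_VALID              CKT_NSS_VALID
+#define CKT_NETSCAPE_VALID_DELEGATOR    CKT_NSS_VALID_DELEGATOR
+
+/*
+ * These are not really PKCS #11 values specifically. They are the 'loadable'
+ * module spec NSS uses. The are available for others to use as well, but not
+ * part of the formal PKCS #11 spec.
+ *
+ * The function 'FIND' returns an array of PKCS #11 initialization strings
+ * The function 'ADD' takes a PKCS #11 initialization string and stores it.
+ * The function 'DEL' takes a 'name= library=' value and deletes the associated
+ *  string.
+ * The function 'RELEASE' frees the array returned by 'FIND'
+ */
+#define SECMOD_MODULE_DB_FUNCTION_FIND  0
+#define SECMOD_MODULE_DB_FUNCTION_ADD   1
+#define SECMOD_MODULE_DB_FUNCTION_DEL   2
+#define SECMOD_MODULE_DB_FUNCTION_RELEASE 3 
+typedef char ** (PR_CALLBACK *SECMODModuleDBFunc)(unsigned long function,
+                                        char *parameters, void *moduleSpec);
+
+/* softoken slot ID's */
+#define SFTK_MIN_USER_SLOT_ID 4
+#define SFTK_MAX_USER_SLOT_ID 100
+#define SFTK_MIN_FIPS_USER_SLOT_ID 101
+#define SFTK_MAX_FIPS_USER_SLOT_ID 127
+
+
+#endif /* _PKCS11N_H_ */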
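Review bot: The return-value base `CKR_NSS` is built from the mechanism constant `CKM_VENDOR_DEFINED`, unlike every other base in this header, which uses the constant of its own number space (`CKO_`, `CKK_`, `CKC_`, `CKA_`, `CKM_`, `CKT_`). The standard PKCS #11 headers give both constants the same value, so the result should not change, but the line reads as a copy-paste slip and ties the error-code space to an unrelated definition; I would write `#define CKR_NSS (CKR_VENDOR_DEFINED|NSSCK_VENDOR_NSS)`. Separately, the comment on `CK_NSS_MAC_CONSTANT_TIME_PARAMS` records a precondition (`ulBodyTotalLen + ulHeaderLen` well below 2^32 / 8) that the struct itself cannot enforce, since both fields are `CK_ULONG`. The softoken implementation is outside this file, so it is worth confirming that it rejects oversized sums with an error rather than relying on SSL/TLS record limits, because a PKCS #11 caller is not bound by them.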
