1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 1.2 +++ b/security/nss/lib/util/secoid.c Wed Dec 31 06:09:35 2014 +0100 1.3 
@@ -0,0 +1,2197 @@ 1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public 1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this 1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 1.7 + 1.8 +#include "secoid.h" 1.9 +#include "pkcs11t.h" 1.10 +#include "secitem.h" 1.11 +#include "secerr.h" 1.12 +#include "prenv.h" 1.13 +#include "plhash.h" 1.14 +#include "nssrwlk.h" 1.15 +#include "nssutil.h" 1.16 + 1.17 +/* Library identity and versioning */ 1.18 + 1.19 +#if defined(DEBUG) 1.20 +#define _DEBUG_STRING " (debug)" 1.21 +#else 1.22 +#define _DEBUG_STRING "" 1.23 +#endif 1.24 + 1.25 +/* 1.26 + * Version information for the 'ident' and 'what commands 1.27 + * 1.28 + * NOTE: the first component of the concatenated rcsid string 1.29 + * must not end in a '$' to prevent rcs keyword substitution. 1.30 + */ 1.31 +const char __nss_util_rcsid[] = "$Header: NSS " NSSUTIL_VERSION _DEBUG_STRING 1.32 + " " __DATE__ " " __TIME__ " $"; 1.33 +const char __nss_util_sccsid[] = "@(#)NSS " NSSUTIL_VERSION _DEBUG_STRING 1.34 + " " __DATE__ " " __TIME__; 1.35 + 1.36 +/* MISSI Mosaic Object ID space */ 1.37 +/* USGov algorithm OID space: { 2 16 840 1 101 } */ 1.38 +#define USGOV 0x60, 0x86, 0x48, 0x01, 0x65 1.39 +#define MISSI USGOV, 0x02, 0x01, 0x01 1.40 +#define MISSI_OLD_KEA_DSS MISSI, 0x0c 1.41 +#define MISSI_OLD_DSS MISSI, 0x02 1.42 +#define MISSI_KEA_DSS MISSI, 0x14 1.43 +#define MISSI_DSS MISSI, 0x13 1.44 +#define MISSI_KEA MISSI, 0x0a 1.45 +#define MISSI_ALT_KEA MISSI, 0x16 1.46 + 1.47 +#define NISTALGS USGOV, 3, 4 1.48 +#define AES NISTALGS, 1 1.49 +#define SHAXXX NISTALGS, 2 1.50 +#define DSA2 NISTALGS, 3 1.51 + 1.52 +/** 1.53 + ** The Netscape OID space is allocated by Terry Hayes. If you need 1.54 + ** a piece of the space, contact him at thayes@netscape.com. 
1.55 + **/ 1.56 + 1.57 +/* Netscape Communications Corporation Object ID space */ 1.58 +/* { 2 16 840 1 113730 } */ 1.59 +#define NETSCAPE_OID 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42 1.60 +#define NETSCAPE_CERT_EXT NETSCAPE_OID, 0x01 1.61 +#define NETSCAPE_DATA_TYPE NETSCAPE_OID, 0x02 1.62 +/* netscape directory oid - owned by Mark Smith (mcs@netscape.com) */ 1.63 +#define NETSCAPE_DIRECTORY NETSCAPE_OID, 0x03 1.64 +#define NETSCAPE_POLICY NETSCAPE_OID, 0x04 1.65 +#define NETSCAPE_CERT_SERVER NETSCAPE_OID, 0x05 1.66 +#define NETSCAPE_ALGS NETSCAPE_OID, 0x06 /* algorithm OIDs */ 1.67 +#define NETSCAPE_NAME_COMPONENTS NETSCAPE_OID, 0x07 1.68 + 1.69 +#define NETSCAPE_CERT_EXT_AIA NETSCAPE_CERT_EXT, 0x10 1.70 +#define NETSCAPE_CERT_SERVER_CRMF NETSCAPE_CERT_SERVER, 0x01 1.71 + 1.72 +/* these are old and should go away soon */ 1.73 +#define OLD_NETSCAPE 0x60, 0x86, 0x48, 0xd8, 0x6a 1.74 +#define NS_CERT_EXT OLD_NETSCAPE, 0x01 1.75 +#define NS_FILE_TYPE OLD_NETSCAPE, 0x02 1.76 +#define NS_IMAGE_TYPE OLD_NETSCAPE, 0x03 1.77 + 1.78 +/* RSA OID name space */ 1.79 +#define RSADSI 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d 1.80 +#define PKCS RSADSI, 0x01 1.81 +#define DIGEST RSADSI, 0x02 1.82 +#define CIPHER RSADSI, 0x03 1.83 +#define PKCS1 PKCS, 0x01 1.84 +#define PKCS5 PKCS, 0x05 1.85 +#define PKCS7 PKCS, 0x07 1.86 +#define PKCS9 PKCS, 0x09 1.87 +#define PKCS12 PKCS, 0x0c 1.88 + 1.89 +/* Other OID name spaces */ 1.90 +#define ALGORITHM 0x2b, 0x0e, 0x03, 0x02 1.91 +#define X500 0x55 1.92 +#define X520_ATTRIBUTE_TYPE X500, 0x04 1.93 +#define X500_ALG X500, 0x08 1.94 +#define X500_ALG_ENCRYPTION X500_ALG, 0x01 1.95 + 1.96 +/** X.509 v3 Extension OID 1.97 + ** {joint-iso-ccitt (2) ds(5) 29} 1.98 + **/ 1.99 +#define ID_CE_OID X500, 0x1d 1.100 + 1.101 +#define RFC1274_ATTR_TYPE 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x1 1.102 +/* #define RFC2247_ATTR_TYPE 0x09, 0x92, 0x26, 0xf5, 0x98, 0x1e, 0x64, 0x1 this is WRONG! 
*/ 1.103 + 1.104 +/* PKCS #12 name spaces */ 1.105 +#define PKCS12_MODE_IDS PKCS12, 0x01 1.106 +#define PKCS12_ESPVK_IDS PKCS12, 0x02 1.107 +#define PKCS12_BAG_IDS PKCS12, 0x03 1.108 +#define PKCS12_CERT_BAG_IDS PKCS12, 0x04 1.109 +#define PKCS12_OIDS PKCS12, 0x05 1.110 +#define PKCS12_PBE_IDS PKCS12_OIDS, 0x01 1.111 +#define PKCS12_ENVELOPING_IDS PKCS12_OIDS, 0x02 1.112 +#define PKCS12_SIGNATURE_IDS PKCS12_OIDS, 0x03 1.113 +#define PKCS12_V2_PBE_IDS PKCS12, 0x01 1.114 +#define PKCS9_CERT_TYPES PKCS9, 0x16 1.115 +#define PKCS9_CRL_TYPES PKCS9, 0x17 1.116 +#define PKCS9_SMIME_IDS PKCS9, 0x10 1.117 +#define PKCS9_SMIME_ATTRS PKCS9_SMIME_IDS, 2 1.118 +#define PKCS9_SMIME_ALGS PKCS9_SMIME_IDS, 3 1.119 +#define PKCS12_VERSION1 PKCS12, 0x0a 1.120 +#define PKCS12_V1_BAG_IDS PKCS12_VERSION1, 1 1.121 + 1.122 +/* for DSA algorithm */ 1.123 +/* { iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) } */ 1.124 +#define ANSI_X9_ALGORITHM 0x2a, 0x86, 0x48, 0xce, 0x38, 0x4 1.125 + 1.126 +/* for DH algorithm */ 1.127 +/* { iso(1) member-body(2) us(840) x9-57(10046) number-type(2) } */ 1.128 +/* need real OID person to look at this, copied the above line 1.129 + * and added 6 to second to last value (and changed '4' to '2' */ 1.130 +#define ANSI_X942_ALGORITHM 0x2a, 0x86, 0x48, 0xce, 0x3e, 0x2 1.131 + 1.132 +#define VERISIGN 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x45 1.133 + 1.134 +#define PKIX 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07 1.135 +#define PKIX_CERT_EXTENSIONS PKIX, 1 1.136 +#define PKIX_POLICY_QUALIFIERS PKIX, 2 1.137 +#define PKIX_KEY_USAGE PKIX, 3 1.138 +#define PKIX_ACCESS_DESCRIPTION PKIX, 0x30 1.139 +#define PKIX_OCSP PKIX_ACCESS_DESCRIPTION, 1 1.140 +#define PKIX_CA_ISSUERS PKIX_ACCESS_DESCRIPTION, 2 1.141 + 1.142 +#define PKIX_ID_PKIP PKIX, 5 1.143 +#define PKIX_ID_REGCTRL PKIX_ID_PKIP, 1 1.144 +#define PKIX_ID_REGINFO PKIX_ID_PKIP, 2 1.145 + 1.146 +/* Microsoft Object ID space */ 1.147 +/* { 1.3.6.1.4.1.311 } */ 1.148 +#define MICROSOFT_OID 0x2b, 0x6, 0x1, 0x4, 0x1, 
0x82, 0x37 1.149 +#define EV_NAME_ATTRIBUTE MICROSOFT_OID, 60, 2, 1 1.150 + 1.151 +/* Microsoft Crypto 2.0 ID space */ 1.152 +/* { 1.3.6.1.4.1.311.10 } */ 1.153 +#define MS_CRYPTO_20 MICROSOFT_OID, 10 1.154 +/* Microsoft Crypto 2.0 Extended Key Usage ID space */ 1.155 +/* { 1.3.6.1.4.1.311.10.3 } */ 1.156 +#define MS_CRYPTO_EKU MS_CRYPTO_20, 3 1.157 + 1.158 +#define CERTICOM_OID 0x2b, 0x81, 0x04 1.159 +#define SECG_OID CERTICOM_OID, 0x00 1.160 + 1.161 +#define ANSI_X962_OID 0x2a, 0x86, 0x48, 0xce, 0x3d 1.162 +#define ANSI_X962_CURVE_OID ANSI_X962_OID, 0x03 1.163 +#define ANSI_X962_GF2m_OID ANSI_X962_CURVE_OID, 0x00 1.164 +#define ANSI_X962_GFp_OID ANSI_X962_CURVE_OID, 0x01 1.165 +#define ANSI_X962_SIGNATURE_OID ANSI_X962_OID, 0x04 1.166 +#define ANSI_X962_SPECIFY_OID ANSI_X962_SIGNATURE_OID, 0x03 1.167 + 1.168 +/* for Camellia: iso(1) member-body(2) jisc(392) 1.169 + * mitsubishi(200011) isl(61) security(1) algorithm(1) 1.170 + */ 1.171 +#define MITSUBISHI_ALG 0x2a,0x83,0x08,0x8c,0x9a,0x4b,0x3d,0x01,0x01 1.172 +#define CAMELLIA_ENCRYPT_OID MITSUBISHI_ALG,1 1.173 +#define CAMELLIA_WRAP_OID MITSUBISHI_ALG,3 1.174 + 1.175 +/* for SEED : iso(1) member-body(2) korea(410) 1.176 + * kisa(200004) algorithm(1) 1.177 + */ 1.178 +#define SEED_OID 0x2a,0x83,0x1a,0x8c,0x9a,0x44,0x01 1.179 + 1.180 +#define CONST_OID static const unsigned char 1.181 + 1.182 +CONST_OID md2[] = { DIGEST, 0x02 }; 1.183 +CONST_OID md4[] = { DIGEST, 0x04 }; 1.184 +CONST_OID md5[] = { DIGEST, 0x05 }; 1.185 +CONST_OID hmac_sha1[] = { DIGEST, 7 }; 1.186 +CONST_OID hmac_sha224[] = { DIGEST, 8 }; 1.187 +CONST_OID hmac_sha256[] = { DIGEST, 9 }; 1.188 +CONST_OID hmac_sha384[] = { DIGEST, 10 }; 1.189 +CONST_OID hmac_sha512[] = { DIGEST, 11 }; 1.190 + 1.191 +CONST_OID rc2cbc[] = { CIPHER, 0x02 }; 1.192 +CONST_OID rc4[] = { CIPHER, 0x04 }; 1.193 +CONST_OID desede3cbc[] = { CIPHER, 0x07 }; 1.194 +CONST_OID rc5cbcpad[] = { CIPHER, 0x09 }; 1.195 + 1.196 +CONST_OID desecb[] = { ALGORITHM, 0x06 }; 1.197 +CONST_OID 
descbc[] = { ALGORITHM, 0x07 }; 1.198 +CONST_OID desofb[] = { ALGORITHM, 0x08 }; 1.199 +CONST_OID descfb[] = { ALGORITHM, 0x09 }; 1.200 +CONST_OID desmac[] = { ALGORITHM, 0x0a }; 1.201 +CONST_OID sdn702DSASignature[] = { ALGORITHM, 0x0c }; 1.202 +CONST_OID isoSHAWithRSASignature[] = { ALGORITHM, 0x0f }; 1.203 +CONST_OID desede[] = { ALGORITHM, 0x11 }; 1.204 +CONST_OID sha1[] = { ALGORITHM, 0x1a }; 1.205 +CONST_OID bogusDSASignaturewithSHA1Digest[] = { ALGORITHM, 0x1b }; 1.206 +CONST_OID isoSHA1WithRSASignature[] = { ALGORITHM, 0x1d }; 1.207 + 1.208 +CONST_OID pkcs1RSAEncryption[] = { PKCS1, 0x01 }; 1.209 +CONST_OID pkcs1MD2WithRSAEncryption[] = { PKCS1, 0x02 }; 1.210 +CONST_OID pkcs1MD4WithRSAEncryption[] = { PKCS1, 0x03 }; 1.211 +CONST_OID pkcs1MD5WithRSAEncryption[] = { PKCS1, 0x04 }; 1.212 +CONST_OID pkcs1SHA1WithRSAEncryption[] = { PKCS1, 0x05 }; 1.213 +CONST_OID pkcs1RSAOAEPEncryption[] = { PKCS1, 0x07 }; 1.214 +CONST_OID pkcs1MGF1[] = { PKCS1, 0x08 }; 1.215 +CONST_OID pkcs1PSpecified[] = { PKCS1, 0x09 }; 1.216 +CONST_OID pkcs1RSAPSSSignature[] = { PKCS1, 10 }; 1.217 +CONST_OID pkcs1SHA256WithRSAEncryption[] = { PKCS1, 11 }; 1.218 +CONST_OID pkcs1SHA384WithRSAEncryption[] = { PKCS1, 12 }; 1.219 +CONST_OID pkcs1SHA512WithRSAEncryption[] = { PKCS1, 13 }; 1.220 +CONST_OID pkcs1SHA224WithRSAEncryption[] = { PKCS1, 14 }; 1.221 + 1.222 +CONST_OID pkcs5PbeWithMD2AndDEScbc[] = { PKCS5, 0x01 }; 1.223 +CONST_OID pkcs5PbeWithMD5AndDEScbc[] = { PKCS5, 0x03 }; 1.224 +CONST_OID pkcs5PbeWithSha1AndDEScbc[] = { PKCS5, 0x0a }; 1.225 +CONST_OID pkcs5Pbkdf2[] = { PKCS5, 12 }; 1.226 +CONST_OID pkcs5Pbes2[] = { PKCS5, 13 }; 1.227 +CONST_OID pkcs5Pbmac1[] = { PKCS5, 14 }; 1.228 + 1.229 +CONST_OID pkcs7[] = { PKCS7 }; 1.230 +CONST_OID pkcs7Data[] = { PKCS7, 0x01 }; 1.231 +CONST_OID pkcs7SignedData[] = { PKCS7, 0x02 }; 1.232 +CONST_OID pkcs7EnvelopedData[] = { PKCS7, 0x03 }; 1.233 +CONST_OID pkcs7SignedEnvelopedData[] = { PKCS7, 0x04 }; 1.234 +CONST_OID pkcs7DigestedData[] = { PKCS7, 
0x05 }; 1.235 +CONST_OID pkcs7EncryptedData[] = { PKCS7, 0x06 }; 1.236 + 1.237 +CONST_OID pkcs9EmailAddress[] = { PKCS9, 0x01 }; 1.238 +CONST_OID pkcs9UnstructuredName[] = { PKCS9, 0x02 }; 1.239 +CONST_OID pkcs9ContentType[] = { PKCS9, 0x03 }; 1.240 +CONST_OID pkcs9MessageDigest[] = { PKCS9, 0x04 }; 1.241 +CONST_OID pkcs9SigningTime[] = { PKCS9, 0x05 }; 1.242 +CONST_OID pkcs9CounterSignature[] = { PKCS9, 0x06 }; 1.243 +CONST_OID pkcs9ChallengePassword[] = { PKCS9, 0x07 }; 1.244 +CONST_OID pkcs9UnstructuredAddress[] = { PKCS9, 0x08 }; 1.245 +CONST_OID pkcs9ExtendedCertificateAttributes[] = { PKCS9, 0x09 }; 1.246 +CONST_OID pkcs9ExtensionRequest[] = { PKCS9, 14 }; 1.247 +CONST_OID pkcs9SMIMECapabilities[] = { PKCS9, 15 }; 1.248 +CONST_OID pkcs9FriendlyName[] = { PKCS9, 20 }; 1.249 +CONST_OID pkcs9LocalKeyID[] = { PKCS9, 21 }; 1.250 + 1.251 +CONST_OID pkcs9X509Certificate[] = { PKCS9_CERT_TYPES, 1 }; 1.252 +CONST_OID pkcs9SDSICertificate[] = { PKCS9_CERT_TYPES, 2 }; 1.253 +CONST_OID pkcs9X509CRL[] = { PKCS9_CRL_TYPES, 1 }; 1.254 + 1.255 +/* RFC2630 (CMS) OIDs */ 1.256 +CONST_OID cmsESDH[] = { PKCS9_SMIME_ALGS, 5 }; 1.257 +CONST_OID cms3DESwrap[] = { PKCS9_SMIME_ALGS, 6 }; 1.258 +CONST_OID cmsRC2wrap[] = { PKCS9_SMIME_ALGS, 7 }; 1.259 + 1.260 +/* RFC2633 SMIME message attributes */ 1.261 +CONST_OID smimeEncryptionKeyPreference[] = { PKCS9_SMIME_ATTRS, 11 }; 1.262 +CONST_OID ms_smimeEncryptionKeyPreference[] = { MICROSOFT_OID, 0x10, 0x4 }; 1.263 + 1.264 +CONST_OID x520CommonName[] = { X520_ATTRIBUTE_TYPE, 3 }; 1.265 +CONST_OID x520SurName[] = { X520_ATTRIBUTE_TYPE, 4 }; 1.266 +CONST_OID x520SerialNumber[] = { X520_ATTRIBUTE_TYPE, 5 }; 1.267 +CONST_OID x520CountryName[] = { X520_ATTRIBUTE_TYPE, 6 }; 1.268 +CONST_OID x520LocalityName[] = { X520_ATTRIBUTE_TYPE, 7 }; 1.269 +CONST_OID x520StateOrProvinceName[] = { X520_ATTRIBUTE_TYPE, 8 }; 1.270 +CONST_OID x520StreetAddress[] = { X520_ATTRIBUTE_TYPE, 9 }; 1.271 +CONST_OID x520OrgName[] = { X520_ATTRIBUTE_TYPE, 10 }; 1.272 
+CONST_OID x520OrgUnitName[] = { X520_ATTRIBUTE_TYPE, 11 }; 1.273 +CONST_OID x520Title[] = { X520_ATTRIBUTE_TYPE, 12 }; 1.274 +CONST_OID x520BusinessCategory[] = { X520_ATTRIBUTE_TYPE, 15 }; 1.275 +CONST_OID x520PostalAddress[] = { X520_ATTRIBUTE_TYPE, 16 }; 1.276 +CONST_OID x520PostalCode[] = { X520_ATTRIBUTE_TYPE, 17 }; 1.277 +CONST_OID x520PostOfficeBox[] = { X520_ATTRIBUTE_TYPE, 18 }; 1.278 +CONST_OID x520Name[] = { X520_ATTRIBUTE_TYPE, 41 }; 1.279 +CONST_OID x520GivenName[] = { X520_ATTRIBUTE_TYPE, 42 }; 1.280 +CONST_OID x520Initials[] = { X520_ATTRIBUTE_TYPE, 43 }; 1.281 +CONST_OID x520GenerationQualifier[] = { X520_ATTRIBUTE_TYPE, 44 }; 1.282 +CONST_OID x520DnQualifier[] = { X520_ATTRIBUTE_TYPE, 46 }; 1.283 +CONST_OID x520HouseIdentifier[] = { X520_ATTRIBUTE_TYPE, 51 }; 1.284 +CONST_OID x520Pseudonym[] = { X520_ATTRIBUTE_TYPE, 65 }; 1.285 + 1.286 +CONST_OID nsTypeGIF[] = { NETSCAPE_DATA_TYPE, 0x01 }; 1.287 +CONST_OID nsTypeJPEG[] = { NETSCAPE_DATA_TYPE, 0x02 }; 1.288 +CONST_OID nsTypeURL[] = { NETSCAPE_DATA_TYPE, 0x03 }; 1.289 +CONST_OID nsTypeHTML[] = { NETSCAPE_DATA_TYPE, 0x04 }; 1.290 +CONST_OID nsTypeCertSeq[] = { NETSCAPE_DATA_TYPE, 0x05 }; 1.291 + 1.292 +CONST_OID missiCertKEADSSOld[] = { MISSI_OLD_KEA_DSS }; 1.293 +CONST_OID missiCertDSSOld[] = { MISSI_OLD_DSS }; 1.294 +CONST_OID missiCertKEADSS[] = { MISSI_KEA_DSS }; 1.295 +CONST_OID missiCertDSS[] = { MISSI_DSS }; 1.296 +CONST_OID missiCertKEA[] = { MISSI_KEA }; 1.297 +CONST_OID missiCertAltKEA[] = { MISSI_ALT_KEA }; 1.298 +CONST_OID x500RSAEncryption[] = { X500_ALG_ENCRYPTION, 0x01 }; 1.299 + 1.300 +/* added for alg 1485 */ 1.301 +CONST_OID rfc1274Uid[] = { RFC1274_ATTR_TYPE, 1 }; 1.302 +CONST_OID rfc1274Mail[] = { RFC1274_ATTR_TYPE, 3 }; 1.303 +CONST_OID rfc2247DomainComponent[] = { RFC1274_ATTR_TYPE, 25 }; 1.304 + 1.305 +/* Netscape private certificate extensions */ 1.306 +CONST_OID nsCertExtNetscapeOK[] = { NS_CERT_EXT, 1 }; 1.307 +CONST_OID nsCertExtIssuerLogo[] = { NS_CERT_EXT, 2 }; 1.308 
+CONST_OID nsCertExtSubjectLogo[] = { NS_CERT_EXT, 3 }; 1.309 +CONST_OID nsExtCertType[] = { NETSCAPE_CERT_EXT, 0x01 }; 1.310 +CONST_OID nsExtBaseURL[] = { NETSCAPE_CERT_EXT, 0x02 }; 1.311 +CONST_OID nsExtRevocationURL[] = { NETSCAPE_CERT_EXT, 0x03 }; 1.312 +CONST_OID nsExtCARevocationURL[] = { NETSCAPE_CERT_EXT, 0x04 }; 1.313 +CONST_OID nsExtCACRLURL[] = { NETSCAPE_CERT_EXT, 0x05 }; 1.314 +CONST_OID nsExtCACertURL[] = { NETSCAPE_CERT_EXT, 0x06 }; 1.315 +CONST_OID nsExtCertRenewalURL[] = { NETSCAPE_CERT_EXT, 0x07 }; 1.316 +CONST_OID nsExtCAPolicyURL[] = { NETSCAPE_CERT_EXT, 0x08 }; 1.317 +CONST_OID nsExtHomepageURL[] = { NETSCAPE_CERT_EXT, 0x09 }; 1.318 +CONST_OID nsExtEntityLogo[] = { NETSCAPE_CERT_EXT, 0x0a }; 1.319 +CONST_OID nsExtUserPicture[] = { NETSCAPE_CERT_EXT, 0x0b }; 1.320 +CONST_OID nsExtSSLServerName[] = { NETSCAPE_CERT_EXT, 0x0c }; 1.321 +CONST_OID nsExtComment[] = { NETSCAPE_CERT_EXT, 0x0d }; 1.322 + 1.323 +/* the following 2 extensions are defined for and used by Cartman(NSM) */ 1.324 +CONST_OID nsExtLostPasswordURL[] = { NETSCAPE_CERT_EXT, 0x0e }; 1.325 +CONST_OID nsExtCertRenewalTime[] = { NETSCAPE_CERT_EXT, 0x0f }; 1.326 + 1.327 +CONST_OID nsExtAIACertRenewal[] = { NETSCAPE_CERT_EXT_AIA, 0x01 }; 1.328 +CONST_OID nsExtCertScopeOfUse[] = { NETSCAPE_CERT_EXT, 0x11 }; 1.329 +/* Reserved Netscape (2 16 840 1 113730 1 18) = { NETSCAPE_CERT_EXT, 0x12 }; */ 1.330 + 1.331 +/* Netscape policy values */ 1.332 +CONST_OID nsKeyUsageGovtApproved[] = { NETSCAPE_POLICY, 0x01 }; 1.333 + 1.334 +/* Netscape other name types */ 1.335 +CONST_OID netscapeNickname[] = { NETSCAPE_NAME_COMPONENTS, 0x01 }; 1.336 +CONST_OID netscapeAOLScreenname[] = { NETSCAPE_NAME_COMPONENTS, 0x02 }; 1.337 + 1.338 +/* OIDs needed for cert server */ 1.339 +CONST_OID netscapeRecoveryRequest[] = { NETSCAPE_CERT_SERVER_CRMF, 0x01 }; 1.340 + 1.341 + 1.342 +/* Standard x.509 v3 Certificate & CRL Extensions */ 1.343 +CONST_OID x509SubjectDirectoryAttr[] = { ID_CE_OID, 9 }; 1.344 +CONST_OID 
x509SubjectKeyID[] = { ID_CE_OID, 14 }; 1.345 +CONST_OID x509KeyUsage[] = { ID_CE_OID, 15 }; 1.346 +CONST_OID x509PrivateKeyUsagePeriod[] = { ID_CE_OID, 16 }; 1.347 +CONST_OID x509SubjectAltName[] = { ID_CE_OID, 17 }; 1.348 +CONST_OID x509IssuerAltName[] = { ID_CE_OID, 18 }; 1.349 +CONST_OID x509BasicConstraints[] = { ID_CE_OID, 19 }; 1.350 +CONST_OID x509CRLNumber[] = { ID_CE_OID, 20 }; 1.351 +CONST_OID x509ReasonCode[] = { ID_CE_OID, 21 }; 1.352 +CONST_OID x509HoldInstructionCode[] = { ID_CE_OID, 23 }; 1.353 +CONST_OID x509InvalidDate[] = { ID_CE_OID, 24 }; 1.354 +CONST_OID x509DeltaCRLIndicator[] = { ID_CE_OID, 27 }; 1.355 +CONST_OID x509IssuingDistributionPoint[] = { ID_CE_OID, 28 }; 1.356 +CONST_OID x509CertIssuer[] = { ID_CE_OID, 29 }; 1.357 +CONST_OID x509NameConstraints[] = { ID_CE_OID, 30 }; 1.358 +CONST_OID x509CRLDistPoints[] = { ID_CE_OID, 31 }; 1.359 +CONST_OID x509CertificatePolicies[] = { ID_CE_OID, 32 }; 1.360 +CONST_OID x509PolicyMappings[] = { ID_CE_OID, 33 }; 1.361 +CONST_OID x509AuthKeyID[] = { ID_CE_OID, 35 }; 1.362 +CONST_OID x509PolicyConstraints[] = { ID_CE_OID, 36 }; 1.363 +CONST_OID x509ExtKeyUsage[] = { ID_CE_OID, 37 }; 1.364 +CONST_OID x509FreshestCRL[] = { ID_CE_OID, 46 }; 1.365 +CONST_OID x509InhibitAnyPolicy[] = { ID_CE_OID, 54 }; 1.366 + 1.367 +CONST_OID x509CertificatePoliciesAnyPolicy[] = { ID_CE_OID, 32, 0 }; 1.368 + 1.369 +CONST_OID x509AuthInfoAccess[] = { PKIX_CERT_EXTENSIONS, 1 }; 1.370 +CONST_OID x509SubjectInfoAccess[] = { PKIX_CERT_EXTENSIONS, 11 }; 1.371 + 1.372 +CONST_OID x509SIATimeStamping[] = {PKIX_ACCESS_DESCRIPTION, 0x03}; 1.373 +CONST_OID x509SIACaRepository[] = {PKIX_ACCESS_DESCRIPTION, 0x05}; 1.374 + 1.375 +/* pkcs 12 additions */ 1.376 +CONST_OID pkcs12[] = { PKCS12 }; 1.377 +CONST_OID pkcs12ModeIDs[] = { PKCS12_MODE_IDS }; 1.378 +CONST_OID pkcs12ESPVKIDs[] = { PKCS12_ESPVK_IDS }; 1.379 +CONST_OID pkcs12BagIDs[] = { PKCS12_BAG_IDS }; 1.380 +CONST_OID pkcs12CertBagIDs[] = { PKCS12_CERT_BAG_IDS }; 1.381 +CONST_OID 
pkcs12OIDs[] = { PKCS12_OIDS }; 1.382 +CONST_OID pkcs12PBEIDs[] = { PKCS12_PBE_IDS }; 1.383 +CONST_OID pkcs12EnvelopingIDs[] = { PKCS12_ENVELOPING_IDS }; 1.384 +CONST_OID pkcs12SignatureIDs[] = { PKCS12_SIGNATURE_IDS }; 1.385 +CONST_OID pkcs12PKCS8KeyShrouding[] = { PKCS12_ESPVK_IDS, 0x01 }; 1.386 +CONST_OID pkcs12KeyBagID[] = { PKCS12_BAG_IDS, 0x01 }; 1.387 +CONST_OID pkcs12CertAndCRLBagID[] = { PKCS12_BAG_IDS, 0x02 }; 1.388 +CONST_OID pkcs12SecretBagID[] = { PKCS12_BAG_IDS, 0x03 }; 1.389 +CONST_OID pkcs12X509CertCRLBag[] = { PKCS12_CERT_BAG_IDS, 0x01 }; 1.390 +CONST_OID pkcs12SDSICertBag[] = { PKCS12_CERT_BAG_IDS, 0x02 }; 1.391 +CONST_OID pkcs12PBEWithSha1And128BitRC4[] = { PKCS12_PBE_IDS, 0x01 }; 1.392 +CONST_OID pkcs12PBEWithSha1And40BitRC4[] = { PKCS12_PBE_IDS, 0x02 }; 1.393 +CONST_OID pkcs12PBEWithSha1AndTripleDESCBC[] = { PKCS12_PBE_IDS, 0x03 }; 1.394 +CONST_OID pkcs12PBEWithSha1And128BitRC2CBC[] = { PKCS12_PBE_IDS, 0x04 }; 1.395 +CONST_OID pkcs12PBEWithSha1And40BitRC2CBC[] = { PKCS12_PBE_IDS, 0x05 }; 1.396 +CONST_OID pkcs12RSAEncryptionWith128BitRC4[] = { PKCS12_ENVELOPING_IDS, 0x01 }; 1.397 +CONST_OID pkcs12RSAEncryptionWith40BitRC4[] = { PKCS12_ENVELOPING_IDS, 0x02 }; 1.398 +CONST_OID pkcs12RSAEncryptionWithTripleDES[] = { PKCS12_ENVELOPING_IDS, 0x03 }; 1.399 +CONST_OID pkcs12RSASignatureWithSHA1Digest[] = { PKCS12_SIGNATURE_IDS, 0x01 }; 1.400 + 1.401 +/* pkcs 12 version 1.0 ids */ 1.402 +CONST_OID pkcs12V2PBEWithSha1And128BitRC4[] = { PKCS12_V2_PBE_IDS, 0x01 }; 1.403 +CONST_OID pkcs12V2PBEWithSha1And40BitRC4[] = { PKCS12_V2_PBE_IDS, 0x02 }; 1.404 +CONST_OID pkcs12V2PBEWithSha1And3KeyTripleDEScbc[]= { PKCS12_V2_PBE_IDS, 0x03 }; 1.405 +CONST_OID pkcs12V2PBEWithSha1And2KeyTripleDEScbc[]= { PKCS12_V2_PBE_IDS, 0x04 }; 1.406 +CONST_OID pkcs12V2PBEWithSha1And128BitRC2cbc[] = { PKCS12_V2_PBE_IDS, 0x05 }; 1.407 +CONST_OID pkcs12V2PBEWithSha1And40BitRC2cbc[] = { PKCS12_V2_PBE_IDS, 0x06 }; 1.408 + 1.409 +CONST_OID pkcs12SafeContentsID[] = { PKCS12_BAG_IDS, 0x04 }; 
1.410 +CONST_OID pkcs12PKCS8ShroudedKeyBagID[] = { PKCS12_BAG_IDS, 0x05 }; 1.411 + 1.412 +CONST_OID pkcs12V1KeyBag[] = { PKCS12_V1_BAG_IDS, 0x01 }; 1.413 +CONST_OID pkcs12V1PKCS8ShroudedKeyBag[] = { PKCS12_V1_BAG_IDS, 0x02 }; 1.414 +CONST_OID pkcs12V1CertBag[] = { PKCS12_V1_BAG_IDS, 0x03 }; 1.415 +CONST_OID pkcs12V1CRLBag[] = { PKCS12_V1_BAG_IDS, 0x04 }; 1.416 +CONST_OID pkcs12V1SecretBag[] = { PKCS12_V1_BAG_IDS, 0x05 }; 1.417 +CONST_OID pkcs12V1SafeContentsBag[] = { PKCS12_V1_BAG_IDS, 0x06 }; 1.418 + 1.419 +/* The following encoding is INCORRECT, but correcting it would create a 1.420 + * duplicate OID in the table. So, we will leave it alone. 1.421 + */ 1.422 +CONST_OID pkcs12KeyUsageAttr[] = { 2, 5, 29, 15 }; 1.423 + 1.424 +CONST_OID ansix9DSASignature[] = { ANSI_X9_ALGORITHM, 0x01 }; 1.425 +CONST_OID ansix9DSASignaturewithSHA1Digest[] = { ANSI_X9_ALGORITHM, 0x03 }; 1.426 +CONST_OID nistDSASignaturewithSHA224Digest[] = { DSA2, 0x01 }; 1.427 +CONST_OID nistDSASignaturewithSHA256Digest[] = { DSA2, 0x02 }; 1.428 + 1.429 +/* verisign OIDs */ 1.430 +CONST_OID verisignUserNotices[] = { VERISIGN, 1, 7, 1, 1 }; 1.431 + 1.432 +/* pkix OIDs */ 1.433 +CONST_OID pkixCPSPointerQualifier[] = { PKIX_POLICY_QUALIFIERS, 1 }; 1.434 +CONST_OID pkixUserNoticeQualifier[] = { PKIX_POLICY_QUALIFIERS, 2 }; 1.435 + 1.436 +CONST_OID pkixOCSP[] = { PKIX_OCSP }; 1.437 +CONST_OID pkixOCSPBasicResponse[] = { PKIX_OCSP, 1 }; 1.438 +CONST_OID pkixOCSPNonce[] = { PKIX_OCSP, 2 }; 1.439 +CONST_OID pkixOCSPCRL[] = { PKIX_OCSP, 3 }; 1.440 +CONST_OID pkixOCSPResponse[] = { PKIX_OCSP, 4 }; 1.441 +CONST_OID pkixOCSPNoCheck[] = { PKIX_OCSP, 5 }; 1.442 +CONST_OID pkixOCSPArchiveCutoff[] = { PKIX_OCSP, 6 }; 1.443 +CONST_OID pkixOCSPServiceLocator[] = { PKIX_OCSP, 7 }; 1.444 + 1.445 +CONST_OID pkixCAIssuers[] = { PKIX_CA_ISSUERS }; 1.446 + 1.447 +CONST_OID pkixRegCtrlRegToken[] = { PKIX_ID_REGCTRL, 1}; 1.448 +CONST_OID pkixRegCtrlAuthenticator[] = { PKIX_ID_REGCTRL, 2}; 1.449 +CONST_OID 
pkixRegCtrlPKIPubInfo[] = { PKIX_ID_REGCTRL, 3}; 1.450 +CONST_OID pkixRegCtrlPKIArchOptions[] = { PKIX_ID_REGCTRL, 4}; 1.451 +CONST_OID pkixRegCtrlOldCertID[] = { PKIX_ID_REGCTRL, 5}; 1.452 +CONST_OID pkixRegCtrlProtEncKey[] = { PKIX_ID_REGCTRL, 6}; 1.453 +CONST_OID pkixRegInfoUTF8Pairs[] = { PKIX_ID_REGINFO, 1}; 1.454 +CONST_OID pkixRegInfoCertReq[] = { PKIX_ID_REGINFO, 2}; 1.455 + 1.456 +CONST_OID pkixExtendedKeyUsageServerAuth[] = { PKIX_KEY_USAGE, 1 }; 1.457 +CONST_OID pkixExtendedKeyUsageClientAuth[] = { PKIX_KEY_USAGE, 2 }; 1.458 +CONST_OID pkixExtendedKeyUsageCodeSign[] = { PKIX_KEY_USAGE, 3 }; 1.459 +CONST_OID pkixExtendedKeyUsageEMailProtect[] = { PKIX_KEY_USAGE, 4 }; 1.460 +CONST_OID pkixExtendedKeyUsageTimeStamp[] = { PKIX_KEY_USAGE, 8 }; 1.461 +CONST_OID pkixOCSPResponderExtendedKeyUsage[] = { PKIX_KEY_USAGE, 9 }; 1.462 +CONST_OID msExtendedKeyUsageTrustListSigning[] = { MS_CRYPTO_EKU, 1 }; 1.463 + 1.464 +/* OIDs for Netscape defined algorithms */ 1.465 +CONST_OID netscapeSMimeKEA[] = { NETSCAPE_ALGS, 0x01 }; 1.466 + 1.467 +/* Fortezza algorithm OIDs */ 1.468 +CONST_OID skipjackCBC[] = { MISSI, 0x04 }; 1.469 +CONST_OID dhPublicKey[] = { ANSI_X942_ALGORITHM, 0x1 }; 1.470 + 1.471 +CONST_OID aes128_ECB[] = { AES, 1 }; 1.472 +CONST_OID aes128_CBC[] = { AES, 2 }; 1.473 +#ifdef DEFINE_ALL_AES_CIPHERS 1.474 +CONST_OID aes128_OFB[] = { AES, 3 }; 1.475 +CONST_OID aes128_CFB[] = { AES, 4 }; 1.476 +#endif 1.477 +CONST_OID aes128_KEY_WRAP[] = { AES, 5 }; 1.478 + 1.479 +CONST_OID aes192_ECB[] = { AES, 21 }; 1.480 +CONST_OID aes192_CBC[] = { AES, 22 }; 1.481 +#ifdef DEFINE_ALL_AES_CIPHERS 1.482 +CONST_OID aes192_OFB[] = { AES, 23 }; 1.483 +CONST_OID aes192_CFB[] = { AES, 24 }; 1.484 +#endif 1.485 +CONST_OID aes192_KEY_WRAP[] = { AES, 25 }; 1.486 + 1.487 +CONST_OID aes256_ECB[] = { AES, 41 }; 1.488 +CONST_OID aes256_CBC[] = { AES, 42 }; 1.489 +#ifdef DEFINE_ALL_AES_CIPHERS 1.490 +CONST_OID aes256_OFB[] = { AES, 43 }; 1.491 +CONST_OID aes256_CFB[] = { AES, 44 }; 1.492 
+#endif 1.493 +CONST_OID aes256_KEY_WRAP[] = { AES, 45 }; 1.494 + 1.495 +CONST_OID camellia128_CBC[] = { CAMELLIA_ENCRYPT_OID, 2}; 1.496 +CONST_OID camellia192_CBC[] = { CAMELLIA_ENCRYPT_OID, 3}; 1.497 +CONST_OID camellia256_CBC[] = { CAMELLIA_ENCRYPT_OID, 4}; 1.498 +CONST_OID camellia128_KEY_WRAP[] = { CAMELLIA_WRAP_OID, 2}; 1.499 +CONST_OID camellia192_KEY_WRAP[] = { CAMELLIA_WRAP_OID, 3}; 1.500 +CONST_OID camellia256_KEY_WRAP[] = { CAMELLIA_WRAP_OID, 4}; 1.501 + 1.502 +CONST_OID sha256[] = { SHAXXX, 1 }; 1.503 +CONST_OID sha384[] = { SHAXXX, 2 }; 1.504 +CONST_OID sha512[] = { SHAXXX, 3 }; 1.505 +CONST_OID sha224[] = { SHAXXX, 4 }; 1.506 + 1.507 +CONST_OID ansix962ECPublicKey[] = { ANSI_X962_OID, 0x02, 0x01 }; 1.508 +CONST_OID ansix962SignaturewithSHA1Digest[] = { ANSI_X962_SIGNATURE_OID, 0x01 }; 1.509 +CONST_OID ansix962SignatureRecommended[] = { ANSI_X962_SIGNATURE_OID, 0x02 }; 1.510 +CONST_OID ansix962SignatureSpecified[] = { ANSI_X962_SPECIFY_OID }; 1.511 +CONST_OID ansix962SignaturewithSHA224Digest[] = { ANSI_X962_SPECIFY_OID, 0x01 }; 1.512 +CONST_OID ansix962SignaturewithSHA256Digest[] = { ANSI_X962_SPECIFY_OID, 0x02 }; 1.513 +CONST_OID ansix962SignaturewithSHA384Digest[] = { ANSI_X962_SPECIFY_OID, 0x03 }; 1.514 +CONST_OID ansix962SignaturewithSHA512Digest[] = { ANSI_X962_SPECIFY_OID, 0x04 }; 1.515 + 1.516 +/* ANSI X9.62 prime curve OIDs */ 1.517 +/* NOTE: prime192v1 is the same as secp192r1, prime256v1 is the 1.518 + * same as secp256r1 1.519 + */ 1.520 +CONST_OID ansiX962prime192v1[] = { ANSI_X962_GFp_OID, 0x01 }; 1.521 +CONST_OID ansiX962prime192v2[] = { ANSI_X962_GFp_OID, 0x02 }; 1.522 +CONST_OID ansiX962prime192v3[] = { ANSI_X962_GFp_OID, 0x03 }; 1.523 +CONST_OID ansiX962prime239v1[] = { ANSI_X962_GFp_OID, 0x04 }; 1.524 +CONST_OID ansiX962prime239v2[] = { ANSI_X962_GFp_OID, 0x05 }; 1.525 +CONST_OID ansiX962prime239v3[] = { ANSI_X962_GFp_OID, 0x06 }; 1.526 +CONST_OID ansiX962prime256v1[] = { ANSI_X962_GFp_OID, 0x07 }; 1.527 + 1.528 +/* SECG prime curve 
OIDs */ 1.529 +CONST_OID secgECsecp112r1[] = { SECG_OID, 0x06 }; 1.530 +CONST_OID secgECsecp112r2[] = { SECG_OID, 0x07 }; 1.531 +CONST_OID secgECsecp128r1[] = { SECG_OID, 0x1c }; 1.532 +CONST_OID secgECsecp128r2[] = { SECG_OID, 0x1d }; 1.533 +CONST_OID secgECsecp160k1[] = { SECG_OID, 0x09 }; 1.534 +CONST_OID secgECsecp160r1[] = { SECG_OID, 0x08 }; 1.535 +CONST_OID secgECsecp160r2[] = { SECG_OID, 0x1e }; 1.536 +CONST_OID secgECsecp192k1[] = { SECG_OID, 0x1f }; 1.537 +CONST_OID secgECsecp224k1[] = { SECG_OID, 0x20 }; 1.538 +CONST_OID secgECsecp224r1[] = { SECG_OID, 0x21 }; 1.539 +CONST_OID secgECsecp256k1[] = { SECG_OID, 0x0a }; 1.540 +CONST_OID secgECsecp384r1[] = { SECG_OID, 0x22 }; 1.541 +CONST_OID secgECsecp521r1[] = { SECG_OID, 0x23 }; 1.542 + 1.543 +/* ANSI X9.62 characteristic two curve OIDs */ 1.544 +CONST_OID ansiX962c2pnb163v1[] = { ANSI_X962_GF2m_OID, 0x01 }; 1.545 +CONST_OID ansiX962c2pnb163v2[] = { ANSI_X962_GF2m_OID, 0x02 }; 1.546 +CONST_OID ansiX962c2pnb163v3[] = { ANSI_X962_GF2m_OID, 0x03 }; 1.547 +CONST_OID ansiX962c2pnb176v1[] = { ANSI_X962_GF2m_OID, 0x04 }; 1.548 +CONST_OID ansiX962c2tnb191v1[] = { ANSI_X962_GF2m_OID, 0x05 }; 1.549 +CONST_OID ansiX962c2tnb191v2[] = { ANSI_X962_GF2m_OID, 0x06 }; 1.550 +CONST_OID ansiX962c2tnb191v3[] = { ANSI_X962_GF2m_OID, 0x07 }; 1.551 +CONST_OID ansiX962c2onb191v4[] = { ANSI_X962_GF2m_OID, 0x08 }; 1.552 +CONST_OID ansiX962c2onb191v5[] = { ANSI_X962_GF2m_OID, 0x09 }; 1.553 +CONST_OID ansiX962c2pnb208w1[] = { ANSI_X962_GF2m_OID, 0x0a }; 1.554 +CONST_OID ansiX962c2tnb239v1[] = { ANSI_X962_GF2m_OID, 0x0b }; 1.555 +CONST_OID ansiX962c2tnb239v2[] = { ANSI_X962_GF2m_OID, 0x0c }; 1.556 +CONST_OID ansiX962c2tnb239v3[] = { ANSI_X962_GF2m_OID, 0x0d }; 1.557 +CONST_OID ansiX962c2onb239v4[] = { ANSI_X962_GF2m_OID, 0x0e }; 1.558 +CONST_OID ansiX962c2onb239v5[] = { ANSI_X962_GF2m_OID, 0x0f }; 1.559 +CONST_OID ansiX962c2pnb272w1[] = { ANSI_X962_GF2m_OID, 0x10 }; 1.560 +CONST_OID ansiX962c2pnb304w1[] = { ANSI_X962_GF2m_OID, 0x11 
}; 1.561 +CONST_OID ansiX962c2tnb359v1[] = { ANSI_X962_GF2m_OID, 0x12 }; 1.562 +CONST_OID ansiX962c2pnb368w1[] = { ANSI_X962_GF2m_OID, 0x13 }; 1.563 +CONST_OID ansiX962c2tnb431r1[] = { ANSI_X962_GF2m_OID, 0x14 }; 1.564 + 1.565 +/* SECG characterisitic two curve OIDs */ 1.566 +CONST_OID secgECsect113r1[] = {SECG_OID, 0x04 }; 1.567 +CONST_OID secgECsect113r2[] = {SECG_OID, 0x05 }; 1.568 +CONST_OID secgECsect131r1[] = {SECG_OID, 0x16 }; 1.569 +CONST_OID secgECsect131r2[] = {SECG_OID, 0x17 }; 1.570 +CONST_OID secgECsect163k1[] = {SECG_OID, 0x01 }; 1.571 +CONST_OID secgECsect163r1[] = {SECG_OID, 0x02 }; 1.572 +CONST_OID secgECsect163r2[] = {SECG_OID, 0x0f }; 1.573 +CONST_OID secgECsect193r1[] = {SECG_OID, 0x18 }; 1.574 +CONST_OID secgECsect193r2[] = {SECG_OID, 0x19 }; 1.575 +CONST_OID secgECsect233k1[] = {SECG_OID, 0x1a }; 1.576 +CONST_OID secgECsect233r1[] = {SECG_OID, 0x1b }; 1.577 +CONST_OID secgECsect239k1[] = {SECG_OID, 0x03 }; 1.578 +CONST_OID secgECsect283k1[] = {SECG_OID, 0x10 }; 1.579 +CONST_OID secgECsect283r1[] = {SECG_OID, 0x11 }; 1.580 +CONST_OID secgECsect409k1[] = {SECG_OID, 0x24 }; 1.581 +CONST_OID secgECsect409r1[] = {SECG_OID, 0x25 }; 1.582 +CONST_OID secgECsect571k1[] = {SECG_OID, 0x26 }; 1.583 +CONST_OID secgECsect571r1[] = {SECG_OID, 0x27 }; 1.584 + 1.585 +CONST_OID seed_CBC[] = { SEED_OID, 4 }; 1.586 + 1.587 +CONST_OID evIncorporationLocality[] = { EV_NAME_ATTRIBUTE, 1 }; 1.588 +CONST_OID evIncorporationState[] = { EV_NAME_ATTRIBUTE, 2 }; 1.589 +CONST_OID evIncorporationCountry[] = { EV_NAME_ATTRIBUTE, 3 }; 1.590 + 1.591 +#define OI(x) { siDEROID, (unsigned char *)x, sizeof x } 1.592 +#ifndef SECOID_NO_STRINGS 1.593 +#define OD(oid,tag,desc,mech,ext) { OI(oid), tag, desc, mech, ext } 1.594 +#else 1.595 +#define OD(oid,tag,desc,mech,ext) { OI(oid), tag, 0, mech, ext } 1.596 +#endif 1.597 + 1.598 +#if defined(NSS_ALLOW_UNSUPPORTED_CRITICAL) 1.599 +#define FAKE_SUPPORTED_CERT_EXTENSION SUPPORTED_CERT_EXTENSION 1.600 +#else 1.601 +#define 
FAKE_SUPPORTED_CERT_EXTENSION UNSUPPORTED_CERT_EXTENSION 1.602 +#endif 1.603 + 1.604 +/* 1.605 + * NOTE: the order of these entries must mach the SECOidTag enum in secoidt.h! 1.606 + */ 1.607 +const static SECOidData oids[SEC_OID_TOTAL] = { 1.608 + { { siDEROID, NULL, 0 }, SEC_OID_UNKNOWN, 1.609 + "Unknown OID", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION }, 1.610 + OD( md2, SEC_OID_MD2, "MD2", CKM_MD2, INVALID_CERT_EXTENSION ), 1.611 + OD( md4, SEC_OID_MD4, 1.612 + "MD4", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ), 1.613 + OD( md5, SEC_OID_MD5, "MD5", CKM_MD5, INVALID_CERT_EXTENSION ), 1.614 + OD( sha1, SEC_OID_SHA1, "SHA-1", CKM_SHA_1, INVALID_CERT_EXTENSION ), 1.615 + OD( rc2cbc, SEC_OID_RC2_CBC, 1.616 + "RC2-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION ), 1.617 + OD( rc4, SEC_OID_RC4, "RC4", CKM_RC4, INVALID_CERT_EXTENSION ), 1.618 + OD( desede3cbc, SEC_OID_DES_EDE3_CBC, 1.619 + "DES-EDE3-CBC", CKM_DES3_CBC, INVALID_CERT_EXTENSION ), 1.620 + OD( rc5cbcpad, SEC_OID_RC5_CBC_PAD, 1.621 + "RC5-CBCPad", CKM_RC5_CBC, INVALID_CERT_EXTENSION ), 1.622 + OD( desecb, SEC_OID_DES_ECB, 1.623 + "DES-ECB", CKM_DES_ECB, INVALID_CERT_EXTENSION ), 1.624 + OD( descbc, SEC_OID_DES_CBC, 1.625 + "DES-CBC", CKM_DES_CBC, INVALID_CERT_EXTENSION ), 1.626 + OD( desofb, SEC_OID_DES_OFB, 1.627 + "DES-OFB", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ), 1.628 + OD( descfb, SEC_OID_DES_CFB, 1.629 + "DES-CFB", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ), 1.630 + OD( desmac, SEC_OID_DES_MAC, 1.631 + "DES-MAC", CKM_DES_MAC, INVALID_CERT_EXTENSION ), 1.632 + OD( desede, SEC_OID_DES_EDE, 1.633 + "DES-EDE", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ), 1.634 + OD( isoSHAWithRSASignature, SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE, 1.635 + "ISO SHA with RSA Signature", 1.636 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ), 1.637 + OD( pkcs1RSAEncryption, SEC_OID_PKCS1_RSA_ENCRYPTION, 1.638 + "PKCS #1 RSA Encryption", CKM_RSA_PKCS, INVALID_CERT_EXTENSION ), 1.639 + 1.640 + /* the following 
Signing mechanisms should get new CKM_ values when 1.641 + * values for CKM_RSA_WITH_MDX and CKM_RSA_WITH_SHA_1 get defined in 1.642 + * PKCS #11. 1.643 + */ 1.644 + OD( pkcs1MD2WithRSAEncryption, SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION, 1.645 + "PKCS #1 MD2 With RSA Encryption", CKM_MD2_RSA_PKCS, 1.646 + INVALID_CERT_EXTENSION ), 1.647 + OD( pkcs1MD4WithRSAEncryption, SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION, 1.648 + "PKCS #1 MD4 With RSA Encryption", 1.649 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ), 1.650 + OD( pkcs1MD5WithRSAEncryption, SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION, 1.651 + "PKCS #1 MD5 With RSA Encryption", CKM_MD5_RSA_PKCS, 1.652 + INVALID_CERT_EXTENSION ), 1.653 + OD( pkcs1SHA1WithRSAEncryption, SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION, 1.654 + "PKCS #1 SHA-1 With RSA Encryption", CKM_SHA1_RSA_PKCS, 1.655 + INVALID_CERT_EXTENSION ), 1.656 + 1.657 + OD( pkcs5PbeWithMD2AndDEScbc, SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC, 1.658 + "PKCS #5 Password Based Encryption with MD2 and DES-CBC", 1.659 + CKM_PBE_MD2_DES_CBC, INVALID_CERT_EXTENSION ), 1.660 + OD( pkcs5PbeWithMD5AndDEScbc, SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC, 1.661 + "PKCS #5 Password Based Encryption with MD5 and DES-CBC", 1.662 + CKM_PBE_MD5_DES_CBC, INVALID_CERT_EXTENSION ), 1.663 + OD( pkcs5PbeWithSha1AndDEScbc, SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC, 1.664 + "PKCS #5 Password Based Encryption with SHA-1 and DES-CBC", 1.665 + CKM_NETSCAPE_PBE_SHA1_DES_CBC, INVALID_CERT_EXTENSION ), 1.666 + OD( pkcs7, SEC_OID_PKCS7, 1.667 + "PKCS #7", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ), 1.668 + OD( pkcs7Data, SEC_OID_PKCS7_DATA, 1.669 + "PKCS #7 Data", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ), 1.670 + OD( pkcs7SignedData, SEC_OID_PKCS7_SIGNED_DATA, 1.671 + "PKCS #7 Signed Data", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ), 1.672 + OD( pkcs7EnvelopedData, SEC_OID_PKCS7_ENVELOPED_DATA, 1.673 + "PKCS #7 Enveloped Data", 1.674 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ), 1.675 + OD( 
pkcs7SignedEnvelopedData, SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA,
1.676 + "PKCS #7 Signed And Enveloped Data",
1.677 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.678 + OD( pkcs7DigestedData, SEC_OID_PKCS7_DIGESTED_DATA,
1.679 + "PKCS #7 Digested Data",
1.680 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.681 + OD( pkcs7EncryptedData, SEC_OID_PKCS7_ENCRYPTED_DATA,
1.682 + "PKCS #7 Encrypted Data",
1.683 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.684 + OD( pkcs9EmailAddress, SEC_OID_PKCS9_EMAIL_ADDRESS,
1.685 + "PKCS #9 Email Address",
1.686 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.687 + OD( pkcs9UnstructuredName, SEC_OID_PKCS9_UNSTRUCTURED_NAME,
1.688 + "PKCS #9 Unstructured Name",
1.689 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.690 + OD( pkcs9ContentType, SEC_OID_PKCS9_CONTENT_TYPE,
1.691 + "PKCS #9 Content Type",
1.692 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.693 + OD( pkcs9MessageDigest, SEC_OID_PKCS9_MESSAGE_DIGEST,
1.694 + "PKCS #9 Message Digest",
1.695 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.696 + OD( pkcs9SigningTime, SEC_OID_PKCS9_SIGNING_TIME,
1.697 + "PKCS #9 Signing Time",
1.698 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.699 + OD( pkcs9CounterSignature, SEC_OID_PKCS9_COUNTER_SIGNATURE,
1.700 + "PKCS #9 Counter Signature",
1.701 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.702 + OD( pkcs9ChallengePassword, SEC_OID_PKCS9_CHALLENGE_PASSWORD,
1.703 + "PKCS #9 Challenge Password",
1.704 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.705 + OD( pkcs9UnstructuredAddress, SEC_OID_PKCS9_UNSTRUCTURED_ADDRESS,
1.706 + "PKCS #9 Unstructured Address",
1.707 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.708 + OD( pkcs9ExtendedCertificateAttributes,
1.709 + SEC_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES,
1.710 + "PKCS #9 Extended Certificate Attributes",
1.711 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.712 + OD( pkcs9SMIMECapabilities,
SEC_OID_PKCS9_SMIME_CAPABILITIES,
1.713 + "PKCS #9 S/MIME Capabilities",
1.714 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.715 + OD( x520CommonName, SEC_OID_AVA_COMMON_NAME,
1.716 + "X520 Common Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.717 + OD( x520CountryName, SEC_OID_AVA_COUNTRY_NAME,
1.718 + "X520 Country Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.719 + OD( x520LocalityName, SEC_OID_AVA_LOCALITY,
1.720 + "X520 Locality Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.721 + OD( x520StateOrProvinceName, SEC_OID_AVA_STATE_OR_PROVINCE,
1.722 + "X520 State Or Province Name",
1.723 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.724 + OD( x520OrgName, SEC_OID_AVA_ORGANIZATION_NAME,
1.725 + "X520 Organization Name",
1.726 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.727 + OD( x520OrgUnitName, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME,
1.728 + "X520 Organizational Unit Name",
1.729 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.730 + OD( x520DnQualifier, SEC_OID_AVA_DN_QUALIFIER,
1.731 + "X520 DN Qualifier", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.732 + OD( rfc2247DomainComponent, SEC_OID_AVA_DC,
1.733 + "RFC 2247 Domain Component",
1.734 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.735 +
1.736 + OD( nsTypeGIF, SEC_OID_NS_TYPE_GIF,
1.737 + "GIF", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.738 + OD( nsTypeJPEG, SEC_OID_NS_TYPE_JPEG,
1.739 + "JPEG", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.740 + OD( nsTypeURL, SEC_OID_NS_TYPE_URL,
1.741 + "URL", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.742 + OD( nsTypeHTML, SEC_OID_NS_TYPE_HTML,
1.743 + "HTML", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.744 + OD( nsTypeCertSeq, SEC_OID_NS_TYPE_CERT_SEQUENCE,
1.745 + "Certificate Sequence",
1.746 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.747 + OD( missiCertKEADSSOld, SEC_OID_MISSI_KEA_DSS_OLD,
1.748 + "MISSI KEA and DSS Algorithm (Old)",
1.749 +
CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.750 + OD( missiCertDSSOld, SEC_OID_MISSI_DSS_OLD,
1.751 + "MISSI DSS Algorithm (Old)",
1.752 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.753 + OD( missiCertKEADSS, SEC_OID_MISSI_KEA_DSS,
1.754 + "MISSI KEA and DSS Algorithm",
1.755 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.756 + OD( missiCertDSS, SEC_OID_MISSI_DSS,
1.757 + "MISSI DSS Algorithm",
1.758 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.759 + OD( missiCertKEA, SEC_OID_MISSI_KEA,
1.760 + "MISSI KEA Algorithm",
1.761 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.762 + OD( missiCertAltKEA, SEC_OID_MISSI_ALT_KEA,
1.763 + "MISSI Alternate KEA Algorithm",
1.764 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.765 +
1.766 + /* Netscape private extensions */
1.767 + OD( nsCertExtNetscapeOK, SEC_OID_NS_CERT_EXT_NETSCAPE_OK,
1.768 + "Netscape says this cert is OK",
1.769 + CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
1.770 + OD( nsCertExtIssuerLogo, SEC_OID_NS_CERT_EXT_ISSUER_LOGO,
1.771 + "Certificate Issuer Logo",
1.772 + CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
1.773 + OD( nsCertExtSubjectLogo, SEC_OID_NS_CERT_EXT_SUBJECT_LOGO,
1.774 + "Certificate Subject Logo",
1.775 + CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
1.776 + OD( nsExtCertType, SEC_OID_NS_CERT_EXT_CERT_TYPE,
1.777 + "Certificate Type",
1.778 + CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
1.779 + OD( nsExtBaseURL, SEC_OID_NS_CERT_EXT_BASE_URL,
1.780 + "Certificate Extension Base URL",
1.781 + CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
1.782 + OD( nsExtRevocationURL, SEC_OID_NS_CERT_EXT_REVOCATION_URL,
1.783 + "Certificate Revocation URL",
1.784 + CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
1.785 + OD( nsExtCARevocationURL, SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL,
1.786 + "Certificate Authority Revocation URL",
1.787 + CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
1.788 + OD( nsExtCACRLURL,
SEC_OID_NS_CERT_EXT_CA_CRL_URL,
1.789 + "Certificate Authority CRL Download URL",
1.790 + CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
1.791 + OD( nsExtCACertURL, SEC_OID_NS_CERT_EXT_CA_CERT_URL,
1.792 + "Certificate Authority Certificate Download URL",
1.793 + CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
1.794 + OD( nsExtCertRenewalURL, SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL,
1.795 + "Certificate Renewal URL",
1.796 + CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
1.797 + OD( nsExtCAPolicyURL, SEC_OID_NS_CERT_EXT_CA_POLICY_URL,
1.798 + "Certificate Authority Policy URL",
1.799 + CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
1.800 + OD( nsExtHomepageURL, SEC_OID_NS_CERT_EXT_HOMEPAGE_URL,
1.801 + "Certificate Homepage URL",
1.802 + CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
1.803 + OD( nsExtEntityLogo, SEC_OID_NS_CERT_EXT_ENTITY_LOGO,
1.804 + "Certificate Entity Logo",
1.805 + CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
1.806 + OD( nsExtUserPicture, SEC_OID_NS_CERT_EXT_USER_PICTURE,
1.807 + "Certificate User Picture",
1.808 + CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
1.809 + OD( nsExtSSLServerName, SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME,
1.810 + "Certificate SSL Server Name",
1.811 + CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
1.812 + OD( nsExtComment, SEC_OID_NS_CERT_EXT_COMMENT,
1.813 + "Certificate Comment",
1.814 + CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
1.815 + OD( nsExtLostPasswordURL, SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL,
1.816 + "Lost Password URL",
1.817 + CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
1.818 + OD( nsExtCertRenewalTime, SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME,
1.819 + "Certificate Renewal Time",
1.820 + CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
1.821 + OD( nsKeyUsageGovtApproved, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED,
1.822 + "Strong Crypto Export Approved",
1.823 + CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
1.824 +
1.825 +
1.826 + /* x.509 v3
certificate extensions */
1.827 + OD( x509SubjectDirectoryAttr, SEC_OID_X509_SUBJECT_DIRECTORY_ATTR,
1.828 + "Certificate Subject Directory Attributes",
1.829 + CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION),
1.830 + OD( x509SubjectKeyID, SEC_OID_X509_SUBJECT_KEY_ID,
1.831 + "Certificate Subject Key ID",
1.832 + CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
1.833 + OD( x509KeyUsage, SEC_OID_X509_KEY_USAGE,
1.834 + "Certificate Key Usage",
1.835 + CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
1.836 + OD( x509PrivateKeyUsagePeriod, SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD,
1.837 + "Certificate Private Key Usage Period",
1.838 + CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
1.839 + OD( x509SubjectAltName, SEC_OID_X509_SUBJECT_ALT_NAME,
1.840 + "Certificate Subject Alt Name",
1.841 + CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
1.842 + OD( x509IssuerAltName, SEC_OID_X509_ISSUER_ALT_NAME,
1.843 + "Certificate Issuer Alt Name",
1.844 + CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION ),
1.845 + OD( x509BasicConstraints, SEC_OID_X509_BASIC_CONSTRAINTS,
1.846 + "Certificate Basic Constraints",
1.847 + CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
1.848 + OD( x509NameConstraints, SEC_OID_X509_NAME_CONSTRAINTS,
1.849 + "Certificate Name Constraints",
1.850 + CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
1.851 + OD( x509CRLDistPoints, SEC_OID_X509_CRL_DIST_POINTS,
1.852 + "CRL Distribution Points",
1.853 + CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION ),
1.854 + OD( x509CertificatePolicies, SEC_OID_X509_CERTIFICATE_POLICIES,
1.855 + "Certificate Policies",
1.856 + CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION ),
1.857 + OD( x509PolicyMappings, SEC_OID_X509_POLICY_MAPPINGS,
1.858 + "Certificate Policy Mappings",
1.859 + CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
1.860 + OD( x509PolicyConstraints, SEC_OID_X509_POLICY_CONSTRAINTS,
1.861 + "Certificate Policy Constraints",
1.862 + CKM_INVALID_MECHANISM,
FAKE_SUPPORTED_CERT_EXTENSION ),
1.863 + OD( x509AuthKeyID, SEC_OID_X509_AUTH_KEY_ID,
1.864 + "Certificate Authority Key Identifier",
1.865 + CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
1.866 + OD( x509ExtKeyUsage, SEC_OID_X509_EXT_KEY_USAGE,
1.867 + "Extended Key Usage",
1.868 + CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
1.869 + OD( x509AuthInfoAccess, SEC_OID_X509_AUTH_INFO_ACCESS,
1.870 + "Authority Information Access",
1.871 + CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
1.872 +
1.873 + /* x.509 v3 CRL extensions */
1.874 + OD( x509CRLNumber, SEC_OID_X509_CRL_NUMBER,
1.875 + "CRL Number", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
1.876 + OD( x509ReasonCode, SEC_OID_X509_REASON_CODE,
1.877 + "CRL reason code", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
1.878 + OD( x509InvalidDate, SEC_OID_X509_INVALID_DATE,
1.879 + "Invalid Date", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
1.880 +
1.881 + OD( x500RSAEncryption, SEC_OID_X500_RSA_ENCRYPTION,
1.882 + "X500 RSA Encryption", CKM_RSA_X_509, INVALID_CERT_EXTENSION ),
1.883 +
1.884 + /* added for alg 1485 */
1.885 + OD( rfc1274Uid, SEC_OID_RFC1274_UID,
1.886 + "RFC1274 User Id", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.887 + OD( rfc1274Mail, SEC_OID_RFC1274_MAIL,
1.888 + "RFC1274 E-mail Address",
1.889 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.890 +
1.891 + /* pkcs 12 additions */
1.892 + OD( pkcs12, SEC_OID_PKCS12,
1.893 + "PKCS #12", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.894 + OD( pkcs12ModeIDs, SEC_OID_PKCS12_MODE_IDS,
1.895 + "PKCS #12 Mode IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.896 + OD( pkcs12ESPVKIDs, SEC_OID_PKCS12_ESPVK_IDS,
1.897 + "PKCS #12 ESPVK IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.898 + OD( pkcs12BagIDs, SEC_OID_PKCS12_BAG_IDS,
1.899 + "PKCS #12 Bag IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.900 + OD( pkcs12CertBagIDs, SEC_OID_PKCS12_CERT_BAG_IDS,
1.901 + "PKCS #12 Cert Bag
IDs",
1.902 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.903 + OD( pkcs12OIDs, SEC_OID_PKCS12_OIDS,
1.904 + "PKCS #12 OIDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.905 + OD( pkcs12PBEIDs, SEC_OID_PKCS12_PBE_IDS,
1.906 + "PKCS #12 PBE IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.907 + OD( pkcs12SignatureIDs, SEC_OID_PKCS12_SIGNATURE_IDS,
1.908 + "PKCS #12 Signature IDs",
1.909 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.910 + OD( pkcs12EnvelopingIDs, SEC_OID_PKCS12_ENVELOPING_IDS,
1.911 + "PKCS #12 Enveloping IDs",
1.912 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.913 + OD( pkcs12PKCS8KeyShrouding, SEC_OID_PKCS12_PKCS8_KEY_SHROUDING,
1.914 + "PKCS #12 Key Shrouding",
1.915 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.916 + OD( pkcs12KeyBagID, SEC_OID_PKCS12_KEY_BAG_ID,
1.917 + "PKCS #12 Key Bag ID",
1.918 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.919 + OD( pkcs12CertAndCRLBagID, SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID,
1.920 + "PKCS #12 Cert And CRL Bag ID",
1.921 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.922 + OD( pkcs12SecretBagID, SEC_OID_PKCS12_SECRET_BAG_ID,
1.923 + "PKCS #12 Secret Bag ID",
1.924 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.925 + OD( pkcs12X509CertCRLBag, SEC_OID_PKCS12_X509_CERT_CRL_BAG,
1.926 + "PKCS #12 X509 Cert CRL Bag",
1.927 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.928 + OD( pkcs12SDSICertBag, SEC_OID_PKCS12_SDSI_CERT_BAG,
1.929 + "PKCS #12 SDSI Cert Bag",
1.930 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.931 + OD( pkcs12PBEWithSha1And128BitRC4,
1.932 + SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4,
1.933 + "PKCS #12 PBE With SHA-1 and 128 Bit RC4",
1.934 + CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4, INVALID_CERT_EXTENSION ),
1.935 + OD( pkcs12PBEWithSha1And40BitRC4,
1.936 + SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4,
1.937 + "PKCS #12 PBE With SHA-1 and 40 Bit RC4",
1.938 + CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4, INVALID_CERT_EXTENSION ),
1.939 +
OD( pkcs12PBEWithSha1AndTripleDESCBC,
1.940 + SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC,
1.941 + "PKCS #12 PBE With SHA-1 and Triple DES-CBC",
1.942 + CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, INVALID_CERT_EXTENSION ),
1.943 + OD( pkcs12PBEWithSha1And128BitRC2CBC,
1.944 + SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC,
1.945 + "PKCS #12 PBE With SHA-1 and 128 Bit RC2 CBC",
1.946 + CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC, INVALID_CERT_EXTENSION ),
1.947 + OD( pkcs12PBEWithSha1And40BitRC2CBC,
1.948 + SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC,
1.949 + "PKCS #12 PBE With SHA-1 and 40 Bit RC2 CBC",
1.950 + CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC, INVALID_CERT_EXTENSION ),
1.951 + OD( pkcs12RSAEncryptionWith128BitRC4,
1.952 + SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_128_BIT_RC4,
1.953 + "PKCS #12 RSA Encryption with 128 Bit RC4",
1.954 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.955 + OD( pkcs12RSAEncryptionWith40BitRC4,
1.956 + SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_40_BIT_RC4,
1.957 + "PKCS #12 RSA Encryption with 40 Bit RC4",
1.958 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.959 + OD( pkcs12RSAEncryptionWithTripleDES,
1.960 + SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_TRIPLE_DES,
1.961 + "PKCS #12 RSA Encryption with Triple DES",
1.962 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.963 + OD( pkcs12RSASignatureWithSHA1Digest,
1.964 + SEC_OID_PKCS12_RSA_SIGNATURE_WITH_SHA1_DIGEST,
1.965 + "PKCS #12 RSA Encryption with Triple DES",
1.966 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.967 +
1.968 + /* DSA signatures */
1.969 + OD( ansix9DSASignature, SEC_OID_ANSIX9_DSA_SIGNATURE,
1.970 + "ANSI X9.57 DSA Signature", CKM_DSA, INVALID_CERT_EXTENSION ),
1.971 + OD( ansix9DSASignaturewithSHA1Digest,
1.972 + SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST,
1.973 + "ANSI X9.57 DSA Signature with SHA-1 Digest",
1.974 + CKM_DSA_SHA1, INVALID_CERT_EXTENSION ),
1.975 + OD( bogusDSASignaturewithSHA1Digest,
1.976 + SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST,
1.977 +
"FORTEZZA DSA Signature with SHA-1 Digest",
1.978 + CKM_DSA_SHA1, INVALID_CERT_EXTENSION ),
1.979 +
1.980 + /* verisign oids */
1.981 + OD( verisignUserNotices, SEC_OID_VERISIGN_USER_NOTICES,
1.982 + "Verisign User Notices",
1.983 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.984 +
1.985 + /* pkix oids */
1.986 + OD( pkixCPSPointerQualifier, SEC_OID_PKIX_CPS_POINTER_QUALIFIER,
1.987 + "PKIX CPS Pointer Qualifier",
1.988 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.989 + OD( pkixUserNoticeQualifier, SEC_OID_PKIX_USER_NOTICE_QUALIFIER,
1.990 + "PKIX User Notice Qualifier",
1.991 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.992 +
1.993 + OD( pkixOCSP, SEC_OID_PKIX_OCSP,
1.994 + "PKIX Online Certificate Status Protocol",
1.995 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.996 + OD( pkixOCSPBasicResponse, SEC_OID_PKIX_OCSP_BASIC_RESPONSE,
1.997 + "OCSP Basic Response", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.998 + OD( pkixOCSPNonce, SEC_OID_PKIX_OCSP_NONCE,
1.999 + "OCSP Nonce Extension", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1000 + OD( pkixOCSPCRL, SEC_OID_PKIX_OCSP_CRL,
1.1001 + "OCSP CRL Reference Extension",
1.1002 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1003 + OD( pkixOCSPResponse, SEC_OID_PKIX_OCSP_RESPONSE,
1.1004 + "OCSP Response Types Extension",
1.1005 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1006 + OD( pkixOCSPNoCheck, SEC_OID_PKIX_OCSP_NO_CHECK,
1.1007 + "OCSP No Check Extension",
1.1008 + CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
1.1009 + OD( pkixOCSPArchiveCutoff, SEC_OID_PKIX_OCSP_ARCHIVE_CUTOFF,
1.1010 + "OCSP Archive Cutoff Extension",
1.1011 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1012 + OD( pkixOCSPServiceLocator, SEC_OID_PKIX_OCSP_SERVICE_LOCATOR,
1.1013 + "OCSP Service Locator Extension",
1.1014 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1015 +
1.1016 + OD( pkixRegCtrlRegToken, SEC_OID_PKIX_REGCTRL_REGTOKEN,
1.1017 + "PKIX CRMF Registration
Control, Registration Token",
1.1018 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1019 + OD( pkixRegCtrlAuthenticator, SEC_OID_PKIX_REGCTRL_AUTHENTICATOR,
1.1020 + "PKIX CRMF Registration Control, Registration Authenticator",
1.1021 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1022 + OD( pkixRegCtrlPKIPubInfo, SEC_OID_PKIX_REGCTRL_PKIPUBINFO,
1.1023 + "PKIX CRMF Registration Control, PKI Publication Info",
1.1024 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1.1025 + OD( pkixRegCtrlPKIArchOptions,
1.1026 + SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS,
1.1027 + "PKIX CRMF Registration Control, PKI Archive Options",
1.1028 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1.1029 + OD( pkixRegCtrlOldCertID, SEC_OID_PKIX_REGCTRL_OLD_CERT_ID,
1.1030 + "PKIX CRMF Registration Control, Old Certificate ID",
1.1031 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1.1032 + OD( pkixRegCtrlProtEncKey, SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY,
1.1033 + "PKIX CRMF Registration Control, Protocol Encryption Key",
1.1034 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1.1035 + OD( pkixRegInfoUTF8Pairs, SEC_OID_PKIX_REGINFO_UTF8_PAIRS,
1.1036 + "PKIX CRMF Registration Info, UTF8 Pairs",
1.1037 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1.1038 + OD( pkixRegInfoCertReq, SEC_OID_PKIX_REGINFO_CERT_REQUEST,
1.1039 + "PKIX CRMF Registration Info, Certificate Request",
1.1040 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1.1041 + OD( pkixExtendedKeyUsageServerAuth,
1.1042 + SEC_OID_EXT_KEY_USAGE_SERVER_AUTH,
1.1043 + "TLS Web Server Authentication Certificate",
1.1044 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1.1045 + OD( pkixExtendedKeyUsageClientAuth,
1.1046 + SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH,
1.1047 + "TLS Web Client Authentication Certificate",
1.1048 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1.1049 + OD( pkixExtendedKeyUsageCodeSign, SEC_OID_EXT_KEY_USAGE_CODE_SIGN,
1.1050 + "Code Signing Certificate",
1.1051 + CKM_INVALID_MECHANISM,
INVALID_CERT_EXTENSION),
1.1052 + OD( pkixExtendedKeyUsageEMailProtect,
1.1053 + SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT,
1.1054 + "E-Mail Protection Certificate",
1.1055 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1.1056 + OD( pkixExtendedKeyUsageTimeStamp,
1.1057 + SEC_OID_EXT_KEY_USAGE_TIME_STAMP,
1.1058 + "Time Stamping Certifcate",
1.1059 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1.1060 + OD( pkixOCSPResponderExtendedKeyUsage, SEC_OID_OCSP_RESPONDER,
1.1061 + "OCSP Responder Certificate",
1.1062 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1.1063 +
1.1064 + /* Netscape Algorithm OIDs */
1.1065 +
1.1066 + OD( netscapeSMimeKEA, SEC_OID_NETSCAPE_SMIME_KEA,
1.1067 + "Netscape S/MIME KEA", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1068 +
1.1069 + /* Skipjack OID -- ### mwelch temporary */
1.1070 + OD( skipjackCBC, SEC_OID_FORTEZZA_SKIPJACK,
1.1071 + "Skipjack CBC64", CKM_SKIPJACK_CBC64, INVALID_CERT_EXTENSION ),
1.1072 +
1.1073 + /* pkcs12 v2 oids */
1.1074 + OD( pkcs12V2PBEWithSha1And128BitRC4,
1.1075 + SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4,
1.1076 + "PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4",
1.1077 + CKM_PBE_SHA1_RC4_128, INVALID_CERT_EXTENSION ),
1.1078 + OD( pkcs12V2PBEWithSha1And40BitRC4,
1.1079 + SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4,
1.1080 + "PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4",
1.1081 + CKM_PBE_SHA1_RC4_40, INVALID_CERT_EXTENSION ),
1.1082 + OD( pkcs12V2PBEWithSha1And3KeyTripleDEScbc,
1.1083 + SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC,
1.1084 + "PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC",
1.1085 + CKM_PBE_SHA1_DES3_EDE_CBC, INVALID_CERT_EXTENSION ),
1.1086 + OD( pkcs12V2PBEWithSha1And2KeyTripleDEScbc,
1.1087 + SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC,
1.1088 + "PKCS #12 V2 PBE With SHA-1 And 2KEY Triple DES-CBC",
1.1089 + CKM_PBE_SHA1_DES2_EDE_CBC, INVALID_CERT_EXTENSION ),
1.1090 + OD( pkcs12V2PBEWithSha1And128BitRC2cbc,
1.1091 +
SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC,
1.1092 + "PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC",
1.1093 + CKM_PBE_SHA1_RC2_128_CBC, INVALID_CERT_EXTENSION ),
1.1094 + OD( pkcs12V2PBEWithSha1And40BitRC2cbc,
1.1095 + SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC,
1.1096 + "PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC",
1.1097 + CKM_PBE_SHA1_RC2_40_CBC, INVALID_CERT_EXTENSION ),
1.1098 + OD( pkcs12SafeContentsID, SEC_OID_PKCS12_SAFE_CONTENTS_ID,
1.1099 + "PKCS #12 Safe Contents ID",
1.1100 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1101 + OD( pkcs12PKCS8ShroudedKeyBagID,
1.1102 + SEC_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG_ID,
1.1103 + "PKCS #12 Safe Contents ID",
1.1104 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1105 + OD( pkcs12V1KeyBag, SEC_OID_PKCS12_V1_KEY_BAG_ID,
1.1106 + "PKCS #12 V1 Key Bag",
1.1107 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1108 + OD( pkcs12V1PKCS8ShroudedKeyBag,
1.1109 + SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID,
1.1110 + "PKCS #12 V1 PKCS8 Shrouded Key Bag",
1.1111 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1112 + OD( pkcs12V1CertBag, SEC_OID_PKCS12_V1_CERT_BAG_ID,
1.1113 + "PKCS #12 V1 Cert Bag",
1.1114 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1115 + OD( pkcs12V1CRLBag, SEC_OID_PKCS12_V1_CRL_BAG_ID,
1.1116 + "PKCS #12 V1 CRL Bag",
1.1117 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1118 + OD( pkcs12V1SecretBag, SEC_OID_PKCS12_V1_SECRET_BAG_ID,
1.1119 + "PKCS #12 V1 Secret Bag",
1.1120 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1121 + OD( pkcs12V1SafeContentsBag, SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID,
1.1122 + "PKCS #12 V1 Safe Contents Bag",
1.1123 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1124 +
1.1125 + OD( pkcs9X509Certificate, SEC_OID_PKCS9_X509_CERT,
1.1126 + "PKCS #9 X509 Certificate",
1.1127 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1128 + OD( pkcs9SDSICertificate, SEC_OID_PKCS9_SDSI_CERT,
1.1129 + "PKCS #9 SDSI
Certificate",
1.1130 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1131 + OD( pkcs9X509CRL, SEC_OID_PKCS9_X509_CRL,
1.1132 + "PKCS #9 X509 CRL", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1133 + OD( pkcs9FriendlyName, SEC_OID_PKCS9_FRIENDLY_NAME,
1.1134 + "PKCS #9 Friendly Name",
1.1135 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1136 + OD( pkcs9LocalKeyID, SEC_OID_PKCS9_LOCAL_KEY_ID,
1.1137 + "PKCS #9 Local Key ID",
1.1138 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1139 + OD( pkcs12KeyUsageAttr, SEC_OID_BOGUS_KEY_USAGE,
1.1140 + "Bogus Key Usage", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1141 + OD( dhPublicKey, SEC_OID_X942_DIFFIE_HELMAN_KEY,
1.1142 + "Diffie-Helman Public Key", CKM_DH_PKCS_DERIVE,
1.1143 + INVALID_CERT_EXTENSION ),
1.1144 + OD( netscapeNickname, SEC_OID_NETSCAPE_NICKNAME,
1.1145 + "Netscape Nickname", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1146 +
1.1147 + /* Cert Server specific OIDs */
1.1148 + OD( netscapeRecoveryRequest, SEC_OID_NETSCAPE_RECOVERY_REQUEST,
1.1149 + "Recovery Request OID",
1.1150 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1151 +
1.1152 + OD( nsExtAIACertRenewal, SEC_OID_CERT_RENEWAL_LOCATOR,
1.1153 + "Certificate Renewal Locator OID", CKM_INVALID_MECHANISM,
1.1154 + INVALID_CERT_EXTENSION ),
1.1155 +
1.1156 + OD( nsExtCertScopeOfUse, SEC_OID_NS_CERT_EXT_SCOPE_OF_USE,
1.1157 + "Certificate Scope-of-Use Extension", CKM_INVALID_MECHANISM,
1.1158 + SUPPORTED_CERT_EXTENSION ),
1.1159 +
1.1160 + /* CMS stuff */
1.1161 + OD( cmsESDH, SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN,
1.1162 + "Ephemeral-Static Diffie-Hellman", CKM_INVALID_MECHANISM /* XXX */,
1.1163 + INVALID_CERT_EXTENSION ),
1.1164 + OD( cms3DESwrap, SEC_OID_CMS_3DES_KEY_WRAP,
1.1165 + "CMS Triple DES Key Wrap", CKM_INVALID_MECHANISM /* XXX */,
1.1166 + INVALID_CERT_EXTENSION ),
1.1167 + OD( cmsRC2wrap, SEC_OID_CMS_RC2_KEY_WRAP,
1.1168 + "CMS RC2 Key Wrap", CKM_INVALID_MECHANISM /* XXX */,
1.1169 +
INVALID_CERT_EXTENSION ),
1.1170 + OD( smimeEncryptionKeyPreference, SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE,
1.1171 + "S/MIME Encryption Key Preference",
1.1172 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1173 +
1.1174 + /* AES algorithm OIDs */
1.1175 + OD( aes128_ECB, SEC_OID_AES_128_ECB,
1.1176 + "AES-128-ECB", CKM_AES_ECB, INVALID_CERT_EXTENSION ),
1.1177 + OD( aes128_CBC, SEC_OID_AES_128_CBC,
1.1178 + "AES-128-CBC", CKM_AES_CBC, INVALID_CERT_EXTENSION ),
1.1179 + OD( aes192_ECB, SEC_OID_AES_192_ECB,
1.1180 + "AES-192-ECB", CKM_AES_ECB, INVALID_CERT_EXTENSION ),
1.1181 + OD( aes192_CBC, SEC_OID_AES_192_CBC,
1.1182 + "AES-192-CBC", CKM_AES_CBC, INVALID_CERT_EXTENSION ),
1.1183 + OD( aes256_ECB, SEC_OID_AES_256_ECB,
1.1184 + "AES-256-ECB", CKM_AES_ECB, INVALID_CERT_EXTENSION ),
1.1185 + OD( aes256_CBC, SEC_OID_AES_256_CBC,
1.1186 + "AES-256-CBC", CKM_AES_CBC, INVALID_CERT_EXTENSION ),
1.1187 +
1.1188 + /* More bogus DSA OIDs */
1.1189 + OD( sdn702DSASignature, SEC_OID_SDN702_DSA_SIGNATURE,
1.1190 + "SDN.702 DSA Signature", CKM_DSA_SHA1, INVALID_CERT_EXTENSION ),
1.1191 +
1.1192 + OD( ms_smimeEncryptionKeyPreference,
1.1193 + SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE,
1.1194 + "Microsoft S/MIME Encryption Key Preference",
1.1195 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1196 +
1.1197 + OD( sha256, SEC_OID_SHA256, "SHA-256", CKM_SHA256, INVALID_CERT_EXTENSION),
1.1198 + OD( sha384, SEC_OID_SHA384, "SHA-384", CKM_SHA384, INVALID_CERT_EXTENSION),
1.1199 + OD( sha512, SEC_OID_SHA512, "SHA-512", CKM_SHA512, INVALID_CERT_EXTENSION),
1.1200 +
1.1201 + OD( pkcs1SHA256WithRSAEncryption, SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION,
1.1202 + "PKCS #1 SHA-256 With RSA Encryption", CKM_SHA256_RSA_PKCS,
1.1203 + INVALID_CERT_EXTENSION ),
1.1204 + OD( pkcs1SHA384WithRSAEncryption, SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION,
1.1205 + "PKCS #1 SHA-384 With RSA Encryption", CKM_SHA384_RSA_PKCS,
1.1206 + INVALID_CERT_EXTENSION ),
1.1207 + OD(
pkcs1SHA512WithRSAEncryption, SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION,
1.1208 + "PKCS #1 SHA-512 With RSA Encryption", CKM_SHA512_RSA_PKCS,
1.1209 + INVALID_CERT_EXTENSION ),
1.1210 +
1.1211 + OD( aes128_KEY_WRAP, SEC_OID_AES_128_KEY_WRAP,
1.1212 + "AES-128 Key Wrap", CKM_NSS_AES_KEY_WRAP, INVALID_CERT_EXTENSION),
1.1213 + OD( aes192_KEY_WRAP, SEC_OID_AES_192_KEY_WRAP,
1.1214 + "AES-192 Key Wrap", CKM_NSS_AES_KEY_WRAP, INVALID_CERT_EXTENSION),
1.1215 + OD( aes256_KEY_WRAP, SEC_OID_AES_256_KEY_WRAP,
1.1216 + "AES-256 Key Wrap", CKM_NSS_AES_KEY_WRAP, INVALID_CERT_EXTENSION),
1.1217 +
1.1218 + /* Elliptic Curve Cryptography (ECC) OIDs */
1.1219 + OD( ansix962ECPublicKey, SEC_OID_ANSIX962_EC_PUBLIC_KEY,
1.1220 + "X9.62 elliptic curve public key", CKM_ECDH1_DERIVE,
1.1221 + INVALID_CERT_EXTENSION ),
1.1222 + OD( ansix962SignaturewithSHA1Digest,
1.1223 + SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE,
1.1224 + "X9.62 ECDSA signature with SHA-1", CKM_ECDSA_SHA1,
1.1225 + INVALID_CERT_EXTENSION ),
1.1226 +
1.1227 + /* Named curves */
1.1228 +
1.1229 + /* ANSI X9.62 named elliptic curves (prime field) */
1.1230 + OD( ansiX962prime192v1, SEC_OID_ANSIX962_EC_PRIME192V1,
1.1231 + "ANSI X9.62 elliptic curve prime192v1 (aka secp192r1, NIST P-192)",
1.1232 + CKM_INVALID_MECHANISM,
1.1233 + INVALID_CERT_EXTENSION ),
1.1234 + OD( ansiX962prime192v2, SEC_OID_ANSIX962_EC_PRIME192V2,
1.1235 + "ANSI X9.62 elliptic curve prime192v2",
1.1236 + CKM_INVALID_MECHANISM,
1.1237 + INVALID_CERT_EXTENSION ),
1.1238 + OD( ansiX962prime192v3, SEC_OID_ANSIX962_EC_PRIME192V3,
1.1239 + "ANSI X9.62 elliptic curve prime192v3",
1.1240 + CKM_INVALID_MECHANISM,
1.1241 + INVALID_CERT_EXTENSION ),
1.1242 + OD( ansiX962prime239v1, SEC_OID_ANSIX962_EC_PRIME239V1,
1.1243 + "ANSI X9.62 elliptic curve prime239v1",
1.1244 + CKM_INVALID_MECHANISM,
1.1245 + INVALID_CERT_EXTENSION ),
1.1246 + OD( ansiX962prime239v2, SEC_OID_ANSIX962_EC_PRIME239V2,
1.1247 + "ANSI X9.62 elliptic curve prime239v2",
1.1248 +
CKM_INVALID_MECHANISM,
1.1249 + INVALID_CERT_EXTENSION ),
1.1250 + OD( ansiX962prime239v3, SEC_OID_ANSIX962_EC_PRIME239V3,
1.1251 + "ANSI X9.62 elliptic curve prime239v3",
1.1252 + CKM_INVALID_MECHANISM,
1.1253 + INVALID_CERT_EXTENSION ),
1.1254 + OD( ansiX962prime256v1, SEC_OID_ANSIX962_EC_PRIME256V1,
1.1255 + "ANSI X9.62 elliptic curve prime256v1 (aka secp256r1, NIST P-256)",
1.1256 + CKM_INVALID_MECHANISM,
1.1257 + INVALID_CERT_EXTENSION ),
1.1258 +
1.1259 + /* SECG named elliptic curves (prime field) */
1.1260 + OD( secgECsecp112r1, SEC_OID_SECG_EC_SECP112R1,
1.1261 + "SECG elliptic curve secp112r1",
1.1262 + CKM_INVALID_MECHANISM,
1.1263 + INVALID_CERT_EXTENSION ),
1.1264 + OD( secgECsecp112r2, SEC_OID_SECG_EC_SECP112R2,
1.1265 + "SECG elliptic curve secp112r2",
1.1266 + CKM_INVALID_MECHANISM,
1.1267 + INVALID_CERT_EXTENSION ),
1.1268 + OD( secgECsecp128r1, SEC_OID_SECG_EC_SECP128R1,
1.1269 + "SECG elliptic curve secp128r1",
1.1270 + CKM_INVALID_MECHANISM,
1.1271 + INVALID_CERT_EXTENSION ),
1.1272 + OD( secgECsecp128r2, SEC_OID_SECG_EC_SECP128R2,
1.1273 + "SECG elliptic curve secp128r2",
1.1274 + CKM_INVALID_MECHANISM,
1.1275 + INVALID_CERT_EXTENSION ),
1.1276 + OD( secgECsecp160k1, SEC_OID_SECG_EC_SECP160K1,
1.1277 + "SECG elliptic curve secp160k1",
1.1278 + CKM_INVALID_MECHANISM,
1.1279 + INVALID_CERT_EXTENSION ),
1.1280 + OD( secgECsecp160r1, SEC_OID_SECG_EC_SECP160R1,
1.1281 + "SECG elliptic curve secp160r1",
1.1282 + CKM_INVALID_MECHANISM,
1.1283 + INVALID_CERT_EXTENSION ),
1.1284 + OD( secgECsecp160r2, SEC_OID_SECG_EC_SECP160R2,
1.1285 + "SECG elliptic curve secp160r2",
1.1286 + CKM_INVALID_MECHANISM,
1.1287 + INVALID_CERT_EXTENSION ),
1.1288 + OD( secgECsecp192k1, SEC_OID_SECG_EC_SECP192K1,
1.1289 + "SECG elliptic curve secp192k1",
1.1290 + CKM_INVALID_MECHANISM,
1.1291 + INVALID_CERT_EXTENSION ),
1.1292 + OD( secgECsecp224k1, SEC_OID_SECG_EC_SECP224K1,
1.1293 + "SECG elliptic curve secp224k1",
1.1294 + CKM_INVALID_MECHANISM,
1.1295 +
INVALID_CERT_EXTENSION ),
1.1296 + OD( secgECsecp224r1, SEC_OID_SECG_EC_SECP224R1,
1.1297 + "SECG elliptic curve secp224r1 (aka NIST P-224)",
1.1298 + CKM_INVALID_MECHANISM,
1.1299 + INVALID_CERT_EXTENSION ),
1.1300 + OD( secgECsecp256k1, SEC_OID_SECG_EC_SECP256K1,
1.1301 + "SECG elliptic curve secp256k1",
1.1302 + CKM_INVALID_MECHANISM,
1.1303 + INVALID_CERT_EXTENSION ),
1.1304 + OD( secgECsecp384r1, SEC_OID_SECG_EC_SECP384R1,
1.1305 + "SECG elliptic curve secp384r1 (aka NIST P-384)",
1.1306 + CKM_INVALID_MECHANISM,
1.1307 + INVALID_CERT_EXTENSION ),
1.1308 + OD( secgECsecp521r1, SEC_OID_SECG_EC_SECP521R1,
1.1309 + "SECG elliptic curve secp521r1 (aka NIST P-521)",
1.1310 + CKM_INVALID_MECHANISM,
1.1311 + INVALID_CERT_EXTENSION ),
1.1312 +
1.1313 + /* ANSI X9.62 named elliptic curves (characteristic two field) */
1.1314 + OD( ansiX962c2pnb163v1, SEC_OID_ANSIX962_EC_C2PNB163V1,
1.1315 + "ANSI X9.62 elliptic curve c2pnb163v1",
1.1316 + CKM_INVALID_MECHANISM,
1.1317 + INVALID_CERT_EXTENSION ),
1.1318 + OD( ansiX962c2pnb163v2, SEC_OID_ANSIX962_EC_C2PNB163V2,
1.1319 + "ANSI X9.62 elliptic curve c2pnb163v2",
1.1320 + CKM_INVALID_MECHANISM,
1.1321 + INVALID_CERT_EXTENSION ),
1.1322 + OD( ansiX962c2pnb163v3, SEC_OID_ANSIX962_EC_C2PNB163V3,
1.1323 + "ANSI X9.62 elliptic curve c2pnb163v3",
1.1324 + CKM_INVALID_MECHANISM,
1.1325 + INVALID_CERT_EXTENSION ),
1.1326 + OD( ansiX962c2pnb176v1, SEC_OID_ANSIX962_EC_C2PNB176V1,
1.1327 + "ANSI X9.62 elliptic curve c2pnb176v1",
1.1328 + CKM_INVALID_MECHANISM,
1.1329 + INVALID_CERT_EXTENSION ),
1.1330 + OD( ansiX962c2tnb191v1, SEC_OID_ANSIX962_EC_C2TNB191V1,
1.1331 + "ANSI X9.62 elliptic curve c2tnb191v1",
1.1332 + CKM_INVALID_MECHANISM,
1.1333 + INVALID_CERT_EXTENSION ),
1.1334 + OD( ansiX962c2tnb191v2, SEC_OID_ANSIX962_EC_C2TNB191V2,
1.1335 + "ANSI X9.62 elliptic curve c2tnb191v2",
1.1336 + CKM_INVALID_MECHANISM,
1.1337 + INVALID_CERT_EXTENSION ),
1.1338 + OD( ansiX962c2tnb191v3, SEC_OID_ANSIX962_EC_C2TNB191V3,
1.1339 + "ANSI X9.62
elliptic curve c2tnb191v3",
1.1340 + CKM_INVALID_MECHANISM,
1.1341 + INVALID_CERT_EXTENSION ),
1.1342 + OD( ansiX962c2onb191v4, SEC_OID_ANSIX962_EC_C2ONB191V4,
1.1343 + "ANSI X9.62 elliptic curve c2onb191v4",
1.1344 + CKM_INVALID_MECHANISM,
1.1345 + INVALID_CERT_EXTENSION ),
1.1346 + OD( ansiX962c2onb191v5, SEC_OID_ANSIX962_EC_C2ONB191V5,
1.1347 + "ANSI X9.62 elliptic curve c2onb191v5",
1.1348 + CKM_INVALID_MECHANISM,
1.1349 + INVALID_CERT_EXTENSION ),
1.1350 + OD( ansiX962c2pnb208w1, SEC_OID_ANSIX962_EC_C2PNB208W1,
1.1351 + "ANSI X9.62 elliptic curve c2pnb208w1",
1.1352 + CKM_INVALID_MECHANISM,
1.1353 + INVALID_CERT_EXTENSION ),
1.1354 + OD( ansiX962c2tnb239v1, SEC_OID_ANSIX962_EC_C2TNB239V1,
1.1355 + "ANSI X9.62 elliptic curve c2tnb239v1",
1.1356 + CKM_INVALID_MECHANISM,
1.1357 + INVALID_CERT_EXTENSION ),
1.1358 + OD( ansiX962c2tnb239v2, SEC_OID_ANSIX962_EC_C2TNB239V2,
1.1359 + "ANSI X9.62 elliptic curve c2tnb239v2",
1.1360 + CKM_INVALID_MECHANISM,
1.1361 + INVALID_CERT_EXTENSION ),
1.1362 + OD( ansiX962c2tnb239v3, SEC_OID_ANSIX962_EC_C2TNB239V3,
1.1363 + "ANSI X9.62 elliptic curve c2tnb239v3",
1.1364 + CKM_INVALID_MECHANISM,
1.1365 + INVALID_CERT_EXTENSION ),
1.1366 + OD( ansiX962c2onb239v4, SEC_OID_ANSIX962_EC_C2ONB239V4,
1.1367 + "ANSI X9.62 elliptic curve c2onb239v4",
1.1368 + CKM_INVALID_MECHANISM,
1.1369 + INVALID_CERT_EXTENSION ),
1.1370 + OD( ansiX962c2onb239v5, SEC_OID_ANSIX962_EC_C2ONB239V5,
1.1371 + "ANSI X9.62 elliptic curve c2onb239v5",
1.1372 + CKM_INVALID_MECHANISM,
1.1373 + INVALID_CERT_EXTENSION ),
1.1374 + OD( ansiX962c2pnb272w1, SEC_OID_ANSIX962_EC_C2PNB272W1,
1.1375 + "ANSI X9.62 elliptic curve c2pnb272w1",
1.1376 + CKM_INVALID_MECHANISM,
1.1377 + INVALID_CERT_EXTENSION ),
1.1378 + OD( ansiX962c2pnb304w1, SEC_OID_ANSIX962_EC_C2PNB304W1,
1.1379 + "ANSI X9.62 elliptic curve c2pnb304w1",
1.1380 + CKM_INVALID_MECHANISM,
1.1381 + INVALID_CERT_EXTENSION ),
1.1382 + OD( ansiX962c2tnb359v1, SEC_OID_ANSIX962_EC_C2TNB359V1,
1.1383 + "ANSI X9.62 elliptic
curve c2tnb359v1",
1.1384 + CKM_INVALID_MECHANISM,
1.1385 + INVALID_CERT_EXTENSION ),
1.1386 + OD( ansiX962c2pnb368w1, SEC_OID_ANSIX962_EC_C2PNB368W1,
1.1387 + "ANSI X9.62 elliptic curve c2pnb368w1",
1.1388 + CKM_INVALID_MECHANISM,
1.1389 + INVALID_CERT_EXTENSION ),
1.1390 + OD( ansiX962c2tnb431r1, SEC_OID_ANSIX962_EC_C2TNB431R1,
1.1391 + "ANSI X9.62 elliptic curve c2tnb431r1",
1.1392 + CKM_INVALID_MECHANISM,
1.1393 + INVALID_CERT_EXTENSION ),
1.1394 +
1.1395 + /* SECG named elliptic curves (characterisitic two field) */
1.1396 + OD( secgECsect113r1, SEC_OID_SECG_EC_SECT113R1,
1.1397 + "SECG elliptic curve sect113r1",
1.1398 + CKM_INVALID_MECHANISM,
1.1399 + INVALID_CERT_EXTENSION ),
1.1400 + OD( secgECsect113r2, SEC_OID_SECG_EC_SECT113R2,
1.1401 + "SECG elliptic curve sect113r2",
1.1402 + CKM_INVALID_MECHANISM,
1.1403 + INVALID_CERT_EXTENSION ),
1.1404 + OD( secgECsect131r1, SEC_OID_SECG_EC_SECT131R1,
1.1405 + "SECG elliptic curve sect131r1",
1.1406 + CKM_INVALID_MECHANISM,
1.1407 + INVALID_CERT_EXTENSION ),
1.1408 + OD( secgECsect131r2, SEC_OID_SECG_EC_SECT131R2,
1.1409 + "SECG elliptic curve sect131r2",
1.1410 + CKM_INVALID_MECHANISM,
1.1411 + INVALID_CERT_EXTENSION ),
1.1412 + OD( secgECsect163k1, SEC_OID_SECG_EC_SECT163K1,
1.1413 + "SECG elliptic curve sect163k1 (aka NIST K-163)",
1.1414 + CKM_INVALID_MECHANISM,
1.1415 + INVALID_CERT_EXTENSION ),
1.1416 + OD( secgECsect163r1, SEC_OID_SECG_EC_SECT163R1,
1.1417 + "SECG elliptic curve sect163r1",
1.1418 + CKM_INVALID_MECHANISM,
1.1419 + INVALID_CERT_EXTENSION ),
1.1420 + OD( secgECsect163r2, SEC_OID_SECG_EC_SECT163R2,
1.1421 + "SECG elliptic curve sect163r2 (aka NIST B-163)",
1.1422 + CKM_INVALID_MECHANISM,
1.1423 + INVALID_CERT_EXTENSION ),
1.1424 + OD( secgECsect193r1, SEC_OID_SECG_EC_SECT193R1,
1.1425 + "SECG elliptic curve sect193r1",
1.1426 + CKM_INVALID_MECHANISM,
1.1427 + INVALID_CERT_EXTENSION ),
1.1428 + OD( secgECsect193r2, SEC_OID_SECG_EC_SECT193R2,
1.1429 + "SECG elliptic curve sect193r2",
1.1430 +
CKM_INVALID_MECHANISM,
1.1431 + INVALID_CERT_EXTENSION ),
1.1432 + OD( secgECsect233k1, SEC_OID_SECG_EC_SECT233K1,
1.1433 + "SECG elliptic curve sect233k1 (aka NIST K-233)",
1.1434 + CKM_INVALID_MECHANISM,
1.1435 + INVALID_CERT_EXTENSION ),
1.1436 + OD( secgECsect233r1, SEC_OID_SECG_EC_SECT233R1,
1.1437 + "SECG elliptic curve sect233r1 (aka NIST B-233)",
1.1438 + CKM_INVALID_MECHANISM,
1.1439 + INVALID_CERT_EXTENSION ),
1.1440 + OD( secgECsect239k1, SEC_OID_SECG_EC_SECT239K1,
1.1441 + "SECG elliptic curve sect239k1",
1.1442 + CKM_INVALID_MECHANISM,
1.1443 + INVALID_CERT_EXTENSION ),
1.1444 + OD( secgECsect283k1, SEC_OID_SECG_EC_SECT283K1,
1.1445 + "SECG elliptic curve sect283k1 (aka NIST K-283)",
1.1446 + CKM_INVALID_MECHANISM,
1.1447 + INVALID_CERT_EXTENSION ),
1.1448 + OD( secgECsect283r1, SEC_OID_SECG_EC_SECT283R1,
1.1449 + "SECG elliptic curve sect283r1 (aka NIST B-283)",
1.1450 + CKM_INVALID_MECHANISM,
1.1451 + INVALID_CERT_EXTENSION ),
1.1452 + OD( secgECsect409k1, SEC_OID_SECG_EC_SECT409K1,
1.1453 + "SECG elliptic curve sect409k1 (aka NIST K-409)",
1.1454 + CKM_INVALID_MECHANISM,
1.1455 + INVALID_CERT_EXTENSION ),
1.1456 + OD( secgECsect409r1, SEC_OID_SECG_EC_SECT409R1,
1.1457 + "SECG elliptic curve sect409r1 (aka NIST B-409)",
1.1458 + CKM_INVALID_MECHANISM,
1.1459 + INVALID_CERT_EXTENSION ),
1.1460 + OD( secgECsect571k1, SEC_OID_SECG_EC_SECT571K1,
1.1461 + "SECG elliptic curve sect571k1 (aka NIST K-571)",
1.1462 + CKM_INVALID_MECHANISM,
1.1463 + INVALID_CERT_EXTENSION ),
1.1464 + OD( secgECsect571r1, SEC_OID_SECG_EC_SECT571R1,
1.1465 + "SECG elliptic curve sect571r1 (aka NIST B-571)",
1.1466 + CKM_INVALID_MECHANISM,
1.1467 + INVALID_CERT_EXTENSION ),
1.1468 +
1.1469 + OD( netscapeAOLScreenname, SEC_OID_NETSCAPE_AOLSCREENNAME,
1.1470 + "AOL Screenname", CKM_INVALID_MECHANISM,
1.1471 + INVALID_CERT_EXTENSION ),
1.1472 +
1.1473 + OD( x520SurName, SEC_OID_AVA_SURNAME,
1.1474 + "X520 Title", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1475 + OD(
x520SerialNumber, SEC_OID_AVA_SERIAL_NUMBER,
1.1476 + "X520 Serial Number", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1477 + OD( x520StreetAddress, SEC_OID_AVA_STREET_ADDRESS,
1.1478 + "X520 Street Address", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1479 + OD( x520Title, SEC_OID_AVA_TITLE,
1.1480 + "X520 Title", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1481 + OD( x520PostalAddress, SEC_OID_AVA_POSTAL_ADDRESS,
1.1482 + "X520 Postal Address", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1483 + OD( x520PostalCode, SEC_OID_AVA_POSTAL_CODE,
1.1484 + "X520 Postal Code", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1485 + OD( x520PostOfficeBox, SEC_OID_AVA_POST_OFFICE_BOX,
1.1486 + "X520 Post Office Box", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1487 + OD( x520GivenName, SEC_OID_AVA_GIVEN_NAME,
1.1488 + "X520 Given Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1489 + OD( x520Initials, SEC_OID_AVA_INITIALS,
1.1490 + "X520 Initials", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1491 + OD( x520GenerationQualifier, SEC_OID_AVA_GENERATION_QUALIFIER,
1.1492 + "X520 Generation Qualifier",
1.1493 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1494 + OD( x520HouseIdentifier, SEC_OID_AVA_HOUSE_IDENTIFIER,
1.1495 + "X520 House Identifier",
1.1496 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1497 + OD( x520Pseudonym, SEC_OID_AVA_PSEUDONYM,
1.1498 + "X520 Pseudonym", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1499 +
1.1500 + /* More OIDs */
1.1501 + OD( pkixCAIssuers, SEC_OID_PKIX_CA_ISSUERS,
1.1502 + "PKIX CA issuers access method",
1.1503 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1504 + OD( pkcs9ExtensionRequest, SEC_OID_PKCS9_EXTENSION_REQUEST,
1.1505 + "PKCS #9 Extension Request",
1.1506 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1507 +
1.1508 + /* more ECC Signature Oids */
1.1509 + OD( ansix962SignatureRecommended,
1.1510 +
SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST,
1.1511 + "X9.62 ECDSA signature with recommended digest", CKM_INVALID_MECHANISM,
1.1512 + INVALID_CERT_EXTENSION ),
1.1513 + OD( ansix962SignatureSpecified,
1.1514 + SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST,
1.1515 + "X9.62 ECDSA signature with specified digest", CKM_ECDSA,
1.1516 + INVALID_CERT_EXTENSION ),
1.1517 + OD( ansix962SignaturewithSHA224Digest,
1.1518 + SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE,
1.1519 + "X9.62 ECDSA signature with SHA224", CKM_INVALID_MECHANISM,
1.1520 + INVALID_CERT_EXTENSION ),
1.1521 + OD( ansix962SignaturewithSHA256Digest,
1.1522 + SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE,
1.1523 + "X9.62 ECDSA signature with SHA256", CKM_INVALID_MECHANISM,
1.1524 + INVALID_CERT_EXTENSION ),
1.1525 + OD( ansix962SignaturewithSHA384Digest,
1.1526 + SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE,
1.1527 + "X9.62 ECDSA signature with SHA384", CKM_INVALID_MECHANISM,
1.1528 + INVALID_CERT_EXTENSION ),
1.1529 + OD( ansix962SignaturewithSHA512Digest,
1.1530 + SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE,
1.1531 + "X9.62 ECDSA signature with SHA512", CKM_INVALID_MECHANISM,
1.1532 + INVALID_CERT_EXTENSION ),
1.1533 +
1.1534 + /* More id-ce and id-pe OIDs from RFC 3280 */
1.1535 + OD( x509HoldInstructionCode, SEC_OID_X509_HOLD_INSTRUCTION_CODE,
1.1536 + "CRL Hold Instruction Code", CKM_INVALID_MECHANISM,
1.1537 + UNSUPPORTED_CERT_EXTENSION ),
1.1538 + OD( x509DeltaCRLIndicator, SEC_OID_X509_DELTA_CRL_INDICATOR,
1.1539 + "Delta CRL Indicator", CKM_INVALID_MECHANISM,
1.1540 + FAKE_SUPPORTED_CERT_EXTENSION ),
1.1541 + OD( x509IssuingDistributionPoint, SEC_OID_X509_ISSUING_DISTRIBUTION_POINT,
1.1542 + "Issuing Distribution Point", CKM_INVALID_MECHANISM,
1.1543 + FAKE_SUPPORTED_CERT_EXTENSION ),
1.1544 + OD( x509CertIssuer, SEC_OID_X509_CERT_ISSUER,
1.1545 + "Certificate Issuer Extension",CKM_INVALID_MECHANISM,
1.1546 + FAKE_SUPPORTED_CERT_EXTENSION ),
1.1547 + OD( x509FreshestCRL, SEC_OID_X509_FRESHEST_CRL,
1.1548 +
"Freshest CRL", CKM_INVALID_MECHANISM,
1.1549 + UNSUPPORTED_CERT_EXTENSION ),
1.1550 + OD( x509InhibitAnyPolicy, SEC_OID_X509_INHIBIT_ANY_POLICY,
1.1551 + "Inhibit Any Policy", CKM_INVALID_MECHANISM,
1.1552 + FAKE_SUPPORTED_CERT_EXTENSION ),
1.1553 + OD( x509SubjectInfoAccess, SEC_OID_X509_SUBJECT_INFO_ACCESS,
1.1554 + "Subject Info Access", CKM_INVALID_MECHANISM,
1.1555 + UNSUPPORTED_CERT_EXTENSION ),
1.1556 +
1.1557 + /* Camellia algorithm OIDs */
1.1558 + OD( camellia128_CBC, SEC_OID_CAMELLIA_128_CBC,
1.1559 + "CAMELLIA-128-CBC", CKM_CAMELLIA_CBC, INVALID_CERT_EXTENSION ),
1.1560 + OD( camellia192_CBC, SEC_OID_CAMELLIA_192_CBC,
1.1561 + "CAMELLIA-192-CBC", CKM_CAMELLIA_CBC, INVALID_CERT_EXTENSION ),
1.1562 + OD( camellia256_CBC, SEC_OID_CAMELLIA_256_CBC,
1.1563 + "CAMELLIA-256-CBC", CKM_CAMELLIA_CBC, INVALID_CERT_EXTENSION ),
1.1564 +
1.1565 + /* PKCS 5 v2 OIDS */
1.1566 + OD( pkcs5Pbkdf2, SEC_OID_PKCS5_PBKDF2,
1.1567 + "PKCS #5 Password Based Key Dervive Function v2 ",
1.1568 + CKM_PKCS5_PBKD2, INVALID_CERT_EXTENSION ),
1.1569 + OD( pkcs5Pbes2, SEC_OID_PKCS5_PBES2,
1.1570 + "PKCS #5 Password Based Encryption v2 ",
1.1571 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1572 + OD( pkcs5Pbmac1, SEC_OID_PKCS5_PBMAC1,
1.1573 + "PKCS #5 Password Based Authentication v1 ",
1.1574 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1575 + OD( hmac_sha1, SEC_OID_HMAC_SHA1, "HMAC SHA-1",
1.1576 + CKM_SHA_1_HMAC, INVALID_CERT_EXTENSION ),
1.1577 + OD( hmac_sha224, SEC_OID_HMAC_SHA224, "HMAC SHA-224",
1.1578 + CKM_SHA224_HMAC, INVALID_CERT_EXTENSION ),
1.1579 + OD( hmac_sha256, SEC_OID_HMAC_SHA256, "HMAC SHA-256",
1.1580 + CKM_SHA256_HMAC, INVALID_CERT_EXTENSION ),
1.1581 + OD( hmac_sha384, SEC_OID_HMAC_SHA384, "HMAC SHA-384",
1.1582 + CKM_SHA384_HMAC, INVALID_CERT_EXTENSION ),
1.1583 + OD( hmac_sha512, SEC_OID_HMAC_SHA512, "HMAC SHA-512",
1.1584 + CKM_SHA512_HMAC, INVALID_CERT_EXTENSION ),
1.1585 +
1.1586 + /* SIA extension OIDs */
1.1587 + OD( x509SIATimeStamping,
SEC_OID_PKIX_TIMESTAMPING,
1.1588 + "SIA Time Stamping", CKM_INVALID_MECHANISM,
1.1589 + INVALID_CERT_EXTENSION ),
1.1590 + OD( x509SIACaRepository, SEC_OID_PKIX_CA_REPOSITORY,
1.1591 + "SIA CA Repository", CKM_INVALID_MECHANISM,
1.1592 + INVALID_CERT_EXTENSION ),
1.1593 +
1.1594 + OD( isoSHA1WithRSASignature, SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE,
1.1595 + "ISO SHA-1 with RSA Signature",
1.1596 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1597 +
1.1598 + /* SEED algorithm OIDs */
1.1599 + OD( seed_CBC, SEC_OID_SEED_CBC,
1.1600 + "SEED-CBC", CKM_SEED_CBC, INVALID_CERT_EXTENSION),
1.1601 +
1.1602 + OD( x509CertificatePoliciesAnyPolicy, SEC_OID_X509_ANY_POLICY,
1.1603 + "Certificate Policies AnyPolicy",
1.1604 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1605 +
1.1606 + OD( pkcs1RSAOAEPEncryption, SEC_OID_PKCS1_RSA_OAEP_ENCRYPTION,
1.1607 + "PKCS #1 RSA-OAEP Encryption", CKM_RSA_PKCS_OAEP,
1.1608 + INVALID_CERT_EXTENSION ),
1.1609 +
1.1610 + OD( pkcs1MGF1, SEC_OID_PKCS1_MGF1,
1.1611 + "PKCS #1 MGF1 Mask Generation Function", CKM_INVALID_MECHANISM,
1.1612 + INVALID_CERT_EXTENSION ),
1.1613 +
1.1614 + OD( pkcs1PSpecified, SEC_OID_PKCS1_PSPECIFIED,
1.1615 + "PKCS #1 RSA-OAEP Explicitly Specified Encoding Parameters",
1.1616 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1617 +
1.1618 + OD( pkcs1RSAPSSSignature, SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
1.1619 + "PKCS #1 RSA-PSS Signature", CKM_RSA_PKCS_PSS,
1.1620 + INVALID_CERT_EXTENSION ),
1.1621 +
1.1622 + OD( pkcs1SHA224WithRSAEncryption, SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION,
1.1623 + "PKCS #1 SHA-224 With RSA Encryption", CKM_SHA224_RSA_PKCS,
1.1624 + INVALID_CERT_EXTENSION ),
1.1625 +
1.1626 + OD( sha224, SEC_OID_SHA224, "SHA-224", CKM_SHA224, INVALID_CERT_EXTENSION),
1.1627 +
1.1628 + OD( evIncorporationLocality, SEC_OID_EV_INCORPORATION_LOCALITY,
1.1629 + "Jurisdiction of Incorporation Locality Name",
1.1630 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1631 + OD( evIncorporationState,
SEC_OID_EV_INCORPORATION_STATE,
1.1632 + "Jurisdiction of Incorporation State Name",
1.1633 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1634 + OD( evIncorporationCountry, SEC_OID_EV_INCORPORATION_COUNTRY,
1.1635 + "Jurisdiction of Incorporation Country Name",
1.1636 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1637 + OD( x520BusinessCategory, SEC_OID_BUSINESS_CATEGORY,
1.1638 + "Business Category",
1.1639 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1640 +
1.1641 + OD( nistDSASignaturewithSHA224Digest,
1.1642 + SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST,
1.1643 + "DSA with SHA-224 Signature",
1.1644 + CKM_INVALID_MECHANISM /* not yet defined */, INVALID_CERT_EXTENSION),
1.1645 + OD( nistDSASignaturewithSHA256Digest,
1.1646 + SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST,
1.1647 + "DSA with SHA-256 Signature",
1.1648 + CKM_INVALID_MECHANISM /* not yet defined */, INVALID_CERT_EXTENSION),
1.1649 + OD( msExtendedKeyUsageTrustListSigning,
1.1650 + SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING,
1.1651 + "Microsoft Trust List Signing",
1.1652 + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1.1653 + OD( x520Name, SEC_OID_AVA_NAME,
1.1654 + "X520 Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION )
1.1655 +};
1.1656 +
1.1657 +/* PRIVATE EXTENDED SECOID Table
1.1658 + * This table is private. Its structure is opaque to the outside.
1.1659 + * It is indexed by the same SECOidTag as the oids table above.
1.1660 + * Every member of this struct must have accessor functions (set, get)
1.1661 + * and those functions must operate by value, not by reference.
1.1662 + * The addresses of the contents of this table must not be exposed
1.1663 + * by the accessor functions.
1.1664 + */
1.1665 +typedef struct privXOidStr {
1.1666 + PRUint32 notPolicyFlags; /* ones complement of policy flags */
1.1667 +} privXOid;
1.1668 +
1.1669 +static privXOid xOids[SEC_OID_TOTAL];
1.1670 +
1.1671 +/*
1.1672 + * now the dynamic table. The dynamic table gets build at init time.
1.1673 + * and conceivably gets modified if the user loads new crypto modules.
1.1674 + * All this static data, and the allocated data to which it points,
1.1675 + * is protected by a global reader/writer lock.
1.1676 + * The c language guarantees that global and static data that is not
1.1677 + * explicitly initialized will be initialized with zeros. If we
1.1678 + * initialize it with zeros, the data goes into the initialized data
1.1679 + * secment, and increases the size of the library. By leaving it
1.1680 + * uninitialized, it is allocated in BSS, and does NOT increase the
1.1681 + * library size.
1.1682 + */
1.1683 +
1.1684 +typedef struct dynXOidStr {
1.1685 + SECOidData data;
1.1686 + privXOid priv;
1.1687 +} dynXOid;
1.1688 +
1.1689 +static NSSRWLock * dynOidLock;
1.1690 +static PLArenaPool * dynOidPool;
1.1691 +static PLHashTable * dynOidHash;
1.1692 +static dynXOid ** dynOidTable; /* not in the pool */
1.1693 +static int dynOidEntriesAllocated;
1.1694 +static int dynOidEntriesUsed;
1.1695 +
1.1696 +/* Creates NSSRWLock and dynOidPool at initialization time.
1.1697 +*/
1.1698 +static SECStatus
1.1699 +secoid_InitDynOidData(void)
1.1700 +{
1.1701 + SECStatus rv = SECSuccess;
1.1702 +
1.1703 + dynOidLock = NSSRWLock_New(1, "dynamic OID data");
1.1704 + if (!dynOidLock) {
1.1705 + return SECFailure; /* Error code should already be set. */
1.1706 + }
1.1707 + dynOidPool = PORT_NewArena(2048);
1.1708 + if (!dynOidPool) {
1.1709 + rv = SECFailure /* Error code should already be set. */;
1.1710 + }
1.1711 + return rv;
1.1712 +}
1.1713 +
1.1714 +/* Add oidData to hash table. Caller holds write lock dynOidLock.
*/
1.1715 +static SECStatus
1.1716 +secoid_HashDynamicOiddata(const SECOidData * oid)
1.1717 +{
1.1718 + PLHashEntry *entry;
1.1719 +
1.1720 + if (!dynOidHash) {
1.1721 + dynOidHash = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
1.1722 + PL_CompareValues, NULL, NULL);
1.1723 + if ( !dynOidHash ) {
1.1724 + return SECFailure;
1.1725 + }
1.1726 + }
1.1727 +
1.1728 + entry = PL_HashTableAdd( dynOidHash, &oid->oid, (void *)oid );
1.1729 + return entry ? SECSuccess : SECFailure;
1.1730 +}
1.1731 +
1.1732 +
1.1733 +/*
1.1734 + * Lookup a Dynamic OID. Dynamic OID's still change slowly, so it's
1.1735 + * cheaper to rehash the table when it changes than it is to do the loop
1.1736 + * each time.
1.1737 + */
1.1738 +static SECOidData *
1.1739 +secoid_FindDynamic(const SECItem *key)
1.1740 +{
1.1741 + SECOidData *ret = NULL;
1.1742 +
1.1743 + if (dynOidHash) {
1.1744 + NSSRWLock_LockRead(dynOidLock);
1.1745 + if (dynOidHash) { /* must check it again with lock held. */
1.1746 + ret = (SECOidData *)PL_HashTableLookup(dynOidHash, key);
1.1747 + }
1.1748 + NSSRWLock_UnlockRead(dynOidLock);
1.1749 + }
1.1750 + if (ret == NULL) {
1.1751 + PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
1.1752 + }
1.1753 + return ret;
1.1754 +}
1.1755 +
1.1756 +static dynXOid *
1.1757 +secoid_FindDynamicByTag(SECOidTag tagnum)
1.1758 +{
1.1759 + dynXOid *dxo = NULL;
1.1760 + int tagNumDiff;
1.1761 +
1.1762 + if (tagnum < SEC_OID_TOTAL) {
1.1763 + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1.1764 + return NULL;
1.1765 + }
1.1766 + tagNumDiff = tagnum - SEC_OID_TOTAL;
1.1767 +
1.1768 + if (dynOidTable) {
1.1769 + NSSRWLock_LockRead(dynOidLock);
1.1770 + if (dynOidTable != NULL && /* must check it again with lock held.
*/
1.1771 + tagNumDiff < dynOidEntriesUsed) {
1.1772 + dxo = dynOidTable[tagNumDiff];
1.1773 + }
1.1774 + NSSRWLock_UnlockRead(dynOidLock);
1.1775 + }
1.1776 + if (dxo == NULL) {
1.1777 + PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
1.1778 + }
1.1779 + return dxo;
1.1780 +}
1.1781 +
1.1782 +/*
1.1783 + * This routine is thread safe now.
1.1784 + */
1.1785 +SECOidTag
1.1786 +SECOID_AddEntry(const SECOidData * src)
1.1787 +{
1.1788 + SECOidData * dst;
1.1789 + dynXOid **table;
1.1790 + SECOidTag ret = SEC_OID_UNKNOWN;
1.1791 + SECStatus rv;
1.1792 + int tableEntries;
1.1793 + int used;
1.1794 +
1.1795 + if (!src || !src->oid.data || !src->oid.len || \
1.1796 + !src->desc || !strlen(src->desc)) {
1.1797 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.1798 + return ret;
1.1799 + }
1.1800 + if (src->supportedExtension != INVALID_CERT_EXTENSION &&
1.1801 + src->supportedExtension != UNSUPPORTED_CERT_EXTENSION &&
1.1802 + src->supportedExtension != SUPPORTED_CERT_EXTENSION ) {
1.1803 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.1804 + return ret;
1.1805 + }
1.1806 +
1.1807 + if (!dynOidPool || !dynOidLock) {
1.1808 + PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
1.1809 + return ret;
1.1810 + }
1.1811 +
1.1812 + NSSRWLock_LockWrite(dynOidLock);
1.1813 +
1.1814 + /* We've just acquired the write lock, and now we call FindOIDTag
1.1815 + ** which will acquire and release the read lock. NSSRWLock has been
1.1816 + ** designed to allow this very case without deadlock. This approach
1.1817 + ** makes the test for the presence of the OID, and the subsequent
1.1818 + ** addition of the OID to the table a single atomic write operation.
1.1819 + */
1.1820 + ret = SECOID_FindOIDTag(&src->oid);
1.1821 + if (ret != SEC_OID_UNKNOWN) {
1.1822 + /* we could return an error here, but I chose not to do that.
1.1823 + ** This way, if we add an OID to the shared library's built in
1.1824 + ** list of OIDs in some future release, and that OID is the same
1.1825 + ** as some OID that a program has been adding, the program will
1.1826 + ** not suddenly stop working.
1.1827 + */
1.1828 + goto done;
1.1829 + }
1.1830 +
1.1831 + table = dynOidTable;
1.1832 + tableEntries = dynOidEntriesAllocated;
1.1833 + used = dynOidEntriesUsed;
1.1834 +
1.1835 + if (used + 1 > tableEntries) {
1.1836 + dynXOid ** newTable;
1.1837 + int newTableEntries = tableEntries + 16;
1.1838 +
1.1839 + newTable = (dynXOid **)PORT_Realloc(table,
1.1840 + newTableEntries * sizeof(dynXOid *));
1.1841 + if (newTable == NULL) {
1.1842 + goto done;
1.1843 + }
1.1844 + dynOidTable = table = newTable;
1.1845 + dynOidEntriesAllocated = tableEntries = newTableEntries;
1.1846 + }
1.1847 +
1.1848 + /* copy oid structure */
1.1849 + dst = (SECOidData *)PORT_ArenaZNew(dynOidPool, dynXOid);
1.1850 + if (!dst) {
1.1851 + goto done;
1.1852 + }
1.1853 + rv = SECITEM_CopyItem(dynOidPool, &dst->oid, &src->oid);
1.1854 + if (rv != SECSuccess) {
1.1855 + goto done;
1.1856 + }
1.1857 + dst->desc = PORT_ArenaStrdup(dynOidPool, src->desc);
1.1858 + if (!dst->desc) {
1.1859 + goto done;
1.1860 + }
1.1861 + dst->offset = (SECOidTag)(used + SEC_OID_TOTAL);
1.1862 + dst->mechanism = src->mechanism;
1.1863 + dst->supportedExtension = src->supportedExtension;
1.1864 +
1.1865 + rv = secoid_HashDynamicOiddata(dst);
1.1866 + if (rv == SECSuccess) {
1.1867 + table[used++] = (dynXOid *)dst;
1.1868 + dynOidEntriesUsed = used;
1.1869 + ret = dst->offset;
1.1870 + }
1.1871 +done:
1.1872 + NSSRWLock_UnlockWrite(dynOidLock);
1.1873 + return ret;
1.1874 +}
1.1875 +
1.1876 +
1.1877 +/* normal static table processing */
1.1878 +static PLHashTable *oidhash = NULL;
1.1879 +static PLHashTable *oidmechhash = NULL;
1.1880 +
1.1881 +static PLHashNumber
1.1882 +secoid_HashNumber(const void *key)
1.1883 +{
1.1884 + return (PLHashNumber) key;
1.1885 +}
1.1886 +
1.1887 +static void
1.1888 +handleHashAlgSupport(char * envVal)
1.1889 +{
1.1890 + char * myVal = PORT_Strdup(envVal); /* Get a copy we can alter */
1.1891 + char * arg = myVal;
1.1892 +
1.1893 + while (arg && *arg) {
1.1894 + char * nextArg = PL_strpbrk(arg, ";");
1.1895 + PRUint32 notEnable;
1.1896 +
1.1897 + if (nextArg) {
1.1898 + while (*nextArg == ';') {
1.1899 + *nextArg++ = '\0';
1.1900 + }
1.1901 + }
1.1902 + notEnable = (*arg == '-') ? NSS_USE_ALG_IN_CERT_SIGNATURE : 0;
1.1903 + if ((*arg == '+' || *arg == '-') && *++arg) {
1.1904 + int i;
1.1905 +
1.1906 + for (i = 1; i < SEC_OID_TOTAL; i++) {
1.1907 + if (oids[i].desc && strstr(arg, oids[i].desc)) {
1.1908 + xOids[i].notPolicyFlags = notEnable |
1.1909 + (xOids[i].notPolicyFlags & ~NSS_USE_ALG_IN_CERT_SIGNATURE);
1.1910 + }
1.1911 + }
1.1912 + }
1.1913 + arg = nextArg;
1.1914 + }
1.1915 + PORT_Free(myVal); /* can handle NULL argument OK */
1.1916 +}
1.1917 +
1.1918 +SECStatus
1.1919 +SECOID_Init(void)
1.1920 +{
1.1921 + PLHashEntry *entry;
1.1922 + const SECOidData *oid;
1.1923 + int i;
1.1924 + char * envVal;
1.1925 + volatile char c; /* force a reference that won't get optimized away */
1.1926 +
1.1927 + c = __nss_util_rcsid[0] + __nss_util_sccsid[0];
1.1928 +
1.1929 + if (oidhash) {
1.1930 + return SECSuccess; /* already initialized */
1.1931 + }
1.1932 +
1.1933 + if (!PR_GetEnv("NSS_ALLOW_WEAK_SIGNATURE_ALG")) {
1.1934 + /* initialize any policy flags that are disabled by default */
1.1935 + xOids[SEC_OID_MD2 ].notPolicyFlags = ~0;
1.1936 + xOids[SEC_OID_MD4 ].notPolicyFlags = ~0;
1.1937 + xOids[SEC_OID_MD5 ].notPolicyFlags = ~0;
1.1938 + xOids[SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION ].notPolicyFlags = ~0;
1.1939 + xOids[SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION ].notPolicyFlags = ~0;
1.1940 + xOids[SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION ].notPolicyFlags = ~0;
1.1941 + xOids[SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC].notPolicyFlags = ~0;
1.1942 +
xOids[SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC].notPolicyFlags = ~0;
1.1943 + }
1.1944 +
1.1945 + envVal = PR_GetEnv("NSS_HASH_ALG_SUPPORT");
1.1946 + if (envVal)
1.1947 + handleHashAlgSupport(envVal);
1.1948 +
1.1949 + if (secoid_InitDynOidData() != SECSuccess) {
1.1950 + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1.1951 + PORT_Assert(0); /* this function should never fail */
1.1952 + return SECFailure;
1.1953 + }
1.1954 +
1.1955 + oidhash = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
1.1956 + PL_CompareValues, NULL, NULL);
1.1957 + oidmechhash = PL_NewHashTable(0, secoid_HashNumber, PL_CompareValues,
1.1958 + PL_CompareValues, NULL, NULL);
1.1959 +
1.1960 + if ( !oidhash || !oidmechhash) {
1.1961 + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1.1962 + PORT_Assert(0); /*This function should never fail. */
1.1963 + return(SECFailure);
1.1964 + }
1.1965 +
1.1966 + for ( i = 0; i < SEC_OID_TOTAL; i++ ) {
1.1967 + oid = &oids[i];
1.1968 +
1.1969 + PORT_Assert ( oid->offset == i );
1.1970 +
1.1971 + entry = PL_HashTableAdd( oidhash, &oid->oid, (void *)oid );
1.1972 + if ( entry == NULL ) {
1.1973 + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1.1974 + PORT_Assert(0); /*This function should never fail. */
1.1975 + return(SECFailure);
1.1976 + }
1.1977 +
1.1978 + if ( oid->mechanism != CKM_INVALID_MECHANISM ) {
1.1979 + entry = PL_HashTableAdd( oidmechhash,
1.1980 + (void *)oid->mechanism, (void *)oid );
1.1981 + if ( entry == NULL ) {
1.1982 + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1.1983 + PORT_Assert(0); /* This function should never fail.
*/
1.1984 + return(SECFailure);
1.1985 + }
1.1986 + }
1.1987 + }
1.1988 +
1.1989 + PORT_Assert (i == SEC_OID_TOTAL);
1.1990 +
1.1991 + return(SECSuccess);
1.1992 +}
1.1993 +
1.1994 +SECOidData *
1.1995 +SECOID_FindOIDByMechanism(unsigned long mechanism)
1.1996 +{
1.1997 + SECOidData *ret;
1.1998 +
1.1999 + PR_ASSERT(oidhash != NULL);
1.2000 +
1.2001 + ret = PL_HashTableLookupConst ( oidmechhash, (void *)mechanism);
1.2002 + if ( ret == NULL ) {
1.2003 + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1.2004 + }
1.2005 +
1.2006 + return (ret);
1.2007 +}
1.2008 +
1.2009 +SECOidData *
1.2010 +SECOID_FindOID(const SECItem *oid)
1.2011 +{
1.2012 + SECOidData *ret;
1.2013 +
1.2014 + PR_ASSERT(oidhash != NULL);
1.2015 +
1.2016 + ret = PL_HashTableLookupConst ( oidhash, oid );
1.2017 + if ( ret == NULL ) {
1.2018 + ret = secoid_FindDynamic(oid);
1.2019 + if (ret == NULL) {
1.2020 + PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
1.2021 + }
1.2022 + }
1.2023 +
1.2024 + return(ret);
1.2025 +}
1.2026 +
1.2027 +SECOidTag
1.2028 +SECOID_FindOIDTag(const SECItem *oid)
1.2029 +{
1.2030 + SECOidData *oiddata;
1.2031 +
1.2032 + oiddata = SECOID_FindOID (oid);
1.2033 + if (oiddata == NULL)
1.2034 + return SEC_OID_UNKNOWN;
1.2035 +
1.2036 + return oiddata->offset;
1.2037 +}
1.2038 +
1.2039 +/* This really should return const. */
1.2040 +SECOidData *
1.2041 +SECOID_FindOIDByTag(SECOidTag tagnum)
1.2042 +{
1.2043 + if (tagnum >= SEC_OID_TOTAL) {
1.2044 + return (SECOidData *)secoid_FindDynamicByTag(tagnum);
1.2045 + }
1.2046 +
1.2047 + PORT_Assert((unsigned int)tagnum < SEC_OID_TOTAL);
1.2048 + return (SECOidData *)(&oids[tagnum]);
1.2049 +}
1.2050 +
1.2051 +PRBool SECOID_KnownCertExtenOID (SECItem *extenOid)
1.2052 +{
1.2053 + SECOidData * oidData;
1.2054 +
1.2055 + oidData = SECOID_FindOID (extenOid);
1.2056 + if (oidData == (SECOidData *)NULL)
1.2057 + return (PR_FALSE);
1.2058 + return ((oidData->supportedExtension == SUPPORTED_CERT_EXTENSION) ?
1.2059 + PR_TRUE : PR_FALSE);
1.2060 +}
1.2061 +
1.2062 +
1.2063 +const char *
1.2064 +SECOID_FindOIDTagDescription(SECOidTag tagnum)
1.2065 +{
1.2066 + const SECOidData *oidData = SECOID_FindOIDByTag(tagnum);
1.2067 + return oidData ? oidData->desc : 0;
1.2068 +}
1.2069 +
1.2070 +/* --------- opaque extended OID table accessor functions ---------------*/
1.2071 +/*
1.2072 + * Any of these functions may return SECSuccess or SECFailure with the error
1.2073 + * code set to SEC_ERROR_UNKNOWN_OBJECT_TYPE if the SECOidTag is out of range.
1.2074 + */
1.2075 +
1.2076 +static privXOid *
1.2077 +secoid_FindXOidByTag(SECOidTag tagnum)
1.2078 +{
1.2079 + if (tagnum >= SEC_OID_TOTAL) {
1.2080 + dynXOid *dxo = secoid_FindDynamicByTag(tagnum);
1.2081 + return (dxo ? &dxo->priv : NULL);
1.2082 + }
1.2083 +
1.2084 + PORT_Assert((unsigned int)tagnum < SEC_OID_TOTAL);
1.2085 + return &xOids[tagnum];
1.2086 +}
1.2087 +
1.2088 +/* The Get function outputs the 32-bit value associated with the SECOidTag.
1.2089 + * Flags bits are the NSS_USE_ALG_ #defines in "secoidt.h".
1.2090 + * Default value for any algorithm is 0xffffffff (enabled for all purposes).
1.2091 + * No value is output if function returns SECFailure.
1.2092 + */
1.2093 +SECStatus
1.2094 +NSS_GetAlgorithmPolicy(SECOidTag tag, PRUint32 *pValue)
1.2095 +{
1.2096 + privXOid * pxo = secoid_FindXOidByTag(tag);
1.2097 + if (!pxo)
1.2098 + return SECFailure;
1.2099 + if (!pValue) {
1.2100 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.2101 + return SECFailure;
1.2102 + }
1.2103 + *pValue = ~(pxo->notPolicyFlags);
1.2104 + return SECSuccess;
1.2105 +}
1.2106 +
1.2107 +/* The Set function modifies the stored value according to the following
1.2108 + * algorithm:
1.2109 + * policy[tag] = (policy[tag] & ~clearBits) | setBits;
1.2110 + */
1.2111 +SECStatus
1.2112 +NSS_SetAlgorithmPolicy(SECOidTag tag, PRUint32 setBits, PRUint32 clearBits)
1.2113 +{
1.2114 + privXOid * pxo = secoid_FindXOidByTag(tag);
1.2115 + PRUint32 policyFlags;
1.2116 + if (!pxo)
1.2117 + return SECFailure;
1.2118 + /* The stored policy flags are the ones complement of the flags as
1.2119 + * seen by the user. This is not atomic, but these changes should
1.2120 + * be done rarely, e.g. at initialization time.
1.2121 + */
1.2122 + policyFlags = ~(pxo->notPolicyFlags);
1.2123 + policyFlags = (policyFlags & ~clearBits) | setBits;
1.2124 + pxo->notPolicyFlags = ~policyFlags;
1.2125 + return SECSuccess;
1.2126 +}
1.2127 +
1.2128 +/* --------- END OF opaque extended OID table accessor functions ---------*/
1.2129 +
1.2130 +/* for now, this is only used in a single place, so it can remain static */
1.2131 +static PRBool parentForkedAfterC_Initialize;
1.2132 +
1.2133 +#define SKIP_AFTER_FORK(x) if (!parentForkedAfterC_Initialize) x
1.2134 +
1.2135 +/*
1.2136 + * free up the oid tables.
1.2137 + */
1.2138 +SECStatus
1.2139 +SECOID_Shutdown(void)
1.2140 +{
1.2141 + if (oidhash) {
1.2142 + PL_HashTableDestroy(oidhash);
1.2143 + oidhash = NULL;
1.2144 + }
1.2145 + if (oidmechhash) {
1.2146 + PL_HashTableDestroy(oidmechhash);
1.2147 + oidmechhash = NULL;
1.2148 + }
1.2149 + /* Have to handle the case where the lock was created, but
1.2150 + ** the pool wasn't.
1.2151 + ** I'm not going to attempt to create the lock, just to protect
1.2152 + ** the destruction of data that probably isn't initialized anyway.
1.2153 + */
1.2154 + if (dynOidLock) {
1.2155 + SKIP_AFTER_FORK(NSSRWLock_LockWrite(dynOidLock));
1.2156 + if (dynOidHash) {
1.2157 + PL_HashTableDestroy(dynOidHash);
1.2158 + dynOidHash = NULL;
1.2159 + }
1.2160 + if (dynOidPool) {
1.2161 + PORT_FreeArena(dynOidPool, PR_FALSE);
1.2162 + dynOidPool = NULL;
1.2163 + }
1.2164 + if (dynOidTable) {
1.2165 + PORT_Free(dynOidTable);
1.2166 + dynOidTable = NULL;
1.2167 + }
1.2168 + dynOidEntriesAllocated = 0;
1.2169 + dynOidEntriesUsed = 0;
1.2170 +
1.2171 + SKIP_AFTER_FORK(NSSRWLock_UnlockWrite(dynOidLock));
1.2172 + SKIP_AFTER_FORK(NSSRWLock_Destroy(dynOidLock));
1.2173 + dynOidLock = NULL;
1.2174 + } else {
1.2175 + /* Since dynOidLock doesn't exist, then all the data it protects
1.2176 + ** should be uninitialized. We'll check that (in DEBUG builds),
1.2177 + ** and then make sure it is so, in case NSS is reinitialized.
1.2178 + */
1.2179 + PORT_Assert(!dynOidHash && !dynOidPool && !dynOidTable && \
1.2180 + !dynOidEntriesAllocated && !dynOidEntriesUsed);
1.2181 + dynOidHash = NULL;
1.2182 + dynOidPool = NULL;
1.2183 + dynOidTable = NULL;
1.2184 + dynOidEntriesAllocated = 0;
1.2185 + dynOidEntriesUsed = 0;
1.2186 + }
1.2187 + memset(xOids, 0, sizeof xOids);
1.2188 + return SECSuccess;
1.2189 +}
1.2190 +
1.2191 +void UTIL_SetForkState(PRBool forked)
1.2192 +{
1.2193 + parentForkedAfterC_Initialize = forked;
1.2194 +}
1.2195 +
1.2196 +const char *
1.2197 +NSSUTIL_GetVersion(void)
1.2198 +{
1.2199 + return NSSUTIL_VERSION;
1.2200 +}