michael@0: /* This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: michael@0: #ifndef _PKCS11N_H_ michael@0: #define _PKCS11N_H_ michael@0: michael@0: /* michael@0: * pkcs11n.h michael@0: * michael@0: * This file contains the NSS-specific type definitions for Cryptoki michael@0: * (PKCS#11). michael@0: */ michael@0: michael@0: /* michael@0: * NSSCK_VENDOR_NSS michael@0: * michael@0: * Cryptoki reserves the high half of all the number spaces for michael@0: * vendor-defined use. I'd like to keep all of our NSS- michael@0: * specific values together, but not in the oh-so-obvious michael@0: * 0x80000001, 0x80000002, etc. area. So I've picked an offset, michael@0: * and constructed values for the beginnings of our spaces. michael@0: * michael@0: * Note that some "historical" Netscape values don't fall within michael@0: * this range. michael@0: */ michael@0: #define NSSCK_VENDOR_NSS 0x4E534350 /* NSCP */ michael@0: michael@0: /* michael@0: * NSS-defined object classes michael@0: * michael@0: */ michael@0: #define CKO_NSS (CKO_VENDOR_DEFINED|NSSCK_VENDOR_NSS) michael@0: michael@0: #define CKO_NSS_CRL (CKO_NSS + 1) michael@0: #define CKO_NSS_SMIME (CKO_NSS + 2) michael@0: #define CKO_NSS_TRUST (CKO_NSS + 3) michael@0: #define CKO_NSS_BUILTIN_ROOT_LIST (CKO_NSS + 4) michael@0: #define CKO_NSS_NEWSLOT (CKO_NSS + 5) michael@0: #define CKO_NSS_DELSLOT (CKO_NSS + 6) michael@0: michael@0: michael@0: /* michael@0: * NSS-defined key types michael@0: * michael@0: */ michael@0: #define CKK_NSS (CKK_VENDOR_DEFINED|NSSCK_VENDOR_NSS) michael@0: michael@0: #define CKK_NSS_PKCS8 (CKK_NSS + 1) michael@0: michael@0: #define CKK_NSS_JPAKE_ROUND1 (CKK_NSS + 2) michael@0: #define CKK_NSS_JPAKE_ROUND2 (CKK_NSS + 3) michael@0: michael@0: /* michael@0: * NSS-defined certificate types michael@0: * michael@0: */ michael@0: #define CKC_NSS (CKC_VENDOR_DEFINED|NSSCK_VENDOR_NSS) michael@0: michael@0: /* FAKE PKCS #11 defines */ michael@0: #define CKA_DIGEST 0x81000000L michael@0: #define CKA_FLAGS_ONLY 0 /* CKA_CLASS */ michael@0: michael@0: /* michael@0: * NSS-defined object attributes michael@0: * michael@0: */ michael@0: #define CKA_NSS (CKA_VENDOR_DEFINED|NSSCK_VENDOR_NSS) michael@0: michael@0: #define CKA_NSS_URL (CKA_NSS + 1) michael@0: #define CKA_NSS_EMAIL (CKA_NSS + 2) michael@0: #define CKA_NSS_SMIME_INFO (CKA_NSS + 3) michael@0: #define CKA_NSS_SMIME_TIMESTAMP (CKA_NSS + 4) michael@0: #define CKA_NSS_PKCS8_SALT (CKA_NSS + 5) michael@0: #define CKA_NSS_PASSWORD_CHECK (CKA_NSS + 6) michael@0: #define CKA_NSS_EXPIRES (CKA_NSS + 7) michael@0: #define CKA_NSS_KRL (CKA_NSS + 8) michael@0: michael@0: #define CKA_NSS_PQG_COUNTER (CKA_NSS + 20) michael@0: #define CKA_NSS_PQG_SEED (CKA_NSS + 21) michael@0: #define CKA_NSS_PQG_H (CKA_NSS + 22) michael@0: #define CKA_NSS_PQG_SEED_BITS (CKA_NSS + 23) michael@0: #define CKA_NSS_MODULE_SPEC (CKA_NSS + 24) michael@0: #define CKA_NSS_OVERRIDE_EXTENSIONS (CKA_NSS + 25) michael@0: michael@0: #define CKA_NSS_JPAKE_SIGNERID (CKA_NSS + 26) michael@0: #define CKA_NSS_JPAKE_PEERID (CKA_NSS + 27) michael@0: #define CKA_NSS_JPAKE_GX1 (CKA_NSS + 28) michael@0: #define CKA_NSS_JPAKE_GX2 (CKA_NSS + 29) michael@0: #define CKA_NSS_JPAKE_GX3 (CKA_NSS + 30) michael@0: #define CKA_NSS_JPAKE_GX4 (CKA_NSS + 31) michael@0: #define CKA_NSS_JPAKE_X2 (CKA_NSS + 32) michael@0: #define CKA_NSS_JPAKE_X2S (CKA_NSS + 33) michael@0: michael@0: /* michael@0: * Trust attributes: michael@0: * michael@0: * If trust goes standard, these probably will too. So I'll michael@0: * put them all in one place. michael@0: */ michael@0: michael@0: #define CKA_TRUST (CKA_NSS + 0x2000) michael@0: michael@0: /* "Usage" key information */ michael@0: #define CKA_TRUST_DIGITAL_SIGNATURE (CKA_TRUST + 1) michael@0: #define CKA_TRUST_NON_REPUDIATION (CKA_TRUST + 2) michael@0: #define CKA_TRUST_KEY_ENCIPHERMENT (CKA_TRUST + 3) michael@0: #define CKA_TRUST_DATA_ENCIPHERMENT (CKA_TRUST + 4) michael@0: #define CKA_TRUST_KEY_AGREEMENT (CKA_TRUST + 5) michael@0: #define CKA_TRUST_KEY_CERT_SIGN (CKA_TRUST + 6) michael@0: #define CKA_TRUST_CRL_SIGN (CKA_TRUST + 7) michael@0: michael@0: /* "Purpose" trust information */ michael@0: #define CKA_TRUST_SERVER_AUTH (CKA_TRUST + 8) michael@0: #define CKA_TRUST_CLIENT_AUTH (CKA_TRUST + 9) michael@0: #define CKA_TRUST_CODE_SIGNING (CKA_TRUST + 10) michael@0: #define CKA_TRUST_EMAIL_PROTECTION (CKA_TRUST + 11) michael@0: #define CKA_TRUST_IPSEC_END_SYSTEM (CKA_TRUST + 12) michael@0: #define CKA_TRUST_IPSEC_TUNNEL (CKA_TRUST + 13) michael@0: #define CKA_TRUST_IPSEC_USER (CKA_TRUST + 14) michael@0: #define CKA_TRUST_TIME_STAMPING (CKA_TRUST + 15) michael@0: #define CKA_TRUST_STEP_UP_APPROVED (CKA_TRUST + 16) michael@0: michael@0: #define CKA_CERT_SHA1_HASH (CKA_TRUST + 100) michael@0: #define CKA_CERT_MD5_HASH (CKA_TRUST + 101) michael@0: michael@0: /* NSS trust stuff */ michael@0: michael@0: /* HISTORICAL: define used to pass in the database key for DSA private keys */ michael@0: #define CKA_NETSCAPE_DB 0xD5A0DB00L michael@0: #define CKA_NETSCAPE_TRUST 0x80000001L michael@0: michael@0: /* FAKE PKCS #11 defines */ michael@0: #define CKM_FAKE_RANDOM 0x80000efeUL michael@0: #define CKM_INVALID_MECHANISM 0xffffffffUL michael@0: michael@0: /* michael@0: * NSS-defined crypto mechanisms michael@0: * michael@0: */ michael@0: #define CKM_NSS (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NSS) michael@0: michael@0: #define CKM_NSS_AES_KEY_WRAP (CKM_NSS + 1) michael@0: #define CKM_NSS_AES_KEY_WRAP_PAD (CKM_NSS + 2) michael@0: michael@0: /* HKDF key derivation mechanisms. See CK_NSS_HKDFParams for documentation. */ michael@0: #define CKM_NSS_HKDF_SHA1 (CKM_NSS + 3) michael@0: #define CKM_NSS_HKDF_SHA256 (CKM_NSS + 4) michael@0: #define CKM_NSS_HKDF_SHA384 (CKM_NSS + 5) michael@0: #define CKM_NSS_HKDF_SHA512 (CKM_NSS + 6) michael@0: michael@0: /* J-PAKE round 1 key generation mechanisms. michael@0: * michael@0: * Required template attributes: CKA_PRIME, CKA_SUBPRIME, CKA_BASE, michael@0: * CKA_NSS_JPAKE_SIGNERID michael@0: * Output key type: CKK_NSS_JPAKE_ROUND1 michael@0: * Output key class: CKO_PRIVATE_KEY michael@0: * Parameter type: CK_NSS_JPAKERound1Params michael@0: * michael@0: */ michael@0: #define CKM_NSS_JPAKE_ROUND1_SHA1 (CKM_NSS + 7) michael@0: #define CKM_NSS_JPAKE_ROUND1_SHA256 (CKM_NSS + 8) michael@0: #define CKM_NSS_JPAKE_ROUND1_SHA384 (CKM_NSS + 9) michael@0: #define CKM_NSS_JPAKE_ROUND1_SHA512 (CKM_NSS + 10) michael@0: michael@0: /* J-PAKE round 2 key derivation mechanisms. michael@0: * michael@0: * Required template attributes: CKA_NSS_JPAKE_PEERID michael@0: * Input key type: CKK_NSS_JPAKE_ROUND1 michael@0: * Output key type: CKK_NSS_JPAKE_ROUND2 michael@0: * Output key class: CKO_PRIVATE_KEY michael@0: * Parameter type: CK_NSS_JPAKERound2Params michael@0: */ michael@0: #define CKM_NSS_JPAKE_ROUND2_SHA1 (CKM_NSS + 11) michael@0: #define CKM_NSS_JPAKE_ROUND2_SHA256 (CKM_NSS + 12) michael@0: #define CKM_NSS_JPAKE_ROUND2_SHA384 (CKM_NSS + 13) michael@0: #define CKM_NSS_JPAKE_ROUND2_SHA512 (CKM_NSS + 14) michael@0: michael@0: /* J-PAKE final key material derivation mechanisms michael@0: * michael@0: * Input key type: CKK_NSS_JPAKE_ROUND2 michael@0: * Output key type: CKK_GENERIC_SECRET michael@0: * Output key class: CKO_SECRET_KEY michael@0: * Parameter type: CK_NSS_JPAKEFinalParams michael@0: * michael@0: * You must apply a KDF (e.g. CKM_NSS_HKDF_*) to resultant keying material michael@0: * to get a key with uniformly distributed bits. michael@0: */ michael@0: #define CKM_NSS_JPAKE_FINAL_SHA1 (CKM_NSS + 15) michael@0: #define CKM_NSS_JPAKE_FINAL_SHA256 (CKM_NSS + 16) michael@0: #define CKM_NSS_JPAKE_FINAL_SHA384 (CKM_NSS + 17) michael@0: #define CKM_NSS_JPAKE_FINAL_SHA512 (CKM_NSS + 18) michael@0: michael@0: /* Constant-time MAC mechanisms: michael@0: * michael@0: * These operations verify a padded, MAC-then-encrypt block of data in michael@0: * constant-time. Because of the order of operations, the padding bytes are not michael@0: * protected by the MAC. However, disclosing the value of the padding bytes michael@0: * gives an attacker the ability to decrypt ciphertexts. Such disclosure can be michael@0: * as subtle as taking slightly less time to perform the MAC when the padding michael@0: * is one byte longer. See https://www.isg.rhul.ac.uk/tls/ michael@0: * michael@0: * CKM_NSS_HMAC_CONSTANT_TIME: performs an HMAC authentication. michael@0: * CKM_NSS_SSL3_MAC_CONSTANT_TIME: performs an authentication with SSLv3 MAC. michael@0: * michael@0: * Parameter type: CK_NSS_MAC_CONSTANT_TIME_PARAMS michael@0: */ michael@0: #define CKM_NSS_HMAC_CONSTANT_TIME (CKM_NSS + 19) michael@0: #define CKM_NSS_SSL3_MAC_CONSTANT_TIME (CKM_NSS + 20) michael@0: michael@0: /* TLS 1.2 mechanisms */ michael@0: #define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21) michael@0: #define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22) michael@0: #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23) michael@0: #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) michael@0: michael@0: /* michael@0: * HISTORICAL: michael@0: * Do not attempt to use these. They are only used by NETSCAPE's internal michael@0: * PKCS #11 interface. Most of these are place holders for other mechanism michael@0: * and will change in the future. michael@0: */ michael@0: #define CKM_NETSCAPE_PBE_SHA1_DES_CBC 0x80000002UL michael@0: #define CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC 0x80000003UL michael@0: #define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC 0x80000004UL michael@0: #define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC 0x80000005UL michael@0: #define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4 0x80000006UL michael@0: #define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4 0x80000007UL michael@0: #define CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC 0x80000008UL michael@0: #define CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN 0x80000009UL michael@0: #define CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN 0x8000000aUL michael@0: #define CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN 0x8000000bUL michael@0: michael@0: #define CKM_TLS_PRF_GENERAL 0x80000373UL michael@0: michael@0: typedef struct CK_NSS_JPAKEPublicValue { michael@0: CK_BYTE * pGX; michael@0: CK_ULONG ulGXLen; michael@0: CK_BYTE * pGV; michael@0: CK_ULONG ulGVLen; michael@0: CK_BYTE * pR; michael@0: CK_ULONG ulRLen; michael@0: } CK_NSS_JPAKEPublicValue; michael@0: michael@0: typedef struct CK_NSS_JPAKERound1Params { michael@0: CK_NSS_JPAKEPublicValue gx1; /* out */ michael@0: CK_NSS_JPAKEPublicValue gx2; /* out */ michael@0: } CK_NSS_JPAKERound1Params; michael@0: michael@0: typedef struct CK_NSS_JPAKERound2Params { michael@0: CK_BYTE * pSharedKey; /* in */ michael@0: CK_ULONG ulSharedKeyLen; /* in */ michael@0: CK_NSS_JPAKEPublicValue gx3; /* in */ michael@0: CK_NSS_JPAKEPublicValue gx4; /* in */ michael@0: CK_NSS_JPAKEPublicValue A; /* out */ michael@0: } CK_NSS_JPAKERound2Params; michael@0: michael@0: typedef struct CK_NSS_JPAKEFinalParams { michael@0: CK_NSS_JPAKEPublicValue B; /* in */ michael@0: } CK_NSS_JPAKEFinalParams; michael@0: michael@0: /* macAlg: the MAC algorithm to use. This determines the hash function used in michael@0: * the HMAC/SSLv3 MAC calculations. michael@0: * ulBodyTotalLen: the total length of the data, including padding bytes and michael@0: * padding length. michael@0: * pHeader: points to a block of data that contains additional data to michael@0: * authenticate. For TLS this includes the sequence number etc. For SSLv3, michael@0: * this also includes the initial padding bytes. michael@0: * michael@0: * NOTE: the softoken's implementation of CKM_NSS_HMAC_CONSTANT_TIME and michael@0: * CKM_NSS_SSL3_MAC_CONSTANT_TIME requires that the sum of ulBodyTotalLen michael@0: * and ulHeaderLen be much smaller than 2^32 / 8 bytes because it uses an michael@0: * unsigned int variable to represent the length in bits. This should not michael@0: * be a problem because the SSL/TLS protocol limits the size of an SSL michael@0: * record to something considerably less than 2^32 bytes. michael@0: */ michael@0: typedef struct CK_NSS_MAC_CONSTANT_TIME_PARAMS { michael@0: CK_MECHANISM_TYPE macAlg; /* in */ michael@0: CK_ULONG ulBodyTotalLen; /* in */ michael@0: CK_BYTE * pHeader; /* in */ michael@0: CK_ULONG ulHeaderLen; /* in */ michael@0: } CK_NSS_MAC_CONSTANT_TIME_PARAMS; michael@0: michael@0: /* michael@0: * NSS-defined return values michael@0: * michael@0: */ michael@0: #define CKR_NSS (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NSS) michael@0: michael@0: #define CKR_NSS_CERTDB_FAILED (CKR_NSS + 1) michael@0: #define CKR_NSS_KEYDB_FAILED (CKR_NSS + 2) michael@0: michael@0: /* Mandatory parameter for the CKM_NSS_HKDF_* key deriviation mechanisms. michael@0: See RFC 5869. michael@0: michael@0: bExtract: If set, HKDF-Extract will be applied to the input key. If michael@0: the optional salt is given, it is used; otherwise, the salt is michael@0: set to a sequence of zeros equal in length to the HMAC output. michael@0: If bExpand is not set, then the key template given to michael@0: C_DeriveKey must indicate an output key size less than or equal michael@0: to the output size of the HMAC. michael@0: michael@0: bExpand: If set, HKDF-Expand will be applied to the input key (if michael@0: bExtract is not set) or to the result of HKDF-Extract (if michael@0: bExtract is set). Any info given in the optional pInfo field will michael@0: be included in the calculation. michael@0: michael@0: The size of the output key must be specified in the template passed to michael@0: C_DeriveKey. michael@0: */ michael@0: typedef struct CK_NSS_HKDFParams { michael@0: CK_BBOOL bExtract; michael@0: CK_BYTE_PTR pSalt; michael@0: CK_ULONG ulSaltLen; michael@0: CK_BBOOL bExpand; michael@0: CK_BYTE_PTR pInfo; michael@0: CK_ULONG ulInfoLen; michael@0: } CK_NSS_HKDFParams; michael@0: michael@0: /* michael@0: * Trust info michael@0: * michael@0: * This isn't part of the Cryptoki standard (yet), so I'm putting michael@0: * all the definitions here. Some of this would move to nssckt.h michael@0: * if trust info were made part of the standard. In view of this michael@0: * possibility, I'm putting my (NSS) values in the NSS michael@0: * vendor space, like everything else. michael@0: */ michael@0: michael@0: typedef CK_ULONG CK_TRUST; michael@0: michael@0: /* The following trust types are defined: */ michael@0: #define CKT_VENDOR_DEFINED 0x80000000 michael@0: michael@0: #define CKT_NSS (CKT_VENDOR_DEFINED|NSSCK_VENDOR_NSS) michael@0: michael@0: /* If trust goes standard, these'll probably drop out of vendor space. */ michael@0: #define CKT_NSS_TRUSTED (CKT_NSS + 1) michael@0: #define CKT_NSS_TRUSTED_DELEGATOR (CKT_NSS + 2) michael@0: #define CKT_NSS_MUST_VERIFY_TRUST (CKT_NSS + 3) michael@0: #define CKT_NSS_NOT_TRUSTED (CKT_NSS + 10) michael@0: #define CKT_NSS_TRUST_UNKNOWN (CKT_NSS + 5) /* default */ michael@0: michael@0: /* michael@0: * These may well remain NSS-specific; I'm only using them michael@0: * to cache resolution data. michael@0: */ michael@0: #define CKT_NSS_VALID_DELEGATOR (CKT_NSS + 11) michael@0: michael@0: michael@0: /* michael@0: * old definitions. They still exist, but the plain meaning of the michael@0: * labels have never been accurate to what was really implemented. michael@0: * The new labels correctly reflect what the values effectively mean. michael@0: */ michael@0: #if defined(__GNUC__) && (__GNUC__ > 3) michael@0: /* make GCC warn when we use these #defines */ michael@0: /* michael@0: * This is really painful because GCC doesn't allow us to mark random michael@0: * #defines as deprecated. We can only mark the following: michael@0: * functions, variables, and types. michael@0: * const variables will create extra storage for everyone including this michael@0: * header file, so it's undesirable. michael@0: * functions could be inlined to prevent storage creation, but will fail michael@0: * when constant values are expected (like switch statements). michael@0: * enum types do not seem to pay attention to the deprecated attribute. michael@0: * michael@0: * That leaves typedefs. We declare new types that we then deprecate, then michael@0: * cast the resulting value to the deprecated type in the #define, thus michael@0: * producting the warning when the #define is used. michael@0: */ michael@0: #if (__GNUC__ == 4) && (__GNUC_MINOR__ < 5) michael@0: /* The mac doesn't like the friendlier deprecate messages. I'm assuming this michael@0: * is a gcc version issue rather than mac or ppc specific */ michael@0: typedef CK_TRUST __CKT_NSS_UNTRUSTED __attribute__((deprecated)); michael@0: typedef CK_TRUST __CKT_NSS_VALID __attribute__ ((deprecated)); michael@0: typedef CK_TRUST __CKT_NSS_MUST_VERIFY __attribute__((deprecated)); michael@0: #else michael@0: /* when possible, get a full deprecation warning. This works on gcc 4.5 michael@0: * it may work on earlier versions of gcc */ michael@0: typedef CK_TRUST __CKT_NSS_UNTRUSTED __attribute__((deprecated michael@0: ("CKT_NSS_UNTRUSTED really means CKT_NSS_MUST_VERIFY_TRUST"))); michael@0: typedef CK_TRUST __CKT_NSS_VALID __attribute__ ((deprecated michael@0: ("CKT_NSS_VALID really means CKT_NSS_NOT_TRUSTED"))); michael@0: typedef CK_TRUST __CKT_NSS_MUST_VERIFY __attribute__((deprecated michael@0: ("CKT_NSS_MUST_VERIFY really functions as CKT_NSS_TRUST_UNKNOWN"))); michael@0: #endif michael@0: #define CKT_NSS_UNTRUSTED ((__CKT_NSS_UNTRUSTED)CKT_NSS_MUST_VERIFY_TRUST) michael@0: #define CKT_NSS_VALID ((__CKT_NSS_VALID) CKT_NSS_NOT_TRUSTED) michael@0: /* keep the old value for compatibility reasons*/ michael@0: #define CKT_NSS_MUST_VERIFY ((__CKT_NSS_MUST_VERIFY)(CKT_NSS +4)) michael@0: #else michael@0: #ifdef _WIN32 michael@0: /* This magic gets the windows compiler to give us a deprecation michael@0: * warning */ michael@0: #pragma deprecated(CKT_NSS_UNTRUSTED, CKT_NSS_MUST_VERIFY, CKT_NSS_VALID) michael@0: #endif michael@0: /* CKT_NSS_UNTRUSTED really means CKT_NSS_MUST_VERIFY_TRUST */ michael@0: #define CKT_NSS_UNTRUSTED CKT_NSS_MUST_VERIFY_TRUST michael@0: /* CKT_NSS_VALID really means CKT_NSS_NOT_TRUSTED */ michael@0: #define CKT_NSS_VALID CKT_NSS_NOT_TRUSTED michael@0: /* CKT_NSS_MUST_VERIFY was always treated as CKT_NSS_TRUST_UNKNOWN */ michael@0: #define CKT_NSS_MUST_VERIFY (CKT_NSS + 4) /*really means trust unknown*/ michael@0: #endif michael@0: michael@0: /* don't leave old programs in a lurch just yet, give them the old NETSCAPE michael@0: * synonym */ michael@0: #define CKO_NETSCAPE_CRL CKO_NSS_CRL michael@0: #define CKO_NETSCAPE_SMIME CKO_NSS_SMIME michael@0: #define CKO_NETSCAPE_TRUST CKO_NSS_TRUST michael@0: #define CKO_NETSCAPE_BUILTIN_ROOT_LIST CKO_NSS_BUILTIN_ROOT_LIST michael@0: #define CKO_NETSCAPE_NEWSLOT CKO_NSS_NEWSLOT michael@0: #define CKO_NETSCAPE_DELSLOT CKO_NSS_DELSLOT michael@0: #define CKK_NETSCAPE_PKCS8 CKK_NSS_PKCS8 michael@0: #define CKA_NETSCAPE_URL CKA_NSS_URL michael@0: #define CKA_NETSCAPE_EMAIL CKA_NSS_EMAIL michael@0: #define CKA_NETSCAPE_SMIME_INFO CKA_NSS_SMIME_INFO michael@0: #define CKA_NETSCAPE_SMIME_TIMESTAMP CKA_NSS_SMIME_TIMESTAMP michael@0: #define CKA_NETSCAPE_PKCS8_SALT CKA_NSS_PKCS8_SALT michael@0: #define CKA_NETSCAPE_PASSWORD_CHECK CKA_NSS_PASSWORD_CHECK michael@0: #define CKA_NETSCAPE_EXPIRES CKA_NSS_EXPIRES michael@0: #define CKA_NETSCAPE_KRL CKA_NSS_KRL michael@0: #define CKA_NETSCAPE_PQG_COUNTER CKA_NSS_PQG_COUNTER michael@0: #define CKA_NETSCAPE_PQG_SEED CKA_NSS_PQG_SEED michael@0: #define CKA_NETSCAPE_PQG_H CKA_NSS_PQG_H michael@0: #define CKA_NETSCAPE_PQG_SEED_BITS CKA_NSS_PQG_SEED_BITS michael@0: #define CKA_NETSCAPE_MODULE_SPEC CKA_NSS_MODULE_SPEC michael@0: #define CKM_NETSCAPE_AES_KEY_WRAP CKM_NSS_AES_KEY_WRAP michael@0: #define CKM_NETSCAPE_AES_KEY_WRAP_PAD CKM_NSS_AES_KEY_WRAP_PAD michael@0: #define CKR_NETSCAPE_CERTDB_FAILED CKR_NSS_CERTDB_FAILED michael@0: #define CKR_NETSCAPE_KEYDB_FAILED CKR_NSS_KEYDB_FAILED michael@0: michael@0: #define CKT_NETSCAPE_TRUSTED CKT_NSS_TRUSTED michael@0: #define CKT_NETSCAPE_TRUSTED_DELEGATOR CKT_NSS_TRUSTED_DELEGATOR michael@0: #define CKT_NETSCAPE_UNTRUSTED CKT_NSS_UNTRUSTED michael@0: #define CKT_NETSCAPE_MUST_VERIFY CKT_NSS_MUST_VERIFY michael@0: #define CKT_NETSCAPE_TRUST_UNKNOWN CKT_NSS_TRUST_UNKNOWN michael@0: #define CKT_NETSCAPE_VALID CKT_NSS_VALID michael@0: #define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR michael@0: michael@0: /* michael@0: * These are not really PKCS #11 values specifically. They are the 'loadable' michael@0: * module spec NSS uses. The are available for others to use as well, but not michael@0: * part of the formal PKCS #11 spec. michael@0: * michael@0: * The function 'FIND' returns an array of PKCS #11 initialization strings michael@0: * The function 'ADD' takes a PKCS #11 initialization string and stores it. michael@0: * The function 'DEL' takes a 'name= library=' value and deletes the associated michael@0: * string. michael@0: * The function 'RELEASE' frees the array returned by 'FIND' michael@0: */ michael@0: #define SECMOD_MODULE_DB_FUNCTION_FIND 0 michael@0: #define SECMOD_MODULE_DB_FUNCTION_ADD 1 michael@0: #define SECMOD_MODULE_DB_FUNCTION_DEL 2 michael@0: #define SECMOD_MODULE_DB_FUNCTION_RELEASE 3 michael@0: typedef char ** (PR_CALLBACK *SECMODModuleDBFunc)(unsigned long function, michael@0: char *parameters, void *moduleSpec); michael@0: michael@0: /* softoken slot ID's */ michael@0: #define SFTK_MIN_USER_SLOT_ID 4 michael@0: #define SFTK_MAX_USER_SLOT_ID 100 michael@0: #define SFTK_MIN_FIPS_USER_SLOT_ID 101 michael@0: #define SFTK_MAX_FIPS_USER_SLOT_ID 127 michael@0: michael@0: michael@0: #endif /* _PKCS11N_H_ */