michael@0: /* This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: #ifndef _SECMODT_H_ michael@0: #define _SECMODT_H_ 1 michael@0: michael@0: #include "nssrwlkt.h" michael@0: #include "nssilckt.h" michael@0: #include "secoid.h" michael@0: #include "secasn1.h" michael@0: #include "pkcs11t.h" michael@0: #include "utilmodt.h" michael@0: michael@0: SEC_BEGIN_PROTOS michael@0: michael@0: /* find a better home for these... */ michael@0: extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[]; michael@0: SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate) michael@0: extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[]; michael@0: SEC_ASN1_CHOOSER_DECLARE(SECKEY_EncryptedPrivateKeyInfoTemplate) michael@0: extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[]; michael@0: SEC_ASN1_CHOOSER_DECLARE(SECKEY_PrivateKeyInfoTemplate) michael@0: extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[]; michael@0: SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToPrivateKeyInfoTemplate) michael@0: michael@0: SEC_END_PROTOS michael@0: michael@0: /* PKCS11 needs to be included */ michael@0: typedef struct SECMODModuleStr SECMODModule; michael@0: typedef struct SECMODModuleListStr SECMODModuleList; michael@0: typedef NSSRWLock SECMODListLock; michael@0: typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */ michael@0: typedef struct NSSUTILPreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */ michael@0: typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */ michael@0: typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */ michael@0: typedef struct PK11SlotListStr PK11SlotList; michael@0: typedef struct PK11SlotListElementStr PK11SlotListElement; michael@0: typedef struct PK11RSAGenParamsStr PK11RSAGenParams; michael@0: typedef unsigned long SECMODModuleID; michael@0: typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry; michael@0: typedef struct PK11GenericObjectStr PK11GenericObject; michael@0: typedef void (*PK11FreeDataFunc)(void *); michael@0: michael@0: struct SECMODModuleStr { michael@0: PLArenaPool *arena; michael@0: PRBool internal; /* true of internally linked modules, false michael@0: * for the loaded modules */ michael@0: PRBool loaded; /* Set to true if module has been loaded */ michael@0: PRBool isFIPS; /* Set to true if module is finst internal */ michael@0: char *dllName; /* name of the shared library which implements michael@0: * this module */ michael@0: char *commonName; /* name of the module to display to the user */ michael@0: void *library; /* pointer to the library. opaque. used only by michael@0: * pk11load.c */ michael@0: void *functionList; /* The PKCS #11 function table */ michael@0: PZLock *refLock; /* only used pk11db.c */ michael@0: int refCount; /* Module reference count */ michael@0: PK11SlotInfo **slots; /* array of slot points attached to this mod*/ michael@0: int slotCount; /* count of slot in above array */ michael@0: PK11PreSlotInfo *slotInfo; /* special info about slots default settings */ michael@0: int slotInfoCount; /* count */ michael@0: SECMODModuleID moduleID; /* ID so we can find this module again */ michael@0: PRBool isThreadSafe; michael@0: unsigned long ssl[2]; /* SSL cipher enable flags */ michael@0: char *libraryParams; /* Module specific parameters */ michael@0: void *moduleDBFunc; /* function to return module configuration data*/ michael@0: SECMODModule *parent; /* module that loaded us */ michael@0: PRBool isCritical; /* This module must load successfully */ michael@0: PRBool isModuleDB; /* this module has lists of PKCS #11 modules */ michael@0: PRBool moduleDBOnly; /* this module only has lists of PKCS #11 modules */ michael@0: int trustOrder; /* order for this module's certificate trust rollup */ michael@0: int cipherOrder; /* order for cipher operations */ michael@0: unsigned long evControlMask; /* control the running and shutdown of slot michael@0: * events (SECMOD_WaitForAnyTokenEvent) */ michael@0: CK_VERSION cryptokiVersion; /* version of this library */ michael@0: }; michael@0: michael@0: /* evControlMask flags */ michael@0: /* michael@0: * These bits tell the current state of a SECMOD_WaitForAnyTokenEvent. michael@0: * michael@0: * SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in michael@0: * C_WaitForSlotEvent(). michael@0: * SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code michael@0: * which polls for token insertion and removal events. michael@0: * SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is michael@0: * waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent michael@0: * should return immediately to it's caller. michael@0: */ michael@0: #define SECMOD_END_WAIT 0x01 michael@0: #define SECMOD_WAIT_SIMULATED_EVENT 0x02 michael@0: #define SECMOD_WAIT_PKCS11_EVENT 0x04 michael@0: michael@0: struct SECMODModuleListStr { michael@0: SECMODModuleList *next; michael@0: SECMODModule *module; michael@0: }; michael@0: michael@0: struct PK11SlotListStr { michael@0: PK11SlotListElement *head; michael@0: PK11SlotListElement *tail; michael@0: PZLock *lock; michael@0: }; michael@0: michael@0: struct PK11SlotListElementStr { michael@0: PK11SlotListElement *next; michael@0: PK11SlotListElement *prev; michael@0: PK11SlotInfo *slot; michael@0: int refCount; michael@0: }; michael@0: michael@0: struct PK11RSAGenParamsStr { michael@0: int keySizeInBits; michael@0: unsigned long pe; michael@0: }; michael@0: michael@0: typedef enum { michael@0: PK11CertListUnique = 0, /* get one instance of all certs */ michael@0: PK11CertListUser = 1, /* get all instances of user certs */ michael@0: PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key. michael@0: * deprecated. Use PK11CertListCAUnique michael@0: */ michael@0: PK11CertListCA = 3, /* get all instances of CA certs */ michael@0: PK11CertListCAUnique = 4, /* get one instance of CA certs */ michael@0: PK11CertListUserUnique = 5, /* get one instance of user certs */ michael@0: PK11CertListAll = 6 /* get all instances of all certs */ michael@0: } PK11CertListType; michael@0: michael@0: /* michael@0: * Entry into the array which lists all the legal bits for the default flags michael@0: * in the slot, their definition, and the PKCS #11 mechanism they represent. michael@0: * Always statically allocated. michael@0: */ michael@0: struct PK11DefaultArrayEntryStr { michael@0: const char *name; michael@0: unsigned long flag; michael@0: unsigned long mechanism; /* this is a long so we don't include the michael@0: * whole pkcs 11 world to use this header */ michael@0: }; michael@0: michael@0: /* michael@0: * PK11AttrFlags michael@0: * michael@0: * A 32-bit bitmask of PK11_ATTR_XXX flags michael@0: */ michael@0: typedef PRUint32 PK11AttrFlags; michael@0: michael@0: /* michael@0: * PK11_ATTR_XXX michael@0: * michael@0: * The following PK11_ATTR_XXX bitflags are used to specify michael@0: * PKCS #11 object attributes that have Boolean values. Some NSS michael@0: * functions have a "PK11AttrFlags attrFlags" parameter whose value michael@0: * is the logical OR of these bitflags. NSS use these bitflags on michael@0: * private keys or secret keys. Some of these bitflags also apply michael@0: * to the public keys associated with the private keys. michael@0: * michael@0: * For each PKCS #11 object attribute, we need two bitflags to michael@0: * specify not only "true" and "false" but also "default". For michael@0: * example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the michael@0: * CKA_PRIVATE attribute. If PK11_ATTR_PRIVATE is set, we add michael@0: * { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) } michael@0: * to the template. If PK11_ATTR_PUBLIC is set, we add michael@0: * { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) } michael@0: * to the template. If neither flag is set, we don't add any michael@0: * CKA_PRIVATE entry to the template. michael@0: */ michael@0: michael@0: /* michael@0: * Attributes for PKCS #11 storage objects, which include not only michael@0: * keys but also certificates and domain parameters. michael@0: */ michael@0: michael@0: /* michael@0: * PK11_ATTR_TOKEN michael@0: * PK11_ATTR_SESSION michael@0: * michael@0: * These two flags determine whether the object is a token or michael@0: * session object. michael@0: * michael@0: * These two flags are related and cannot both be set. michael@0: * If the PK11_ATTR_TOKEN flag is set, the object is a token michael@0: * object. If the PK11_ATTR_SESSION flag is set, the object is michael@0: * a session object. If neither flag is set, the object is *by michael@0: * default* a session object. michael@0: * michael@0: * These two flags specify the value of the PKCS #11 CKA_TOKEN michael@0: * attribute. michael@0: */ michael@0: #define PK11_ATTR_TOKEN 0x00000001L michael@0: #define PK11_ATTR_SESSION 0x00000002L michael@0: michael@0: /* michael@0: * PK11_ATTR_PRIVATE michael@0: * PK11_ATTR_PUBLIC michael@0: * michael@0: * These two flags determine whether the object is a private or michael@0: * public object. A user may not access a private object until the michael@0: * user has authenticated to the token. michael@0: * michael@0: * These two flags are related and cannot both be set. michael@0: * If the PK11_ATTR_PRIVATE flag is set, the object is a private michael@0: * object. If the PK11_ATTR_PUBLIC flag is set, the object is a michael@0: * public object. If neither flag is set, it is token-specific michael@0: * whether the object is private or public. michael@0: * michael@0: * These two flags specify the value of the PKCS #11 CKA_PRIVATE michael@0: * attribute. NSS only uses this attribute on private and secret michael@0: * keys, so public keys created by NSS get the token-specific michael@0: * default value of the CKA_PRIVATE attribute. michael@0: */ michael@0: #define PK11_ATTR_PRIVATE 0x00000004L michael@0: #define PK11_ATTR_PUBLIC 0x00000008L michael@0: michael@0: /* michael@0: * PK11_ATTR_MODIFIABLE michael@0: * PK11_ATTR_UNMODIFIABLE michael@0: * michael@0: * These two flags determine whether the object is modifiable or michael@0: * read-only. michael@0: * michael@0: * These two flags are related and cannot both be set. michael@0: * If the PK11_ATTR_MODIFIABLE flag is set, the object can be michael@0: * modified. If the PK11_ATTR_UNMODIFIABLE flag is set, the object michael@0: * is read-only. If neither flag is set, the object is *by default* michael@0: * modifiable. michael@0: * michael@0: * These two flags specify the value of the PKCS #11 CKA_MODIFIABLE michael@0: * attribute. michael@0: */ michael@0: #define PK11_ATTR_MODIFIABLE 0x00000010L michael@0: #define PK11_ATTR_UNMODIFIABLE 0x00000020L michael@0: michael@0: /* Attributes for PKCS #11 key objects. */ michael@0: michael@0: /* michael@0: * PK11_ATTR_SENSITIVE michael@0: * PK11_ATTR_INSENSITIVE michael@0: * michael@0: * These two flags are related and cannot both be set. michael@0: * If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive. michael@0: * If the PK11_ATTR_INSENSITIVE flag is set, the key is not michael@0: * sensitive. If neither flag is set, it is token-specific whether michael@0: * the key is sensitive or not. michael@0: * michael@0: * If a key is sensitive, certain attributes of the key cannot be michael@0: * revealed in plaintext outside the token. michael@0: * michael@0: * This flag specifies the value of the PKCS #11 CKA_SENSITIVE michael@0: * attribute. Although the default value of the CKA_SENSITIVE michael@0: * attribute for secret keys is CK_FALSE per PKCS #11, some FIPS michael@0: * tokens set the default value to CK_TRUE because only CK_TRUE michael@0: * is allowed. So in practice the default value of this attribute michael@0: * is token-specific, hence the need for two bitflags. michael@0: */ michael@0: #define PK11_ATTR_SENSITIVE 0x00000040L michael@0: #define PK11_ATTR_INSENSITIVE 0x00000080L michael@0: michael@0: /* michael@0: * PK11_ATTR_EXTRACTABLE michael@0: * PK11_ATTR_UNEXTRACTABLE michael@0: * michael@0: * These two flags are related and cannot both be set. michael@0: * If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable michael@0: * and can be wrapped. If the PK11_ATTR_UNEXTRACTABLE flag is set, michael@0: * the key is not extractable, and certain attributes of the key michael@0: * cannot be revealed in plaintext outside the token (just like a michael@0: * sensitive key). If neither flag is set, it is token-specific michael@0: * whether the key is extractable or not. michael@0: * michael@0: * These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE michael@0: * attribute. michael@0: */ michael@0: #define PK11_ATTR_EXTRACTABLE 0x00000100L michael@0: #define PK11_ATTR_UNEXTRACTABLE 0x00000200L michael@0: michael@0: /* Cryptographic module types */ michael@0: #define SECMOD_EXTERNAL 0 /* external module */ michael@0: #define SECMOD_INTERNAL 1 /* internal default module */ michael@0: #define SECMOD_FIPS 2 /* internal fips module */ michael@0: michael@0: /* default module configuration strings */ michael@0: #define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]" michael@0: michael@0: #define SECMOD_MAKE_NSS_FLAGS(fips,slot) \ michael@0: "Flags=internal,critical" fips " slotparams=(" #slot "={" SECMOD_SLOT_FLAGS "})" michael@0: michael@0: #define SECMOD_INT_NAME "NSS Internal PKCS #11 Module" michael@0: #define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("",1) michael@0: #define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module" michael@0: #define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips",3) michael@0: michael@0: /* michael@0: * What is the origin of a given Key. Normally this doesn't matter, but michael@0: * the fortezza code needs to know if it needs to invoke the SSL3 fortezza michael@0: * hack. michael@0: */ michael@0: typedef enum { michael@0: PK11_OriginNULL = 0, /* There is not key, it's a null SymKey */ michael@0: PK11_OriginDerive = 1, /* Key was derived from some other key */ michael@0: PK11_OriginGenerated = 2, /* Key was generated (also PBE keys) */ michael@0: PK11_OriginFortezzaHack = 3,/* Key was marked for fortezza hack */ michael@0: PK11_OriginUnwrap = 4 /* Key was unwrapped or decrypted */ michael@0: } PK11Origin; michael@0: michael@0: /* PKCS #11 disable reasons */ michael@0: typedef enum { michael@0: PK11_DIS_NONE = 0, michael@0: PK11_DIS_USER_SELECTED = 1, michael@0: PK11_DIS_COULD_NOT_INIT_TOKEN = 2, michael@0: PK11_DIS_TOKEN_VERIFY_FAILED = 3, michael@0: PK11_DIS_TOKEN_NOT_PRESENT = 4 michael@0: } PK11DisableReasons; michael@0: michael@0: /* types of PKCS #11 objects michael@0: * used to identify which NSS data structure is michael@0: * passed to the PK11_Raw* functions. Types map as follows: michael@0: * PK11_TypeGeneric PK11GenericObject * michael@0: * PK11_TypePrivKey SECKEYPrivateKey * michael@0: * PK11_TypePubKey SECKEYPublicKey * michael@0: * PK11_TypeSymKey PK11SymKey * michael@0: * PK11_TypeCert CERTCertificate * (currently not used). michael@0: */ michael@0: typedef enum { michael@0: PK11_TypeGeneric = 0, michael@0: PK11_TypePrivKey = 1, michael@0: PK11_TypePubKey = 2, michael@0: PK11_TypeCert = 3, michael@0: PK11_TypeSymKey = 4 michael@0: } PK11ObjectType; michael@0: michael@0: michael@0: michael@0: /* function pointer type for password callback function. michael@0: * This type is passed in to PK11_SetPasswordFunc() michael@0: */ michael@0: typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg); michael@0: typedef PRBool (PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg); michael@0: typedef PRBool (PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg); michael@0: michael@0: /* michael@0: * Special strings the password callback function can return only if michael@0: * the slot is an protected auth path slot. michael@0: */ michael@0: #define PK11_PW_RETRY "RETRY" /* an failed attempt to authenticate michael@0: * has already been made, just retry michael@0: * the operation */ michael@0: #define PK11_PW_AUTHENTICATED "AUTH" /* a successful attempt to authenticate michael@0: * has completed. Continue without michael@0: * another call to C_Login */ michael@0: /* All other non-null values mean that that NSS could call C_Login to force michael@0: * the authentication. The following define is to aid applications in michael@0: * documenting that is what it's trying to do */ michael@0: #define PK11_PW_TRY "TRY" /* Default: a prompt has been presented michael@0: * to the user, initiate a C_Login michael@0: * to authenticate the token */ michael@0: michael@0: /* michael@0: * PKCS #11 key structures michael@0: */ michael@0: michael@0: /* michael@0: ** Attributes michael@0: */ michael@0: struct SECKEYAttributeStr { michael@0: SECItem attrType; michael@0: SECItem **attrValue; michael@0: }; michael@0: typedef struct SECKEYAttributeStr SECKEYAttribute; michael@0: michael@0: /* michael@0: ** A PKCS#8 private key info object michael@0: */ michael@0: struct SECKEYPrivateKeyInfoStr { michael@0: PLArenaPool *arena; michael@0: SECItem version; michael@0: SECAlgorithmID algorithm; michael@0: SECItem privateKey; michael@0: SECKEYAttribute **attributes; michael@0: }; michael@0: typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo; michael@0: michael@0: /* michael@0: ** A PKCS#8 private key info object michael@0: */ michael@0: struct SECKEYEncryptedPrivateKeyInfoStr { michael@0: PLArenaPool *arena; michael@0: SECAlgorithmID algorithm; michael@0: SECItem encryptedData; michael@0: }; michael@0: typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo; michael@0: michael@0: /* michael@0: * token removal detection michael@0: */ michael@0: typedef enum { michael@0: PK11TokenNotRemovable = 0, michael@0: PK11TokenPresent = 1, michael@0: PK11TokenChanged = 2, michael@0: PK11TokenRemoved = 3 michael@0: } PK11TokenStatus; michael@0: michael@0: typedef enum { michael@0: PK11TokenRemovedOrChangedEvent = 0, michael@0: PK11TokenPresentEvent = 1 michael@0: } PK11TokenEvent; michael@0: michael@0: /* michael@0: * CRL Import Flags michael@0: */ michael@0: #define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000 michael@0: #define CRL_IMPORT_BYPASS_CHECKS 0x00000001 michael@0: michael@0: michael@0: /* michael@0: * Merge Error Log michael@0: */ michael@0: typedef struct PK11MergeLogStr PK11MergeLog; michael@0: typedef struct PK11MergeLogNodeStr PK11MergeLogNode; michael@0: michael@0: /* These need to be global, leave some open fields so we can 'expand' michael@0: * these without breaking binary compatibility */ michael@0: struct PK11MergeLogNodeStr { michael@0: PK11MergeLogNode *next; /* next entry in the list */ michael@0: PK11MergeLogNode *prev; /* last entry in the list */ michael@0: PK11GenericObject *object; /* object that failed */ michael@0: int error; /* what the error was */ michael@0: CK_RV reserved1; michael@0: unsigned long reserved2; /* future flags */ michael@0: unsigned long reserved3; /* future scalar */ michael@0: void *reserved4; /* future pointer */ michael@0: void *reserved5; /* future expansion pointer */ michael@0: }; michael@0: michael@0: struct PK11MergeLogStr { michael@0: PK11MergeLogNode *head; michael@0: PK11MergeLogNode *tail; michael@0: PLArenaPool *arena; michael@0: int version; michael@0: unsigned long reserved1; michael@0: unsigned long reserved2; michael@0: unsigned long reserved3; michael@0: void *reserverd4; michael@0: void *reserverd5; michael@0: }; michael@0: michael@0: michael@0: #endif /*_SECMODT_H_ */