1
/* ***** BEGIN LICENSE BLOCK *****
2
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
4
* The contents of this file are subject to the Mozilla Public License Version
5
* 1.1 (the "License"); you may not use this file except in compliance with
6
* the License. You may obtain a copy of the License at
7
* http://www.mozilla.org/MPL/
9
* Software distributed under the License is distributed on an "AS IS" basis,
10
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11
* for the specific language governing rights and limitations under the
14
* The Original Code is the Netscape security libraries.
16
* The Initial Developer of the Original Code is
17
* Netscape Communications Corporation.
18
* Portions created by the Initial Developer are Copyright (C) 1994-2000
19
* the Initial Developer. All Rights Reserved.
23
* Alternatively, the contents of this file may be used under the terms of
24
* either the GNU General Public License Version 2 or later (the "GPL"), or
25
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
26
* in which case the provisions of the GPL or the LGPL are applicable instead
27
* of those above. If you wish to allow use of your version of this file only
28
* under the terms of either the GPL or the LGPL, and not to allow others to
29
* use your version of this file under the terms of the MPL, indicate your
30
* decision by deleting the provisions above and replace them with the notice
31
* and other provisions required by the GPL or the LGPL. If you do not delete
32
* the provisions above, a recipient may use your version of this file under
33
* the terms of any one of the MPL, the GPL or the LGPL.
35
* ***** END LICENSE BLOCK ***** */
45
/* find a better home for these... */
46
extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
47
extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToEncryptedPrivateKeyInfoTemplate;
48
extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
49
extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate;
50
extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
51
extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PrivateKeyInfoTemplate;
52
extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
53
extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToPrivateKeyInfoTemplate;
55
/* PKCS11 needs to be included */
56
typedef struct SECMODModuleStr SECMODModule;
57
typedef struct SECMODModuleListStr SECMODModuleList;
58
typedef NSSRWLock SECMODListLock;
59
typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */
60
typedef struct PK11PreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */
61
typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */
62
typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */
63
typedef struct PK11SlotListStr PK11SlotList;
64
typedef struct PK11SlotListElementStr PK11SlotListElement;
65
typedef struct PK11RSAGenParamsStr PK11RSAGenParams;
66
typedef unsigned long SECMODModuleID;
67
typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry;
68
typedef struct PK11GenericObjectStr PK11GenericObject;
69
typedef void (*PK11FreeDataFunc)(void *);
71
struct SECMODModuleStr {
73
PRBool internal; /* true of internally linked modules, false
74
* for the loaded modules */
75
PRBool loaded; /* Set to true if module has been loaded */
76
PRBool isFIPS; /* Set to true if module is finst internal */
77
char *dllName; /* name of the shared library which implements
79
char *commonName; /* name of the module to display to the user */
80
void *library; /* pointer to the library. opaque. used only by
82
void *functionList; /* The PKCS #11 function table */
83
PZLock *refLock; /* only used pk11db.c */
84
int refCount; /* Module reference count */
85
PK11SlotInfo **slots; /* array of slot points attached to this mod*/
86
int slotCount; /* count of slot in above array */
87
PK11PreSlotInfo *slotInfo; /* special info about slots default settings */
88
int slotInfoCount; /* count */
89
SECMODModuleID moduleID; /* ID so we can find this module again */
91
unsigned long ssl[2]; /* SSL cipher enable flags */
92
char *libraryParams; /* Module specific parameters */
93
void *moduleDBFunc; /* function to return module configuration data*/
94
SECMODModule *parent; /* module that loaded us */
95
PRBool isCritical; /* This module must load successfully */
96
PRBool isModuleDB; /* this module has lists of PKCS #11 modules */
97
PRBool moduleDBOnly; /* this module only has lists of PKCS #11 modules */
98
int trustOrder; /* order for this module's certificate trust rollup */
99
int cipherOrder; /* order for cipher operations */
100
unsigned long evControlMask; /* control the running and shutdown of slot
101
* events (SECMOD_WaitForAnyTokenEvent) */
102
CK_VERSION cryptokiVersion; /* version of this library */
105
/* evControlMask flags */
107
* These bits tell the current state of a SECMOD_WaitForAnyTokenEvent.
109
* SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in
110
* C_WaitForSlotEvent().
111
* SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code
112
* which polls for token insertion and removal events.
113
* SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is
114
* waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent
115
* should return immediately to it's caller.
117
#define SECMOD_END_WAIT 0x01
118
#define SECMOD_WAIT_SIMULATED_EVENT 0x02
119
#define SECMOD_WAIT_PKCS11_EVENT 0x04
121
struct SECMODModuleListStr {
122
SECMODModuleList *next;
123
SECMODModule *module;
126
struct PK11SlotListStr {
127
PK11SlotListElement *head;
128
PK11SlotListElement *tail;
132
struct PK11SlotListElementStr {
133
PK11SlotListElement *next;
134
PK11SlotListElement *prev;
139
struct PK11RSAGenParamsStr {
145
PK11CertListUnique = 0, /* get one instance of all certs */
146
PK11CertListUser = 1, /* get all instances of user certs */
147
PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key.
148
* deprecated. Use PK11CertListCAUnique
150
PK11CertListCA = 3, /* get all instances of CA certs */
151
PK11CertListCAUnique = 4, /* get one instance of CA certs */
152
PK11CertListUserUnique = 5, /* get one instance of user certs */
153
PK11CertListAll = 6 /* get all instances of all certs */
157
* Entry into the Array which lists all the legal bits for the default flags
158
* in the slot, their definition, and the PKCS #11 mechanism the represent
159
* Always Statically allocated.
161
struct PK11DefaultArrayEntryStr {
164
unsigned long mechanism; /* this is a long so we don't include the
165
* whole pkcs 11 world to use this header */
169
#define SECMOD_RSA_FLAG 0x00000001L
170
#define SECMOD_DSA_FLAG 0x00000002L
171
#define SECMOD_RC2_FLAG 0x00000004L
172
#define SECMOD_RC4_FLAG 0x00000008L
173
#define SECMOD_DES_FLAG 0x00000010L
174
#define SECMOD_DH_FLAG 0x00000020L
175
#define SECMOD_FORTEZZA_FLAG 0x00000040L
176
#define SECMOD_RC5_FLAG 0x00000080L
177
#define SECMOD_SHA1_FLAG 0x00000100L
178
#define SECMOD_MD5_FLAG 0x00000200L
179
#define SECMOD_MD2_FLAG 0x00000400L
180
#define SECMOD_SSL_FLAG 0x00000800L
181
#define SECMOD_TLS_FLAG 0x00001000L
182
#define SECMOD_AES_FLAG 0x00002000L
183
#define SECMOD_SHA256_FLAG 0x00004000L
184
#define SECMOD_SHA512_FLAG 0x00008000L /* also for SHA384 */
185
#define SECMOD_CAMELLIA_FLAG 0x00010000L /* = PUBLIC_MECH_CAMELLIA_FLAG */
186
/* reserved bit for future, do not use */
187
#define SECMOD_RESERVED_FLAG 0X08000000L
188
#define SECMOD_FRIENDLY_FLAG 0x10000000L
189
#define SECMOD_RANDOM_FLAG 0x80000000L
191
/* need to make SECMOD and PK11 prefixes consistant. */
192
#define PK11_OWN_PW_DEFAULTS 0x20000000L
193
#define PK11_DISABLE_FLAG 0x40000000L
198
* A 32-bit bitmask of PK11_ATTR_XXX flags
200
typedef PRUint32 PK11AttrFlags;
205
* The following PK11_ATTR_XXX bitflags are used to specify
206
* PKCS #11 object attributes that have Boolean values. Some NSS
207
* functions have a "PK11AttrFlags attrFlags" parameter whose value
208
* is the logical OR of these bitflags. NSS use these bitflags on
209
* private keys or secret keys. Some of these bitflags also apply
210
* to the public keys associated with the private keys.
212
* For each PKCS #11 object attribute, we need two bitflags to
213
* specify not only "true" and "false" but also "default". For
214
* example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the
215
* CKA_PRIVATE attribute. If PK11_ATTR_PRIVATE is set, we add
216
* { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) }
217
* to the template. If PK11_ATTR_PUBLIC is set, we add
218
* { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) }
219
* to the template. If neither flag is set, we don't add any
220
* CKA_PRIVATE entry to the template.
224
* Attributes for PKCS #11 storage objects, which include not only
225
* keys but also certificates and domain parameters.
232
* These two flags determine whether the object is a token or
235
* These two flags are related and cannot both be set.
236
* If the PK11_ATTR_TOKEN flag is set, the object is a token
237
* object. If the PK11_ATTR_SESSION flag is set, the object is
238
* a session object. If neither flag is set, the object is *by
239
* default* a session object.
241
* These two flags specify the value of the PKCS #11 CKA_TOKEN
244
#define PK11_ATTR_TOKEN 0x00000001L
245
#define PK11_ATTR_SESSION 0x00000002L
251
* These two flags determine whether the object is a private or
252
* public object. A user may not access a private object until the
253
* user has authenticated to the token.
255
* These two flags are related and cannot both be set.
256
* If the PK11_ATTR_PRIVATE flag is set, the object is a private
257
* object. If the PK11_ATTR_PUBLIC flag is set, the object is a
258
* public object. If neither flag is set, it is token-specific
259
* whether the object is private or public.
261
* These two flags specify the value of the PKCS #11 CKA_PRIVATE
262
* attribute. NSS only uses this attribute on private and secret
263
* keys, so public keys created by NSS get the token-specific
264
* default value of the CKA_PRIVATE attribute.
266
#define PK11_ATTR_PRIVATE 0x00000004L
267
#define PK11_ATTR_PUBLIC 0x00000008L
270
* PK11_ATTR_MODIFIABLE
271
* PK11_ATTR_UNMODIFIABLE
273
* These two flags determine whether the object is modifiable or
276
* These two flags are related and cannot both be set.
277
* If the PK11_ATTR_MODIFIABLE flag is set, the object can be
278
* modified. If the PK11_ATTR_UNMODIFIABLE flag is set, the object
279
* is read-only. If neither flag is set, the object is *by default*
282
* These two flags specify the value of the PKCS #11 CKA_MODIFIABLE
285
#define PK11_ATTR_MODIFIABLE 0x00000010L
286
#define PK11_ATTR_UNMODIFIABLE 0x00000020L
288
/* Attributes for PKCS #11 key objects. */
291
* PK11_ATTR_SENSITIVE
292
* PK11_ATTR_INSENSITIVE
294
* These two flags are related and cannot both be set.
295
* If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive.
296
* If the PK11_ATTR_INSENSITIVE flag is set, the key is not
297
* sensitive. If neither flag is set, it is token-specific whether
298
* the key is sensitive or not.
300
* If a key is sensitive, certain attributes of the key cannot be
301
* revealed in plaintext outside the token.
303
* This flag specifies the value of the PKCS #11 CKA_SENSITIVE
304
* attribute. Although the default value of the CKA_SENSITIVE
305
* attribute for secret keys is CK_FALSE per PKCS #11, some FIPS
306
* tokens set the default value to CK_TRUE because only CK_TRUE
307
* is allowed. So in practice the default value of this attribute
308
* is token-specific, hence the need for two bitflags.
310
#define PK11_ATTR_SENSITIVE 0x00000040L
311
#define PK11_ATTR_INSENSITIVE 0x00000080L
314
* PK11_ATTR_EXTRACTABLE
315
* PK11_ATTR_UNEXTRACTABLE
317
* These two flags are related and cannot both be set.
318
* If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable
319
* and can be wrapped. If the PK11_ATTR_UNEXTRACTABLE flag is set,
320
* the key is not extractable, and certain attributes of the key
321
* cannot be revealed in plaintext outside the token (just like a
322
* sensitive key). If neither flag is set, it is token-specific
323
* whether the key is extractable or not.
325
* These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE
328
#define PK11_ATTR_EXTRACTABLE 0x00000100L
329
#define PK11_ATTR_UNEXTRACTABLE 0x00000200L
331
/* Cryptographic module types */
332
#define SECMOD_EXTERNAL 0 /* external module */
333
#define SECMOD_INTERNAL 1 /* internal default module */
334
#define SECMOD_FIPS 2 /* internal fips module */
336
/* default module configuration strings */
337
#define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SHA256,SHA512]"
339
#define SECMOD_MAKE_NSS_FLAGS(fips,slot) \
340
"Flags=internal,critical"fips" slotparams=("#slot"={"SECMOD_SLOT_FLAGS"})"
342
#define SECMOD_INT_NAME "NSS Internal PKCS #11 Module"
343
#define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("",1)
344
#define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
345
#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips",3)
348
* What is the origin of a given Key. Normally this doesn't matter, but
349
* the fortezza code needs to know if it needs to invoke the SSL3 fortezza
353
PK11_OriginNULL = 0, /* There is not key, it's a null SymKey */
354
PK11_OriginDerive = 1, /* Key was derived from some other key */
355
PK11_OriginGenerated = 2, /* Key was generated (also PBE keys) */
356
PK11_OriginFortezzaHack = 3,/* Key was marked for fortezza hack */
357
PK11_OriginUnwrap = 4 /* Key was unwrapped or decrypted */
360
/* PKCS #11 disable reasons */
363
PK11_DIS_USER_SELECTED = 1,
364
PK11_DIS_COULD_NOT_INIT_TOKEN = 2,
365
PK11_DIS_TOKEN_VERIFY_FAILED = 3,
366
PK11_DIS_TOKEN_NOT_PRESENT = 4
367
} PK11DisableReasons;
369
/* types of PKCS #11 objects
370
* used to identify which NSS data structure is
371
* passed to the PK11_Raw* functions. Types map as follows:
372
* PK11_TypeGeneric PK11GenericObject *
373
* PK11_TypePrivKey SECKEYPrivateKey *
374
* PK11_TypePubKey SECKEYPublicKey *
375
* PK11_TypeSymKey PK11SymKey *
376
* PK11_TypeCert CERTCertificate * (currently not used).
379
PK11_TypeGeneric = 0,
380
PK11_TypePrivKey = 1,
388
/* function pointer type for password callback function.
389
* This type is passed in to PK11_SetPasswordFunc()
391
typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg);
392
typedef PRBool (PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg);
393
typedef PRBool (PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg);
396
* Special strings the password callback function can return only if
397
* the slot is an protected auth path slot.
399
#define PK11_PW_RETRY "RETRY" /* an failed attempt to authenticate
400
* has already been made, just retry
402
#define PK11_PW_AUTHENTICATED "AUTH" /* a successful attempt to authenticate
403
* has completed. Continue without
404
* another call to C_Login */
405
/* All other non-null values mean that that NSS could call C_Login to force
406
* the authentication. The following define is to aid applications in
407
* documenting that is what it's trying to do */
408
#define PK11_PW_TRY "TRY" /* Default: a prompt has been presented
409
* to the user, initiate a C_Login
410
* to authenticate the token */
413
* PKCS #11 key structures
419
struct SECKEYAttributeStr {
423
typedef struct SECKEYAttributeStr SECKEYAttribute;
426
** A PKCS#8 private key info object
428
struct SECKEYPrivateKeyInfoStr {
431
SECAlgorithmID algorithm;
433
SECKEYAttribute **attributes;
435
typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo;
438
** A PKCS#8 private key info object
440
struct SECKEYEncryptedPrivateKeyInfoStr {
442
SECAlgorithmID algorithm;
443
SECItem encryptedData;
445
typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo;
448
* token removal detection
451
PK11TokenNotRemovable = 0,
452
PK11TokenPresent = 1,
453
PK11TokenChanged = 2,
458
PK11TokenRemovedOrChangedEvent = 0,
459
PK11TokenPresentEvent = 1
465
#define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000
466
#define CRL_IMPORT_BYPASS_CHECKS 0x00000001
472
typedef struct PK11MergeLogStr PK11MergeLog;
473
typedef struct PK11MergeLogNodeStr PK11MergeLogNode;
475
/* These need to be global, leave some open fields so we can 'expand'
476
* these without breaking binary compatibility */
477
struct PK11MergeLogNodeStr {
478
PK11MergeLogNode *next; /* next entry in the list */
479
PK11MergeLogNode *prev; /* last entry in the list */
480
PK11GenericObject *object; /* object that failed */
481
int error; /* what the error was */
483
unsigned long reserved2; /* future flags */
484
unsigned long reserved3; /* future scalar */
485
void *reserved4; /* future pointer */
486
void *reserved5; /* future expansion pointer */
489
struct PK11MergeLogStr {
490
PK11MergeLogNode *head;
491
PK11MergeLogNode *tail;
494
unsigned long reserved1;
495
unsigned long reserved2;
496
unsigned long reserved3;
502
#endif /*_SECMODT_H_ */