pk11pub.h source code [include/nss/pk11pub.h]

1	/ This Source Code Form is subject to the terms of the Mozilla Public*
2	* License, v. 2.0. If a copy of the MPL was not distributed with this
3	* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4	#ifndef _PK11PUB_H_
5	#define _PK11PUB_H_
6	#include "plarena.h"
7	#include "seccomon.h"
8	#include "secoidt.h"
9	#include "secdert.h"
10	#include "keythi.h"
11	#include "certt.h"
12	#include "pk11hpke.h"
13	#include "pkcs11t.h"
14	#include "secmodt.h"
15	#include "seccomon.h"
16	#include "pkcs7t.h"
17	#include "cmsreclist.h"
18
19	/*
20	* Exported PK11 wrap functions.
21	*/
22
23	SEC_BEGIN_PROTOS
24
25	/************************************************************
26	* Generic Slot Lists Management
27	************************************************************/
28	void PK11_FreeSlotList(PK11SlotList *list);
29	SECStatus PK11_FreeSlotListElement(PK11SlotList list, PK11SlotListElement le);
30	PK11SlotListElement PK11_GetFirstSafe(PK11SlotList list);
31	PK11SlotListElement PK11_GetNextSafe(PK11SlotList list,
32	PK11SlotListElement *le, PRBool restart);
33
34	/************************************************************
35	* Generic Slot Management
36	************************************************************/
37	PK11SlotInfo PK11_ReferenceSlot(PK11SlotInfo slot);
38	void PK11_FreeSlot(PK11SlotInfo *slot);
39	SECStatus PK11_DestroyObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE object);
40	SECStatus PK11_DestroyTokenObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE object);
41	PK11SlotInfo PK11_GetInternalKeySlot(void*);
42	PK11SlotInfo PK11_GetInternalSlot(void*);
43	SECStatus PK11_Logout(PK11SlotInfo *slot);
44	void PK11_LogoutAll(void);
45
46	/************************************************************
47	* Slot Password Management
48	************************************************************/
49	void PK11_SetSlotPWValues(PK11SlotInfo slot, int* askpw, int timeout);
50	void PK11_GetSlotPWValues(PK11SlotInfo slot, int* askpw, int* *timeout);
51	SECStatus PK11_CheckSSOPassword(PK11SlotInfo slot, char* *ssopw);
52	SECStatus PK11_CheckUserPassword(PK11SlotInfo slot, const* char *pw);
53	PRBool PK11_IsLoggedIn(PK11SlotInfo slot, void* *wincx);
54	SECStatus PK11_InitPin(PK11SlotInfo slot, const* char *ssopw,
55	const char *pk11_userpwd);
56	SECStatus PK11_ChangePW(PK11SlotInfo slot, const* char *oldpw,
57	const char *newpw);
58	void PK11_SetPasswordFunc(PK11PasswordFunc func);
59	int PK11_GetMinimumPwdLength(PK11SlotInfo *slot);
60	SECStatus PK11_ResetToken(PK11SlotInfo slot, char* *sso_pwd);
61	SECStatus PK11_Authenticate(PK11SlotInfo slot, PRBool loadCerts, void* *wincx);
62	SECStatus PK11_TokenRefresh(PK11SlotInfo *slot);
63
64	/******************************************************************
65	* Slot info functions
66	******************************************************************/
67	PK11SlotInfo PK11_FindSlotByName(const* char *name);
68	/******************************************************************
69	* PK11_FindSlotsByNames searches for a PK11SlotInfo using one or
70	* more criteria : dllName, slotName and tokenName . In addition, if
71	* presentOnly is set , only slots with a token inserted will be
72	* returned.
73	******************************************************************/
74	PK11SlotList PK11_FindSlotsByNames(const* char *dllName,
75	const char slotName, const* char *tokenName, PRBool presentOnly);
76	PRBool PK11_IsReadOnly(PK11SlotInfo *slot);
77	PRBool PK11_IsInternal(PK11SlotInfo *slot);
78	PRBool PK11_IsInternalKeySlot(PK11SlotInfo *slot);
79	char PK11_GetTokenName(PK11SlotInfo slot);
80	char PK11_GetTokenURI(PK11SlotInfo slot);
81	char PK11_GetSlotName(PK11SlotInfo slot);
82	PRBool PK11_NeedLogin(PK11SlotInfo *slot);
83	PRBool PK11_IsFriendly(PK11SlotInfo *slot);
84	PRBool PK11_IsHW(PK11SlotInfo *slot);
85	PRBool PK11_IsRemovable(PK11SlotInfo *slot);
86	PRBool PK11_NeedUserInit(PK11SlotInfo *slot);
87	PRBool PK11_ProtectedAuthenticationPath(PK11SlotInfo *slot);
88	int PK11_GetSlotSeries(PK11SlotInfo *slot);
89	int PK11_GetCurrentWrapIndex(PK11SlotInfo *slot);
90	unsigned long PK11_GetDefaultFlags(PK11SlotInfo *slot);
91	CK_SLOT_ID PK11_GetSlotID(PK11SlotInfo *slot);
92	SECMODModuleID PK11_GetModuleID(PK11SlotInfo *slot);
93	SECStatus PK11_GetSlotInfo(PK11SlotInfo slot, CK_SLOT_INFO info);
94	SECStatus PK11_GetTokenInfo(PK11SlotInfo slot, CK_TOKEN_INFO info);
95	PRBool PK11_IsDisabled(PK11SlotInfo *slot);
96	PRBool PK11_HasRootCerts(PK11SlotInfo *slot);
97	PK11DisableReasons PK11_GetDisabledReason(PK11SlotInfo *slot);
98	/ Prevents the slot from being used, and set disable reason to user-disable /
99	/ NOTE: Mechanisms that were ON continue to stay ON /
100	/ Therefore, when the slot is enabled, it will remember /
101	/ what mechanisms needs to be turned on /
102	PRBool PK11_UserDisableSlot(PK11SlotInfo *slot);
103	/ Allow all mechanisms that are ON before UserDisableSlot() /
104	/ was called to be available again /
105	PRBool PK11_UserEnableSlot(PK11SlotInfo *slot);
106	/*
107	* wait for a specific slot event.
108	* event is a specific event to wait for. Currently only
109	* PK11TokenChangeOrRemovalEvent and PK11TokenPresentEvents are defined.
110	* timeout can be an interval time to wait, PR_INTERVAL_NO_WAIT (meaning only
111	* poll once), or PR_INTERVAL_NO_TIMEOUT (meaning block until a change).
112	* pollInterval is a suggested pulling interval value. '0' means use the
113	* default. Future implementations that don't poll may ignore this value.
114	* series is the current series for the last slot. This should be the series
115	* value for the slot the last time you read persistant information from the
116	* slot. For instance, if you publish a cert from the slot, you should obtain
117	* the slot series at that time. Then PK11_WaitForTokenEvent can detect a
118	* a change in the slot between the time you publish and the time
119	* PK11_WaitForTokenEvent is called, elliminating potential race conditions.
120	*
121	* The current status that is returned is:
122	* PK11TokenNotRemovable - always returned for any non-removable token.
123	* PK11TokenPresent - returned when the token is present and we are waiting
124	* on a PK11TokenPresentEvent. Then next event to look for is a
125	* PK11TokenChangeOrRemovalEvent.
126	* PK11TokenChanged - returned when the old token has been removed and a new
127	* token ad been inserted, and we are waiting for a
128	* PK11TokenChangeOrRemovalEvent. The next event to look for is another
129	* PK11TokenChangeOrRemovalEvent.
130	* PK11TokenRemoved - returned when the token is not present and we are
131	* waiting for a PK11TokenChangeOrRemovalEvent. The next event to look for
132	* is a PK11TokenPresentEvent.
133	*/
134	PK11TokenStatus PK11_WaitForTokenEvent(PK11SlotInfo *slot, PK11TokenEvent event,
135	PRIntervalTime timeout, PRIntervalTime pollInterval, int series);
136
137	PRBool PK11_NeedPWInit(void);
138	PRBool PK11_TokenExists(CK_MECHANISM_TYPE);
139	SECStatus PK11_GetModInfo(SECMODModule mod, CK_INFO info);
140	char PK11_GetModuleURI(SECMODModule mod);
141	PRBool PK11_IsFIPS(void);
142	SECMODModule PK11_GetModule(PK11SlotInfo slot);
143
144	/*********************************************************************
145	* Slot mapping utility functions.
146	*********************************************************************/
147	PRBool PK11_IsPresent(PK11SlotInfo *slot);
148	PRBool PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
149	PK11SlotList *PK11_GetAllTokens(CK_MECHANISM_TYPE type, PRBool needRW,
150	PRBool loadCerts, void *wincx);
151	PK11SlotInfo PK11_GetBestSlotMultipleWithAttributes(CK_MECHANISM_TYPE type,
152	CK_FLAGS mechFlag, unsigned* int *keySize,
153	unsigned int count, void *wincx);
154	PK11SlotInfo PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE type,
155	unsigned int count, void *wincx);
156	PK11SlotInfo PK11_GetBestSlot(CK_MECHANISM_TYPE type, void* *wincx);
157	PK11SlotInfo *PK11_GetBestSlotWithAttributes(CK_MECHANISM_TYPE type,
158	CK_FLAGS mechFlag, unsigned int keySize, void *wincx);
159	CK_MECHANISM_TYPE PK11_GetBestWrapMechanism(PK11SlotInfo *slot);
160	int PK11_GetBestKeyLength(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
161
162	/*
163	* Open a new database using the softoken. The caller is responsible for making
164	* sure the module spec is correct and usable. The caller should ask for one
165	* new database per call if the caller wants to get meaningful information
166	* about the new database.
167	*
168	* moduleSpec is the same data that you would pass to softoken at
169	* initialization time under the 'tokens' options. For example, if you were
170	* to specify tokens=<0x4=[configdir='./mybackup' tokenDescription='Backup']>
171	* You would specify "configdir='./mybackup' tokenDescription='Backup'" as your
172	* module spec here. The slot ID will be calculated for you by
173	* SECMOD_OpenUserDB().
174	*
175	* Typical parameters here are configdir, tokenDescription and flags.
176	*
177	* a Full list is below:
178	*
179	*
180	* configDir - The location of the databases for this token. If configDir is
181	* not specified, and noCertDB and noKeyDB is not specified, the load
182	* will fail.
183	* certPrefix - Cert prefix for this token.
184	* keyPrefix - Prefix for the key database for this token. (if not specified,
185	* certPrefix will be used).
186	* tokenDescription - The label value for this token returned in the
187	* CK_TOKEN_INFO structure with an internationalize string (UTF8).
188	* This value will be truncated at 32 bytes (no NULL, partial UTF8
189	* characters dropped). You should specify a user friendly name here
190	* as this is the value the token will be referred to in most
191	* application UI's. You should make sure tokenDescription is unique.
192	* slotDescription - The slotDescription value for this token returned
193	* in the CK_SLOT_INFO structure with an internationalize string
194	* (UTF8). This value will be truncated at 64 bytes (no NULL, partial
195	* UTF8 characters dropped). This name will not change after the
196	* database is closed. It should have some number to make this unique.
197	* minPWLen - minimum password length for this token.
198	* flags - comma separated list of flag values, parsed case-insensitive.
199	* Valid flags are:
200	* readOnly - Databases should be opened read only.
201	* noCertDB - Don't try to open a certificate database.
202	* noKeyDB - Don't try to open a key database.
203	* forceOpen - Don't fail to initialize the token if the
204	* databases could not be opened.
205	* passwordRequired - zero length passwords are not acceptable
206	* (valid only if there is a keyDB).
207	* optimizeSpace - allocate smaller hash tables and lock tables.
208	* When this flag is not specified, Softoken will allocate
209	* large tables to prevent lock contention.
210	*/
211	PK11SlotInfo SECMOD_OpenUserDB(const* char *moduleSpec);
212	SECStatus SECMOD_CloseUserDB(PK11SlotInfo *slot);
213
214	/*
215	* This is exactly the same as OpenUserDB except it can be called on any
216	* module that understands softoken style new slot entries. The resulting
217	* slot can be closed using SECMOD_CloseUserDB above. Value of moduleSpec
218	* is token specific.
219	*/
220	PK11SlotInfo SECMOD_OpenNewSlot(SECMODModule mod, const char *moduleSpec);
221
222	/*
223	* merge the permanent objects from on token to another
224	*/
225	SECStatus PK11_MergeTokens(PK11SlotInfo targetSlot, PK11SlotInfo sourceSlot,
226	PK11MergeLog log, void* targetPwArg, void* *sourcePwArg);
227
228	/*
229	* create and destroy merge logs needed by PK11_MergeTokens
230	*/
231	PK11MergeLog PK11_CreateMergeLog(void*);
232	void PK11_DestroyMergeLog(PK11MergeLog *log);
233
234	/*********************************************************************
235	* Mechanism Mapping functions
236	*********************************************************************/
237	CK_KEY_TYPE PK11_GetKeyType(CK_MECHANISM_TYPE type, unsigned long len);
238	CK_MECHANISM_TYPE PK11_GetKeyGen(CK_MECHANISM_TYPE type);
239	int PK11_GetBlockSize(CK_MECHANISM_TYPE type, SECItem *params);
240	int PK11_GetIVLength(CK_MECHANISM_TYPE type);
241	SECItem PK11_ParamFromIV(CK_MECHANISM_TYPE type, SECItem iv);
242	unsigned char PK11_IVFromParam(CK_MECHANISM_TYPE type, SECItem param, int *len);
243	SECItem PK11_BlockData(SECItem data, unsigned long size);
244
245	/ PKCS #11 to DER mapping functions /
246	SECItem PK11_ParamFromAlgid(SECAlgorithmID algid);
247	SECItem PK11_GenerateNewParam(CK_MECHANISM_TYPE, PK11SymKey );
248	CK_MECHANISM_TYPE PK11_AlgtagToMechanism(SECOidTag algTag);
249	SECOidTag PK11_MechanismToAlgtag(CK_MECHANISM_TYPE type);
250	SECOidTag PK11_FortezzaMapSig(SECOidTag algTag);
251	SECStatus PK11_ParamToAlgid(SECOidTag algtag, SECItem *param,
252	PLArenaPool arena, SECAlgorithmID algid);
253	SECStatus PK11_SeedRandom(PK11SlotInfo , unsigned* char data, int* len);
254	SECStatus PK11_GenerateRandomOnSlot(PK11SlotInfo , unsigned* char data, int* len);
255	SECStatus PK11_RandomUpdate(void *data, size_t bytes);
256	SECStatus PK11_GenerateRandom(unsigned char data, int* len);
257
258	/ warning: cannot work with pkcs 5 v2*
259	* use algorithm ID s instead of pkcs #11 mechanism pointers */
260	CK_RV PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism,
261	CK_MECHANISM_PTR pCryptoMechanism,
262	SECItem *pbe_pwd, PRBool bad3DES);
263	CK_MECHANISM_TYPE PK11_GetPadMechanism(CK_MECHANISM_TYPE);
264	CK_MECHANISM_TYPE PK11_MapSignKeyType(KeyType keyType);
265
266	/**********************************************************************
267	* Symmetric, Public, and Private Keys
268	**********************************************************************/
269	void PK11_FreeSymKey(PK11SymKey *key);
270	PK11SymKey PK11_ReferenceSymKey(PK11SymKey symKey);
271	PK11SymKey PK11_ImportDataKey(PK11SlotInfo slot, CK_MECHANISM_TYPE type, PK11Origin origin,
272	CK_ATTRIBUTE_TYPE operation, SECItem key, void* *wincx);
273	PK11SymKey PK11_ImportSymKey(PK11SlotInfo slot, CK_MECHANISM_TYPE type,
274	PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem key, void* *wincx);
275	PK11SymKey PK11_ImportSymKeyWithFlags(PK11SlotInfo slot,
276	CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation,
277	SECItem key, CK_FLAGS flags, PRBool isPerm, void* *wincx);
278	PK11SymKey PK11_SymKeyFromHandle(PK11SlotInfo slot, PK11SymKey *parent,
279	PK11Origin origin, CK_MECHANISM_TYPE type, CK_OBJECT_HANDLE keyID,
280	PRBool owner, void *wincx);
281	/ PK11_GetWrapKey and PK11_SetWrapKey are not thread safe. /
282	PK11SymKey PK11_GetWrapKey(PK11SlotInfo slot, int wrap,
283	CK_MECHANISM_TYPE type, int series, void *wincx);
284	void PK11_SetWrapKey(PK11SlotInfo slot, int* wrap, PK11SymKey *wrapKey);
285	CK_MECHANISM_TYPE PK11_GetMechanism(PK11SymKey *symKey);
286	/*
287	* import a public key into the desired slot
288	*
289	* This function takes a public key structure and creates a public key in a
290	* given slot. If isToken is set, then a persistant public key is created.
291	*
292	* Note: it is possible for this function to return a handle for a key which
293	* is persistant, even if isToken is not set.
294	*/
295	CK_OBJECT_HANDLE PK11_ImportPublicKey(PK11SlotInfo *slot,
296	SECKEYPublicKey *pubKey, PRBool isToken);
297	PK11SymKey PK11_KeyGen(PK11SlotInfo slot, CK_MECHANISM_TYPE type,
298	SECItem param, int* keySize, void *wincx);
299	PK11SymKey PK11_TokenKeyGen(PK11SlotInfo slot, CK_MECHANISM_TYPE type,
300	SECItem param, int* keySize, SECItem *keyid,
301	PRBool isToken, void *wincx);
302	PK11SymKey PK11_TokenKeyGenWithFlags(PK11SlotInfo slot,
303	CK_MECHANISM_TYPE type, SECItem *param,
304	int keySize, SECItem *keyid, CK_FLAGS opFlags,
305	PK11AttrFlags attrFlags, void *wincx);
306	/ Generates a key using the exact template supplied by the caller. The other*
307	* PK11_[Token]KeyGen mechanisms should be used instead of this one whenever
308	* they work because they include/exclude the CKA_VALUE_LEN template value
309	* based on the mechanism type as required by many tokens.
310	*
311	* keyGenType should be PK11_GetKeyGenWithSize(type, <key size>) or it should
312	* be equal to type if PK11_GetKeyGenWithSize cannot be used (e.g. because
313	* pk11wrap does not know about the mechanisms).
314	*/
315	PK11SymKey PK11_KeyGenWithTemplate(PK11SlotInfo slot, CK_MECHANISM_TYPE type,
316	CK_MECHANISM_TYPE keyGenType,
317	SECItem param, CK_ATTRIBUTE attrs,
318	unsigned int attrsCount, void *wincx);
319	PK11SymKey PK11_ListFixedKeysInSlot(PK11SlotInfo slot, char *nickname,
320	void *wincx);
321	PK11SymKey PK11_GetNextSymKey(PK11SymKey symKey);
322	CK_KEY_TYPE PK11_GetSymKeyType(PK11SymKey *key);
323	CK_OBJECT_HANDLE PK11_GetSymKeyHandle(PK11SymKey *symKey);
324
325	/*
326	* PK11_SetSymKeyUserData
327	* sets generic user data on keys (usually a pointer to a data structure)
328	* that can later be retrieved by PK11_GetSymKeyUserData().
329	* symKey - key where data will be set.
330	* data - data to be set.
331	* freefunc - function used to free the data.
332	* Setting user data on symKeys with existing user data already set will cause
333	* the existing user data to be freed before the new user data is set.
334	* Freeing user data is done by calling the user specified freefunc.
335	* If freefunc is NULL, the user data is assumed to be global or static an
336	* not freed. Passing NULL for user data to PK11_SetSymKeyUserData has the
337	* effect of freeing any existing user data, and clearing the user data
338	* pointer. If user data exists when the symKey is finally freed, that
339	* data will be freed with freefunc.
340	*
341	* Applications should only use this function on keys which the application
342	* has created directly, as there is only one user data value per key.
343	*/
344	void PK11_SetSymKeyUserData(PK11SymKey symKey, void* *data,
345	PK11FreeDataFunc freefunc);
346	/ PK11_GetSymKeyUserData*
347	* retrieves generic user data which was set on a key by
348	* PK11_SetSymKeyUserData.
349	* symKey - key with data to be fetched
350	*
351	* If no data exists, or the data has been cleared, PK11_GetSymKeyUserData
352	* will return NULL. Returned data is still owned and managed by the SymKey,
353	* the caller should not free the data.
354	*
355	*/
356	void PK11_GetSymKeyUserData(PK11SymKey symKey);
357
358	SECStatus PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
359	PK11SymKey symKey, SECItem wrappedKey);
360	SECStatus PK11_PubWrapSymKeyWithMechanism(SECKEYPublicKey *pubKey,
361	CK_MECHANISM_TYPE mechType,
362	SECItem *param,
363	PK11SymKey *symKey,
364	SECItem *wrappedKey);
365	SECStatus PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *params,
366	PK11SymKey wrappingKey, PK11SymKey symKey, SECItem *wrappedKey);
367	/ move a key to 'slot' optionally set the key attributes according to either*
368	* operation or the flags and making the key permanent at the same time.
369	* If the key is moved to the same slot, operation and flags values are
370	* currently ignored */
371	PK11SymKey PK11_MoveSymKey(PK11SlotInfo slot, CK_ATTRIBUTE_TYPE operation,
372	CK_FLAGS flags, PRBool perm, PK11SymKey *symKey);
373	/*
374	* To do joint operations, we often need two keys in the same slot.
375	* Usually the PKCS #11 wrappers handle this correctly (like for PK11_WrapKey),
376	* but sometimes the wrappers don't know about mechanism specific keys in
377	* the Mechanism params. This function makes sure the two keys are in the
378	* same slot by copying one or both of the keys into a common slot. This
379	* functions makes sure the slot can handle the target mechanism. If the copy
380	* is warranted, this function will prefer to move the movingKey first, then
381	* the preferedKey. If the keys are moved, the new keys are returned in
382	* newMovingKey and/or newPreferedKey. The application is responsible
383	* for freeing those keys one the operation is complete.
384	*/
385	SECStatus PK11_SymKeysToSameSlot(CK_MECHANISM_TYPE mech,
386	CK_ATTRIBUTE_TYPE preferedOperation,
387	CK_ATTRIBUTE_TYPE movingOperation,
388	PK11SymKey preferedKey, PK11SymKey movingKey,
389	PK11SymKey **newPreferedKey,
390	PK11SymKey **newMovingKey);
391
392	/*
393	* derive a new key from the base key.
394	* PK11_Derive returns a key which can do exactly one operation, and is
395	* ephemeral (session key).
396	* PK11_DeriveWithFlags is the same as PK11_Derive, except you can use
397	* CKF_ flags to enable more than one operation.
398	* PK11_DeriveWithFlagsPerm is the same as PK11_DeriveWithFlags except you can
399	* (optionally) make the key permanent (token key).
400	*/
401	PK11SymKey PK11_Derive(PK11SymKey baseKey, CK_MECHANISM_TYPE mechanism,
402	SECItem *param, CK_MECHANISM_TYPE target,
403	CK_ATTRIBUTE_TYPE operation, int keySize);
404	PK11SymKey PK11_DeriveWithFlags(PK11SymKey baseKey,
405	CK_MECHANISM_TYPE derive, SECItem *param, CK_MECHANISM_TYPE target,
406	CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags);
407	PK11SymKey PK11_DeriveWithFlagsPerm(PK11SymKey baseKey,
408	CK_MECHANISM_TYPE derive,
409	SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
410	int keySize, CK_FLAGS flags, PRBool isPerm);
411	PK11SymKey *
412	PK11_DeriveWithTemplate(PK11SymKey *baseKey, CK_MECHANISM_TYPE derive,
413	SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
414	int keySize, CK_ATTRIBUTE userAttr, unsigned* int numAttrs,
415	PRBool isPerm);
416
417	PK11SymKey PK11_PubDerive(SECKEYPrivateKey privKey,
418	SECKEYPublicKey pubKey, PRBool isSender, SECItem randomA, SECItem *randomB,
419	CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
420	CK_ATTRIBUTE_TYPE operation, int keySize, void *wincx);
421	PK11SymKey PK11_PubDeriveWithKDF(SECKEYPrivateKey privKey,
422	SECKEYPublicKey pubKey, PRBool isSender, SECItem randomA, SECItem *randomB,
423	CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
424	CK_ATTRIBUTE_TYPE operation, int keySize,
425	CK_ULONG kdf, SECItem sharedData, void* *wincx);
426
427	/*
428	* Concatenate a pair of symmetric keys.
429	*/
430	PK11SymKey PK11_ConcatSymKeys(PK11SymKey left, PK11SymKey *right, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation);
431
432	/*
433	* unwrap a new key with a symetric key.
434	* PK11_Unwrap returns a key which can do exactly one operation, and is
435	* ephemeral (session key).
436	* PK11_UnwrapWithFlags is the same as PK11_Unwrap, except you can use
437	* CKF_ flags to enable more than one operation.
438	* PK11_UnwrapWithFlagsPerm is the same as PK11_UnwrapWithFlags except you can
439	* (optionally) make the key permanent (token key).
440	*/
441	PK11SymKey PK11_UnwrapSymKey(PK11SymKey key,
442	CK_MECHANISM_TYPE wraptype, SECItem param, SECItem wrapppedKey,
443	CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
444	PK11SymKey PK11_UnwrapSymKeyWithFlags(PK11SymKey wrappingKey,
445	CK_MECHANISM_TYPE wrapType, SECItem param, SECItem wrappedKey,
446	CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize,
447	CK_FLAGS flags);
448	PK11SymKey PK11_UnwrapSymKeyWithFlagsPerm(PK11SymKey wrappingKey,
449	CK_MECHANISM_TYPE wrapType,
450	SECItem param, SECItem wrappedKey,
451	CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
452	int keySize, CK_FLAGS flags, PRBool isPerm);
453
454	/*
455	* unwrap a new key with a private key.
456	* PK11_PubUnwrap returns a key which can do exactly one operation, and is
457	* ephemeral (session key).
458	* PK11_PubUnwrapWithFlagsPerm is the same as PK11_PubUnwrap except you can
459	* use * CKF_ flags to enable more than one operation, and optionally make
460	* the key permanent (token key).
461	*/
462	PK11SymKey PK11_PubUnwrapSymKey(SECKEYPrivateKey key, SECItem *wrapppedKey,
463	CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
464	PK11SymKey PK11_PubUnwrapSymKeyWithMechanism(SECKEYPrivateKey key,
465	CK_MECHANISM_TYPE mechType,
466	SECItem *param,
467	SECItem *wrapppedKey,
468	CK_MECHANISM_TYPE target,
469	CK_ATTRIBUTE_TYPE operation,
470	int keySize);
471	PK11SymKey PK11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey wrappingKey,
472	SECItem *wrappedKey, CK_MECHANISM_TYPE target,
473	CK_ATTRIBUTE_TYPE operation, int keySize,
474	CK_FLAGS flags, PRBool isPerm);
475	PK11SymKey PK11_FindFixedKey(PK11SlotInfo slot, CK_MECHANISM_TYPE type,
476	SECItem keyID, void* *wincx);
477	SECStatus PK11_DeleteTokenPrivateKey(SECKEYPrivateKey *privKey, PRBool force);
478	SECStatus PK11_DeleteTokenPublicKey(SECKEYPublicKey *pubKey);
479	SECStatus PK11_DeleteTokenSymKey(PK11SymKey *symKey);
480	SECStatus PK11_DeleteTokenCertAndKey(CERTCertificate cert, void* *wincx);
481	SECKEYPrivateKey PK11_LoadPrivKey(PK11SlotInfo slot,
482	SECKEYPrivateKey privKey, SECKEYPublicKey pubKey,
483	PRBool token, PRBool sensitive);
484	char PK11_GetSymKeyNickname(PK11SymKey symKey);
485	char PK11_GetPrivateKeyNickname(SECKEYPrivateKey privKey);
486	char PK11_GetPublicKeyNickname(SECKEYPublicKey pubKey);
487	SECStatus PK11_SetSymKeyNickname(PK11SymKey symKey, const* char *nickname);
488	SECStatus PK11_SetPrivateKeyNickname(SECKEYPrivateKey *privKey,
489	const char *nickname);
490	SECStatus PK11_SetPublicKeyNickname(SECKEYPublicKey *pubKey,
491	const char *nickname);
492
493	/*
494	* Using __PK11_SetCertificateNickname is DANGEROUS.
495	*
496	* The API will update the NSS database, but it will NOT update the in-memory data.
497	* As a result, after calling this API, there will be INCONSISTENCY between
498	* in-memory data and the database.
499	*
500	* Use of the API should be limited to short-lived tools, which will exit immediately
501	* after using this API.
502	*
503	* If you ignore this warning, your process is TAINTED and will most likely misbehave.
504	*/
505	SECStatus __PK11_SetCertificateNickname(CERTCertificate *cert,
506	const char *nickname);
507
508	/ size to hold key in bytes /
509	unsigned int PK11_GetKeyLength(PK11SymKey *key);
510	/ size of actual secret parts of key in bits /
511	/ algid is because RC4 strength is determined by the effective bits as well*
512	* as the key bits */
513	unsigned int PK11_GetKeyStrength(PK11SymKey key, SECAlgorithmID algid);
514	SECStatus PK11_ExtractKeyValue(PK11SymKey *symKey);
515	SECItem PK11_GetKeyData(PK11SymKey symKey);
516	PK11SlotInfo PK11_GetSlotFromKey(PK11SymKey symKey);
517	void PK11_GetWindow(PK11SymKey symKey);
518
519	/*
520	* Explicitly set the key usage for the generated private key.
521	*
522	* This allows us to specify single use EC and RSA keys whose usage
523	* can be regulated by the underlying token.
524	*
525	* The underlying key usage is set using opFlags. opFlagsMask specifies
526	* which operations are specified by opFlags. For instance to turn encrypt
527	* on and signing off, opFlags would be CKF_ENCRYPT\|CKF_DECRYPT and
528	* opFlagsMask would be CKF_ENCRYPT\|CKF_DECRYPT\|CKF_SIGN\|CKF_VERIFY. You
529	* need to specify both the public and private key flags,
530	* PK11_GenerateKeyPairWithOpFlags will sort out the correct flag to the
531	* correct key type. Flags not specified in opFlagMask will be defaulted
532	* according to mechanism type and token capabilities.
533	*/
534	SECKEYPrivateKey PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo slot,
535	CK_MECHANISM_TYPE type, void param, SECKEYPublicKey *pubk,
536	PK11AttrFlags attrFlags, CK_FLAGS opFlags, CK_FLAGS opFlagsMask,
537	void *wincx);
538	/*
539	* The attrFlags is the logical OR of the PK11_ATTR_XXX bitflags.
540	* These flags apply to the private key. The PK11_ATTR_TOKEN,
541	* PK11_ATTR_SESSION, PK11_ATTR_MODIFIABLE, and PK11_ATTR_UNMODIFIABLE
542	* flags also apply to the public key.
543	*/
544	SECKEYPrivateKey PK11_GenerateKeyPairWithFlags(PK11SlotInfo slot,
545	CK_MECHANISM_TYPE type, void param, SECKEYPublicKey *pubk,
546	PK11AttrFlags attrFlags, void *wincx);
547	SECKEYPrivateKey PK11_GenerateKeyPair(PK11SlotInfo slot,
548	CK_MECHANISM_TYPE type, void param, SECKEYPublicKey *pubk,
549	PRBool isPerm, PRBool isSensitive, void *wincx);
550	SECKEYPrivateKey PK11_FindPrivateKeyFromCert(PK11SlotInfo slot,
551	CERTCertificate cert, void* *wincx);
552	SECKEYPrivateKey PK11_FindKeyByAnyCert(CERTCertificate cert, void *wincx);
553	SECKEYPrivateKey PK11_FindKeyByKeyID(PK11SlotInfo slot, SECItem *keyID,
554	void *wincx);
555	int PK11_GetPrivateModulusLen(SECKEYPrivateKey *key);
556
557	SECStatus PK11_Decrypt(PK11SymKey *symkey,
558	CK_MECHANISM_TYPE mechanism, SECItem *param,
559	unsigned char out, unsigned* int *outLen,
560	unsigned int maxLen,
561	const unsigned char enc, unsigned* int encLen);
562	SECStatus PK11_Encrypt(PK11SymKey *symKey,
563	CK_MECHANISM_TYPE mechanism, SECItem *param,
564	unsigned char out, unsigned* int *outLen,
565	unsigned int maxLen,
566	const unsigned char data, unsigned* int dataLen);
567
568	/ note: despite the name, this function takes a private key. /
569	SECStatus PK11_PubDecryptRaw(SECKEYPrivateKey *key,
570	unsigned char data, unsigned* *outLen,
571	unsigned int maxLen,
572	const unsigned char enc, unsigned* encLen);
573	#define PK11_PrivDecryptRaw PK11_PubDecryptRaw
574	/ The encrypt function that complements the above decrypt function. /
575	SECStatus PK11_PubEncryptRaw(SECKEYPublicKey *key,
576	unsigned char *enc,
577	const unsigned char data, unsigned* dataLen,
578	void *wincx);
579
580	SECStatus PK11_PrivDecryptPKCS1(SECKEYPrivateKey *key,
581	unsigned char data, unsigned* *outLen,
582	unsigned int maxLen,
583	const unsigned char enc, unsigned* encLen);
584	/ The encrypt function that complements the above decrypt function. /
585	SECStatus PK11_PubEncryptPKCS1(SECKEYPublicKey *key,
586	unsigned char *enc,
587	const unsigned char data, unsigned* dataLen,
588	void *wincx);
589
590	SECStatus PK11_PrivDecrypt(SECKEYPrivateKey *key,
591	CK_MECHANISM_TYPE mechanism, SECItem *param,
592	unsigned char out, unsigned* int *outLen,
593	unsigned int maxLen,
594	const unsigned char enc, unsigned* int encLen);
595	SECStatus PK11_PubEncrypt(SECKEYPublicKey *key,
596	CK_MECHANISM_TYPE mechanism, SECItem *param,
597	unsigned char out, unsigned* int *outLen,
598	unsigned int maxLen,
599	const unsigned char data, unsigned* int dataLen,
600	void *wincx);
601
602	SECStatus PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot,
603	SECKEYPrivateKeyInfo pki, SECItem nickname,
604	SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
605	unsigned int usage, void *wincx);
606	SECStatus PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
607	SECKEYPrivateKeyInfo pki, SECItem nickname,
608	SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
609	unsigned int usage, SECKEYPrivateKey *privk, void* *wincx);
610	SECStatus PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot,
611	SECItem derPKI, SECItem nickname,
612	SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
613	unsigned int usage, void *wincx);
614	SECStatus PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
615	SECItem derPKI, SECItem nickname,
616	SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
617	unsigned int usage, SECKEYPrivateKey *privk, void* *wincx);
618	SECStatus PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
619	SECKEYEncryptedPrivateKeyInfo epki, SECItem pwitem,
620	SECItem nickname, SECItem publicValue, PRBool isPerm,
621	PRBool isPrivate, KeyType type,
622	unsigned int usage, void *wincx);
623	SECStatus PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
624	SECKEYEncryptedPrivateKeyInfo epki, SECItem pwitem,
625	SECItem nickname, SECItem publicValue, PRBool isPerm,
626	PRBool isPrivate, KeyType type,
627	unsigned int usage, SECKEYPrivateKey *privk, void* *wincx);
628	SECItem PK11_ExportDERPrivateKeyInfo(SECKEYPrivateKey pk, void *wincx);
629	SECKEYPrivateKeyInfo *PK11_ExportPrivKeyInfo(
630	SECKEYPrivateKey pk, void* *wincx);
631	SECKEYPrivateKeyInfo *PK11_ExportPrivateKeyInfo(
632	CERTCertificate cert, void* *wincx);
633	SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivKeyInfo(
634	PK11SlotInfo slot, SECOidTag algTag, SECItem pwitem,
635	SECKEYPrivateKey pk, int* iteration, void *pwArg);
636	SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivateKeyInfo(
637	PK11SlotInfo slot, SECOidTag algTag, SECItem pwitem,
638	CERTCertificate cert, int* iteration, void *pwArg);
639	/ V2 refers to PKCS #5 V2 here. If a PKCS #5 v1 or PKCS #12 pbe is passed*
640	* for pbeTag, then encTag and hashTag are ignored. If pbe is an encryption
641	* algorithm, then PKCS #5 V2 is used with prfTag for the prf. If prfTag isn't
642	* supplied prf will be SEC_OID_HMAC_SHA1 */
643	SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivKeyInfoV2(
644	PK11SlotInfo *slot, SECOidTag pbeTag, SECOidTag encTag, SECOidTag prfTag,
645	SECItem pwitem, SECKEYPrivateKey pk, int iteration, void *pwArg);
646	SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivateKeyInfoV2(
647	PK11SlotInfo *slot, SECOidTag pbeTag, SECOidTag encTag, SECOidTag prfTag,
648	SECItem pwitem, CERTCertificate cert, int iteration, void *pwArg);
649	SECKEYPrivateKey PK11_FindKeyByDERCert(PK11SlotInfo slot,
650	CERTCertificate cert, void* *wincx);
651	SECKEYPublicKey PK11_MakeKEAPubKey(unsigned* char data, int* length);
652	SECStatus PK11_DigestKey(PK11Context context, PK11SymKey key);
653	PRBool PK11_VerifyKeyOK(PK11SymKey *key);
654	SECKEYPrivateKey PK11_UnwrapPrivKey(PK11SlotInfo slot,
655	PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType,
656	SECItem param, SECItem wrappedKey, SECItem *label,
657	SECItem *publicValue, PRBool token, PRBool sensitive,
658	CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE usage, int* usageCount,
659	void *wincx);
660	SECStatus PK11_WrapPrivKey(PK11SlotInfo slot, PK11SymKey wrappingKey,
661	SECKEYPrivateKey *privKey, CK_MECHANISM_TYPE wrapType,
662	SECItem param, SECItem wrappedKey, void *wincx);
663	/*
664	* The caller of PK11_DEREncodePublicKey should free the returned SECItem with
665	* a SECITEM_FreeItem(..., PR_TRUE) call.
666	*/
667	SECItem PK11_DEREncodePublicKey(const* SECKEYPublicKey *pubk);
668	PK11SymKey PK11_CopySymKeyForSigning(PK11SymKey originalKey,
669	CK_MECHANISM_TYPE mech);
670	SECKEYPrivateKeyList PK11_ListPrivKeysInSlot(PK11SlotInfo slot,
671	char nickname, void* *wincx);
672	SECKEYPublicKeyList PK11_ListPublicKeysInSlot(PK11SlotInfo slot,
673	char *nickname);
674	SECKEYPQGParams PK11_GetPQGParamsFromPrivateKey(SECKEYPrivateKey privKey);
675	/ deprecated /
676	SECKEYPrivateKeyList PK11_ListPrivateKeysInSlot(PK11SlotInfo slot);
677
678	PK11SymKey PK11_ConvertSessionSymKeyToTokenSymKey(PK11SymKey symk,
679	void *wincx);
680	SECKEYPrivateKey *PK11_ConvertSessionPrivKeyToTokenPrivKey(
681	SECKEYPrivateKey privk, void* *wincx);
682	SECKEYPrivateKey PK11_CopyTokenPrivKeyToSessionPrivKey(PK11SlotInfo destSlot,
683	SECKEYPrivateKey *privKey);
684
685	/**********************************************************************
686	* Certs
687	**********************************************************************/
688	SECItem PK11_MakeIDFromPubKey(SECItem pubKeyData);
689	SECStatus PK11_TraverseSlotCerts(
690	SECStatus (callback)(CERTCertificate , SECItem , void* *),
691	void arg, void* *wincx);
692	CERTCertificate PK11_FindCertFromNickname(const* char nickname, void* *wincx);
693	CERTCertificate PK11_FindCertFromURI(const* char uri, void* *wincx);
694	CERTCertList PK11_FindCertsFromURI(const* char uri, void* *wincx);
695	CERTCertList PK11_FindCertsFromEmailAddress(const* char email, void* *wincx);
696	CERTCertList PK11_FindCertsFromNickname(const* char nickname, void* *wincx);
697	CERTCertificate PK11_GetCertFromPrivateKey(SECKEYPrivateKey privKey);
698	SECStatus PK11_ImportCert(PK11SlotInfo slot, CERTCertificate cert,
699	CK_OBJECT_HANDLE key, const char *nickname,
700	PRBool includeTrust);
701	SECStatus PK11_ImportDERCert(PK11SlotInfo slot, SECItem derCert,
702	CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust);
703	PK11SlotInfo PK11_ImportCertForKey(CERTCertificate cert,
704	const char nickname, void* *wincx);
705	PK11SlotInfo PK11_ImportDERCertForKey(SECItem derCert, char *nickname,
706	void *wincx);
707	PK11SlotInfo PK11_KeyForCertExists(CERTCertificate cert,
708	CK_OBJECT_HANDLE keyPtr, void* *wincx);
709	PK11SlotInfo PK11_KeyForDERCertExists(SECItem derCert,
710	CK_OBJECT_HANDLE keyPtr, void* *wincx);
711	CERTCertificate PK11_FindCertByIssuerAndSN(PK11SlotInfo *slot,
712	CERTIssuerAndSN sn, void* *wincx);
713	CERTCertificate PK11_FindCertAndKeyByRecipientList(PK11SlotInfo *slot,
714	SEC_PKCS7RecipientInfo array, SEC_PKCS7RecipientInfo rip,
715	SECKEYPrivateKey *privKey, void* *wincx);
716	int PK11_FindCertAndKeyByRecipientListNew(NSSCMSRecipient **recipientlist,
717	void *wincx);
718	SECStatus PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert,
719	PK11SlotInfo slot, SECStatus (callback)(CERTCertificate , void* *),
720	void *arg);
721	CERTCertificate PK11_FindCertFromDERCert(PK11SlotInfo slot,
722	CERTCertificate cert, void* *wincx);
723	CERTCertificate PK11_FindCertFromDERCertItem(PK11SlotInfo slot,
724	const SECItem derCert, void* *wincx);
725	SECStatus PK11_ImportCertForKeyToSlot(PK11SlotInfo slot, CERTCertificate cert,
726	char *nickname, PRBool addUsage,
727	void *wincx);
728	CERTCertificate PK11_FindBestKEAMatch(CERTCertificate serverCert, void *wincx);
729	PRBool PK11_FortezzaHasKEA(CERTCertificate *cert);
730	CK_OBJECT_HANDLE PK11_FindEncodedCertInSlot(PK11SlotInfo slot, SECItem derCert, void *wincx);
731	CK_OBJECT_HANDLE PK11_FindCertInSlot(PK11SlotInfo slot, CERTCertificate cert,
732	void *wincx);
733	CK_OBJECT_HANDLE PK11_FindObjectForCert(CERTCertificate *cert,
734	void wincx, PK11SlotInfo *pSlot);
735	SECStatus PK11_TraverseCertsForNicknameInSlot(SECItem *nickname,
736	PK11SlotInfo slot, SECStatus (callback)(CERTCertificate , void* *),
737	void *arg);
738	CERTCertList PK11_ListCerts(PK11CertListType type, void* *pwarg);
739	CERTCertList PK11_ListCertsInSlot(PK11SlotInfo slot);
740	CERTSignedCrl PK11_ImportCRL(PK11SlotInfo slot, SECItem derCRL, char* *url,
741	int type, void wincx, PRInt32 importOptions, PLArenaPool arena, PRInt32 decodeOptions);
742	CK_BBOOL PK11_HasAttributeSet(PK11SlotInfo *slot,
743	CK_OBJECT_HANDLE id,
744	CK_ATTRIBUTE_TYPE type,
745	PRBool haslock / must be set to PR_FALSE /);
746
747	/**********************************************************************
748	* Hybrid Public Key Encryption
749	**********************************************************************/
750
751	/ Some of the various HPKE arguments would ideally be const, but the*
752	* underlying PK11 functions take them as non-const. To avoid lying to
753	* the application with a cast, this idiosyncrasy is exposed. */
754	SECStatus PK11_HPKE_ValidateParameters(HpkeKemId kemId, HpkeKdfId kdfId, HpkeAeadId aeadId);
755	HpkeContext *PK11_HPKE_NewContext(HpkeKemId kemId, HpkeKdfId kdfId, HpkeAeadId aeadId,
756	PK11SymKey psk, const* SECItem *pskId);
757	SECStatus PK11_HPKE_Deserialize(const HpkeContext cx, const* PRUint8 *enc,
758	unsigned int encLen, SECKEYPublicKey **outPubKey);
759	void PK11_HPKE_DestroyContext(HpkeContext *cx, PRBool freeit);
760
761	/ Serialize an initialized receiver context. This only retains the keys and*
762	* associated information necessary to resume Export and Open operations after
763	* import. Serialization is currently supported for receiver contexts only.
764	* This is done for two reasons: 1) it avoids having to move the encryption
765	* sequence number outside of the token (or adding encryption context
766	* serialization support to softoken), and 2) we don't have to worry about IV
767	* reuse due to sequence number cloning.
768	*
769	* \|wrapKey\| is required when exporting in FIPS mode. If exported with a
770	* wrapping key, that same key must be provided to the import function,
771	* otherwise behavior is undefined.
772	*
773	* Even when exported with key wrap, HPKE expects the nonce to also be kept
774	* secret and that value is not protected by wrapKey. Applications are
775	* responsible for maintaining the confidentiality of the exported information.
776	*/
777	SECStatus PK11_HPKE_ExportContext(const HpkeContext cx, PK11SymKey wrapKey, SECItem **serialized);
778	SECStatus PK11_HPKE_ExportSecret(const HpkeContext cx, const* SECItem info, unsigned* int L,
779	PK11SymKey **outKey);
780	const SECItem PK11_HPKE_GetEncapPubKey(const* HpkeContext *cx);
781	HpkeContext PK11_HPKE_ImportContext(const* SECItem serialized, PK11SymKey wrapKey);
782	SECStatus PK11_HPKE_Open(HpkeContext cx, const* SECItem aad, const* SECItem ct, SECItem *outPt);
783	SECStatus PK11_HPKE_Seal(HpkeContext cx, const* SECItem aad, const* SECItem pt, SECItem *outCt);
784	SECStatus PK11_HPKE_Serialize(const SECKEYPublicKey pk, PRUint8 buf, unsigned int len, unsigned* int maxLen);
785	SECStatus PK11_HPKE_SetupS(HpkeContext cx, const* SECKEYPublicKey pkE, SECKEYPrivateKey skE,
786	SECKEYPublicKey pkR, const* SECItem *info);
787	SECStatus PK11_HPKE_SetupR(HpkeContext cx, const* SECKEYPublicKey pkR, SECKEYPrivateKey skR,
788	const SECItem enc, const* SECItem *info);
789
790	/**********************************************************************
791	* Sign/Verify
792	**********************************************************************/
793
794	/*
795	* Return the length in bytes of a signature generated with the
796	* private key.
797	*
798	* Return 0 or -1 on failure. (XXX Should we fix it to always return
799	* -1 on failure?)
800	*/
801	int PK11_SignatureLen(SECKEYPrivateKey *key);
802	PK11SlotInfo PK11_GetSlotFromPrivateKey(SECKEYPrivateKey key);
803	SECStatus PK11_Sign(SECKEYPrivateKey key, SECItem sig,
804	const SECItem *hash);
805	SECStatus PK11_SignWithMechanism(SECKEYPrivateKey *key,
806	CK_MECHANISM_TYPE mechanism,
807	const SECItem param, SECItem sig,
808	const SECItem *hash);
809	SECStatus PK11_SignWithSymKey(PK11SymKey *symKey, CK_MECHANISM_TYPE mechanism,
810	SECItem param, SECItem sig, const SECItem *data);
811	SECStatus PK11_VerifyRecover(SECKEYPublicKey key, const* SECItem *sig,
812	SECItem dsig, void* *wincx);
813	SECStatus PK11_Verify(SECKEYPublicKey key, const* SECItem *sig,
814	const SECItem hash, void* *wincx);
815	SECStatus PK11_VerifyWithMechanism(SECKEYPublicKey *key,
816	CK_MECHANISM_TYPE mechanism,
817	const SECItem param, const* SECItem *sig,
818	const SECItem hash, void* *wincx);
819
820	/**********************************************************************
821	* Key Encapsulation Mechanisms
822	**********************************************************************/
823
824	/*
825	* Using the given \|pubKey\|, generate a shared secret in \|outKey\| and an
826	* encapsulation of it in \|ciphertext\|. \|outKey\| will have usage attributes as
827	* specified in \|attrFlags\| and operation attributes as specified in \|opFlags\|.
828	*
829	* The function asserts that \|pubKey\|, \|outKey\|, and \|ciphertext\| are not NULL.
830
831	* If an error occurs, no allocations are made to \|outKey\| and \|ciphertext\|;
832	* otherwise (if SECSuccess is returned) allocations are made to \|outKey\| and
833	* \|ciphertext\| and the caller is responsible for freeing the memory occupied
834	* by these structures.
835	*/
836	SECStatus PK11_Encapsulate(SECKEYPublicKey *pubKey, CK_MECHANISM_TYPE target,
837	PK11AttrFlags attrFlags, CK_FLAGS opFlags,
838	PK11SymKey outKey, SECItem outCiphertext);
839
840	/*
841	* Using the given \|privKey\|, decapsulate \|ciphertext\| and put the resulting
842	* shared secret in \|outKey\|. \|outKey\| will have usage attributes as specified
843	* in \|attrFlags\| and operation attributes as specified in \|opFlags\|.
844	*
845	* The function asserts that \|privKey\|, \|ciphertext\|, and \|outKey\| are not NULL.
846
847	* If an error occurs, \|outKey\| is not allocated; otherwise (if SECSuccess is
848	* returned) \|outKey\| is allocated and the caller is responsible for freeing
849	* the memory occupied by it.
850	*/
851	SECStatus
852	PK11_Decapsulate(SECKEYPrivateKey privKey, const* SECItem *ciphertext,
853	CK_MECHANISM_TYPE target, PK11AttrFlags attrFlags,
854	CK_FLAGS opFlags, PK11SymKey **outKey);
855
856	/**********************************************************************
857	* Crypto Contexts
858	**********************************************************************/
859	void PK11_DestroyContext(PK11Context *context, PRBool freeit);
860	PK11Context *PK11_CreateContextBySymKey(CK_MECHANISM_TYPE type,
861	CK_ATTRIBUTE_TYPE operation,
862	PK11SymKey *symKey,
863	const SECItem *param);
864	PK11Context *PK11_CreateContextByPubKey(CK_MECHANISM_TYPE type,
865	CK_ATTRIBUTE_TYPE operation,
866	SECKEYPublicKey *pubKey,
867	const SECItem param, void* *pwArg);
868	PK11Context *PK11_CreateContextByPrivKey(CK_MECHANISM_TYPE type,
869	CK_ATTRIBUTE_TYPE operation,
870	SECKEYPrivateKey *privKey,
871	const SECItem *param);
872	PK11Context *PK11_CreateDigestContext(SECOidTag hashAlg);
873	PK11Context PK11_CloneContext(PK11Context old);
874	SECStatus PK11_DigestBegin(PK11Context *cx);
875	/*
876	* The output buffer 'out' must be big enough to hold the output of
877	* the hash algorithm 'hashAlg'.
878	*/
879	SECStatus PK11_HashBuf(SECOidTag hashAlg, unsigned char *out,
880	const unsigned char *in, PRInt32 len);
881	SECStatus PK11_DigestOp(PK11Context context, const* unsigned char *in,
882	unsigned len);
883	SECStatus PK11_CipherOp(PK11Context context, unsigned* char out, int* *outlen,
884	int maxout, const unsigned char in, int* inlen);
885	/ application builds the mechanism specific params /
886	SECStatus PK11_AEADRawOp(PK11Context context, void* params, int* paramslen,
887	const unsigned char aad, int* aadlen,
888	unsigned char out, int* *outlen,
889	int maxout, const unsigned char in, int* inlen);
890	/ NSS builds the mechanism specific params /
891	SECStatus PK11_AEADOp(PK11Context *context, CK_GENERATOR_FUNCTION ivGen,
892	int fixedbits, unsigned char iv, int* ivlen,
893	const unsigned char aad, int* aadlen,
894	unsigned char out, int* *outlen,
895	int maxout, unsigned char tag, int* taglen,
896	const unsigned char in, int* inlen);
897
898	SECStatus PK11_Finalize(PK11Context *context);
899	SECStatus PK11_DigestFinal(PK11Context context, unsigned* char *data,
900	unsigned int outLen, unsigned* int length);
901	#define PK11_CipherFinal PK11_DigestFinal
902	SECStatus PK11_SaveContext(PK11Context cx, unsigned* char *save,
903	int len, int* saveLength);
904
905	/ Save the context's state, with possible allocation.*
906	* The caller may supply an already allocated buffer in preAllocBuf,
907	* with length pabLen. If the buffer is large enough for the context's
908	* state, it will receive the state.
909	* If the buffer is not large enough (or NULL), then a new buffer will
910	* be allocated with PORT_Alloc.
911	* In either case, the state will be returned as a buffer, and the length
912	* of the state will be given in *stateLen.
913	*/
914	unsigned char *
915	PK11_SaveContextAlloc(PK11Context *cx,
916	unsigned char preAllocBuf, unsigned* int pabLen,
917	unsigned int *stateLen);
918
919	SECStatus PK11_RestoreContext(PK11Context cx, unsigned* char save, int* len);
920	SECStatus PK11_GenerateFortezzaIV(PK11SymKey symKey, unsigned* char iv, int* len);
921	void PK11_SetFortezzaHack(PK11SymKey *symKey);
922
923	/**********************************************************************
924	* PBE functions
925	**********************************************************************/
926
927	/ This function creates PBE parameters from the given inputs. The result*
928	* can be used to create a password integrity key for PKCS#12, by sending
929	* the return value to PK11_KeyGen along with the appropriate mechanism.
930	*/
931	SECItem *
932	PK11_CreatePBEParams(SECItem salt, SECItem pwd, unsigned int iterations);
933
934	/ free params created above (can be called after keygen is done /
935	void PK11_DestroyPBEParams(SECItem *params);
936
937	SECAlgorithmID *
938	PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt);
939
940	/ use to create PKCS5 V2 algorithms with finder control than that provided*
941	* by PK11_CreatePBEAlgorithmID. */
942	SECAlgorithmID *
943	PK11_CreatePBEV2AlgorithmID(SECOidTag pbeAlgTag, SECOidTag cipherAlgTag,
944	SECOidTag prfAlgTag, int keyLength, int iteration,
945	SECItem *salt);
946	PK11SymKey *
947	PK11_PBEKeyGen(PK11SlotInfo slot, SECAlgorithmID algid, SECItem *pwitem,
948	PRBool faulty3DES, void *wincx);
949
950	/ warning: cannot work with PKCS 5 v2 use PK11_PBEKeyGen instead /
951	PK11SymKey *
952	PK11_RawPBEKeyGen(PK11SlotInfo slot, CK_MECHANISM_TYPE type, SECItem params,
953	SECItem pwitem, PRBool faulty3DES, void* *wincx);
954	SECItem *
955	PK11_GetPBEIV(SECAlgorithmID algid, SECItem pwitem);
956	/*
957	* Get the Mechanism and parameter of the base encryption or mac scheme from
958	* a PBE algorithm ID.
959	* Caller is responsible for freeing the return parameter (param).
960	*/
961	CK_MECHANISM_TYPE
962	PK11_GetPBECryptoMechanism(SECAlgorithmID *algid,
963	SECItem *param, SECItem pwd);
964
965	/**********************************************************************
966	* Functions to manage secmod flags
967	**********************************************************************/
968	const PK11DefaultArrayEntry PK11_GetDefaultArray(int* *size);
969	SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *slot,
970	const PK11DefaultArrayEntry *entry,
971	PRBool add);
972
973	/**********************************************************************
974	* Functions to look at PKCS #11 dependent data
975	**********************************************************************/
976	PK11GenericObject PK11_FindGenericObjects(PK11SlotInfo slot,
977	CK_OBJECT_CLASS objClass);
978	PK11GenericObject PK11_GetNextGenericObject(PK11GenericObject object);
979	PK11GenericObject PK11_GetPrevGenericObject(PK11GenericObject object);
980	SECStatus PK11_UnlinkGenericObject(PK11GenericObject *object);
981	SECStatus PK11_LinkGenericObject(PK11GenericObject *list,
982	PK11GenericObject *object);
983	SECStatus PK11_DestroyGenericObjects(PK11GenericObject *object);
984	SECStatus PK11_DestroyGenericObject(PK11GenericObject *object);
985	PK11GenericObject PK11_CreateManagedGenericObject(PK11SlotInfo slot,
986	const CK_ATTRIBUTE *pTemplate,
987	int count, PRBool token);
988	/ deprecated /
989	PK11GenericObject PK11_CreateGenericObject(PK11SlotInfo slot,
990	const CK_ATTRIBUTE *pTemplate,
991	int count, PRBool token);
992
993	/*
994	* PK11_ReadRawAttribute and PK11_WriteRawAttribute are generic
995	* functions to read and modify the actual PKCS #11 attributes of
996	* the underlying pkcs #11 object.
997	*
998	* object is a pointer to an NSS object that represents the underlying
999	* PKCS #11 object. It's type must match the type of PK11ObjectType
1000	* as follows:
1001	*
1002	* type object
1003	* PK11_TypeGeneric PK11GenericObject *
1004	* PK11_TypePrivKey SECKEYPrivateKey *
1005	* PK11_TypePubKey SECKEYPublicKey *
1006	* PK11_TypeSymKey PK11SymKey *
1007	*
1008	* All other types are considered invalid. If type does not match the object
1009	* passed, unpredictable results will occur.
1010	*
1011	* PK11_ReadRawAttribute allocates the buffer for returning the attribute
1012	* value. The caller of PK11_ReadRawAttribute should free the data buffer
1013	* pointed to by item using a SECITEM_FreeItem(item, PR_FALSE) or
1014	* PORT_Free(item->data) call.
1015	*/
1016	SECStatus PK11_ReadRawAttribute(PK11ObjectType type, void *object,
1017	CK_ATTRIBUTE_TYPE attr, SECItem *item);
1018	SECStatus PK11_ReadRawAttributes(PLArenaPool arena, PK11ObjectType type, void* *object,
1019	CK_ATTRIBUTE pTemplate, unsigned* int count);
1020	SECStatus PK11_WriteRawAttribute(PK11ObjectType type, void *object,
1021	CK_ATTRIBUTE_TYPE attr, SECItem *item);
1022	/ get the PKCS #11 handle and slot for a generic object /
1023	CK_OBJECT_HANDLE PK11_GetObjectHandle(PK11ObjectType objType, void *objSpec,
1024	PK11SlotInfo **slotp);
1025
1026	/*
1027	* PK11_GetAllSlotsForCert returns all the slots that a given certificate
1028	* exists on, since it's possible for a cert to exist on more than one
1029	* PKCS#11 token.
1030	*/
1031	PK11SlotList *
1032	PK11_GetAllSlotsForCert(CERTCertificate cert, void* *arg);
1033
1034	/*
1035	* Finds all certificates on the given slot with the given subject distinguished
1036	* name and returns them as DER bytes. If no such certificates can be found,
1037	* returns SECSuccess and sets *results to NULL. If a failure is encountered
1038	* while fetching any of the matching certificates, SECFailure is returned and
1039	* *results will be NULL.
1040	*/
1041	SECStatus
1042	PK11_FindRawCertsWithSubject(PK11SlotInfo slot, SECItem derSubject,
1043	CERTCertificateList **results);
1044
1045	/*
1046	* Finds and returns all certificates with a public key that matches the given
1047	* private key. May return an empty list if no certificates match. Returns NULL
1048	* if a failure is encountered.
1049	*/
1050	CERTCertList *
1051	PK11_GetCertsMatchingPrivateKey(SECKEYPrivateKey *privKey);
1052
1053	/**********************************************************************
1054	* New functions which are already deprecated....
1055	**********************************************************************/
1056	SECItem *
1057	PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot,
1058	CERTCertificate cert, void* *pwarg);
1059	SECItem *
1060	PK11_GetLowLevelKeyIDForPrivateKey(SECKEYPrivateKey *key);
1061
1062	PRBool SECMOD_HasRootCerts(void);
1063
1064	/**********************************************************************
1065	* Other Utilities
1066	**********************************************************************/
1067	/*
1068	* Get the state of the system FIPS mode -
1069	* NSS uses this to force FIPS mode if the system bit is on. This returns
1070	* the system state independent of the database state and can be called
1071	* before NSS initializes.
1072	*/
1073	int SECMOD_GetSystemFIPSEnabled(void);
1074
1075	/ FIPS indicator functions. Some operations are physically allowed, but*
1076	* are against the NSS FIPS security policy. This is because sometimes NSS
1077	* functions are used in non-security contexts. You can call these functions
1078	* to determine if you are operating inside or outside the the current vendor's
1079	* FIPS Security Policy for NSS. NOTE: if the current version of NSS is not
1080	* actually FIPS certified, then these functions will always return PR_FALSE */
1081
1082	/ This function tells if if the last single shot operation on the slot*
1083	* was inside or outside the FIPS security policy */
1084	PRBool PK11_SlotGetLastFIPSStatus(PK11SlotInfo *slot);
1085	/ This tells you if the current operation is within the FIPS security policy. If*
1086	* you have called finalize on the context, it tells you if the last operation
1087	* was within the FIPS security policy */
1088	PRBool PK11_ContextGetFIPSStatus(PK11Context *context);
1089	/ This tells you if the requested object was created in accordance to the*
1090	* NSS FIPS security policy. */
1091	PRBool PK11_ObjectGetFIPSStatus(PK11ObjectType objType, void *objSpec);
1092
1093	SEC_END_PROTOS
1094
1095	#endif
1096

source code of include/nss/pk11pub.h