secmodt.h source code [include/nss/secmodt.h]

1	/ This Source Code Form is subject to the terms of the Mozilla Public*
2	* License, v. 2.0. If a copy of the MPL was not distributed with this
3	* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4	#ifndef _SECMODT_H_
5	#define _SECMODT_H_ 1
6
7	#include "nssrwlkt.h"
8	#include "nssilckt.h"
9	#include "secoid.h"
10	#include "secasn1.h"
11	#include "pkcs11t.h"
12	#include "utilmodt.h"
13
14	SEC_BEGIN_PROTOS
15
16	/ find a better home for these... /
17	extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
18	SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate)
19	extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
20	SEC_ASN1_CHOOSER_DECLARE(SECKEY_EncryptedPrivateKeyInfoTemplate)
21	extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
22	SEC_ASN1_CHOOSER_DECLARE(SECKEY_PrivateKeyInfoTemplate)
23	extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
24	SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToPrivateKeyInfoTemplate)
25
26	SEC_END_PROTOS
27
28	/ PKCS11 needs to be included /
29	typedef struct SECMODModuleStr SECMODModule;
30	typedef struct SECMODModuleListStr SECMODModuleList;
31	typedef NSSRWLock SECMODListLock;
32	typedef struct PK11SlotInfoStr PK11SlotInfo; / defined in secmodti.h /
33	typedef struct NSSUTILPreSlotInfoStr PK11PreSlotInfo; / defined in secmodti.h /
34	typedef struct PK11SymKeyStr PK11SymKey; / defined in secmodti.h /
35	typedef struct PK11ContextStr PK11Context; / defined in secmodti.h /
36	typedef struct PK11SlotListStr PK11SlotList;
37	typedef struct PK11SlotListElementStr PK11SlotListElement;
38	typedef struct PK11RSAGenParamsStr PK11RSAGenParams;
39	typedef unsigned long SECMODModuleID;
40	typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry;
41	typedef struct PK11GenericObjectStr PK11GenericObject;
42	typedef void (PK11FreeDataFunc)(void* *);
43
44	struct SECMODModuleStr {
45	PLArenaPool *arena;
46	PRBool internal; / true of internally linked modules, false*
47	* for the loaded modules */
48	PRBool loaded; / Set to true if module has been loaded /
49	PRBool isFIPS; / Set to true if module is finst internal /
50	char dllName; /* name of the shared library which implements*
51	* this module */
52	char commonName; /* name of the module to display to the user /
53	void library; /* pointer to the library. opaque. used only by*
54	* pk11load.c */
55	void functionList; /* The PKCS #11 function table /
56	PZLock refLock; /* only used pk11db.c /
57	int refCount; / Module reference count /
58	PK11SlotInfo *slots; /* array of slot points attached to this mod/
59	int slotCount; / count of slot in above array /
60	PK11PreSlotInfo slotInfo; /* special info about slots default settings /
61	int slotInfoCount; / count /
62	SECMODModuleID moduleID; / ID so we can find this module again /
63	PRBool isThreadSafe;
64	unsigned long ssl[`2`]; / SSL cipher enable flags /
65	char libraryParams; /* Module specific parameters /
66	void moduleDBFunc; /* function to return module configuration data/
67	SECMODModule parent; /* module that loaded us /
68	PRBool isCritical; / This module must load successfully /
69	PRBool isModuleDB; / this module has lists of PKCS #11 modules /
70	PRBool moduleDBOnly; / this module only has lists of PKCS #11 modules /
71	int trustOrder; / order for this module's certificate trust rollup /
72	int cipherOrder; / order for cipher operations /
73	unsigned long evControlMask; / control the running and shutdown of slot*
74	* events (SECMOD_WaitForAnyTokenEvent) */
75	CK_VERSION cryptokiVersion; / version of this library /
76	CK_FLAGS flags; / pkcs11 v3 flags /
77	/ Warning this could go way in future versions of NSS*
78	* when FIPS indicators wind up in the functionList */
79	CK_NSS_GetFIPSStatus fipsIndicator;
80	};
81
82	/ evControlMask flags /
83	/*
84	* These bits tell the current state of a SECMOD_WaitForAnyTokenEvent.
85	*
86	* SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in
87	* C_WaitForSlotEvent().
88	* SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code
89	* which polls for token insertion and removal events.
90	* SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is
91	* waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent
92	* should return immediately to it's caller.
93	*/
94	#define SECMOD_END_WAIT 0x01
95	#define SECMOD_WAIT_SIMULATED_EVENT 0x02
96	#define SECMOD_WAIT_PKCS11_EVENT 0x04
97
98	struct SECMODModuleListStr {
99	SECMODModuleList *next;
100	SECMODModule *module;
101	};
102
103	struct PK11SlotListStr {
104	PK11SlotListElement *head;
105	PK11SlotListElement *tail;
106	PZLock *lock;
107	};
108
109	struct PK11SlotListElementStr {
110	PK11SlotListElement *next;
111	PK11SlotListElement *prev;
112	PK11SlotInfo *slot;
113	int refCount;
114	};
115
116	struct PK11RSAGenParamsStr {
117	int keySizeInBits;
118	unsigned long pe;
119	};
120
121	typedef enum {
122	PK11CertListUnique = `0`, / get one instance of all certs /
123	PK11CertListUser = `1`, / get all instances of user certs /
124	PK11CertListRootUnique = `2`, / get one instance of CA certs without a private key.*
125	* deprecated. Use PK11CertListCAUnique
126	*/
127	PK11CertListCA = `3`, / get all instances of CA certs /
128	PK11CertListCAUnique = `4`, / get one instance of CA certs /
129	PK11CertListUserUnique = `5`, / get one instance of user certs /
130	PK11CertListAll = `6` / get all instances of all certs /
131	} PK11CertListType;
132
133	/*
134	* Entry into the array which lists all the legal bits for the default flags
135	* in the slot, their definition, and the PKCS #11 mechanism they represent.
136	* Always statically allocated.
137	*/
138	struct PK11DefaultArrayEntryStr {
139	const char *name;
140	unsigned long flag;
141	unsigned long mechanism; / this is a long so we don't include the*
142	* whole pkcs 11 world to use this header */
143	};
144
145	/*
146	* PK11AttrFlags
147	*
148	* A 32-bit bitmask of PK11_ATTR_XXX flags
149	*/
150	typedef PRUint32 PK11AttrFlags;
151
152	/*
153	* PK11_ATTR_XXX
154	*
155	* The following PK11_ATTR_XXX bitflags are used to specify
156	* PKCS #11 object attributes that have Boolean values. Some NSS
157	* functions have a "PK11AttrFlags attrFlags" parameter whose value
158	* is the logical OR of these bitflags. NSS use these bitflags on
159	* private keys or secret keys. Some of these bitflags also apply
160	* to the public keys associated with the private keys.
161	*
162	* For each PKCS #11 object attribute, we need two bitflags to
163	* specify not only "true" and "false" but also "default". For
164	* example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the
165	* CKA_PRIVATE attribute. If PK11_ATTR_PRIVATE is set, we add
166	* { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) }
167	* to the template. If PK11_ATTR_PUBLIC is set, we add
168	* { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) }
169	* to the template. If neither flag is set, we don't add any
170	* CKA_PRIVATE entry to the template.
171	*/
172
173	/*
174	* Attributes for PKCS #11 storage objects, which include not only
175	* keys but also certificates and domain parameters.
176	*/
177
178	/*
179	* PK11_ATTR_TOKEN
180	* PK11_ATTR_SESSION
181	*
182	* These two flags determine whether the object is a token or
183	* session object.
184	*
185	* These two flags are related and cannot both be set.
186	* If the PK11_ATTR_TOKEN flag is set, the object is a token
187	* object. If the PK11_ATTR_SESSION flag is set, the object is
188	* a session object. If neither flag is set, the object is *by
189	* default* a session object.
190	*
191	* These two flags specify the value of the PKCS #11 CKA_TOKEN
192	* attribute.
193	*/
194	#define PK11_ATTR_TOKEN 0x00000001L
195	#define PK11_ATTR_SESSION 0x00000002L
196
197	/*
198	* PK11_ATTR_PRIVATE
199	* PK11_ATTR_PUBLIC
200	*
201	* These two flags determine whether the object is a private or
202	* public object. A user may not access a private object until the
203	* user has authenticated to the token.
204	*
205	* These two flags are related and cannot both be set.
206	* If the PK11_ATTR_PRIVATE flag is set, the object is a private
207	* object. If the PK11_ATTR_PUBLIC flag is set, the object is a
208	* public object. If neither flag is set, it is token-specific
209	* whether the object is private or public.
210	*
211	* These two flags specify the value of the PKCS #11 CKA_PRIVATE
212	* attribute. NSS only uses this attribute on private and secret
213	* keys, so public keys created by NSS get the token-specific
214	* default value of the CKA_PRIVATE attribute.
215	*/
216	#define PK11_ATTR_PRIVATE 0x00000004L
217	#define PK11_ATTR_PUBLIC 0x00000008L
218
219	/*
220	* PK11_ATTR_MODIFIABLE
221	* PK11_ATTR_UNMODIFIABLE
222	*
223	* These two flags determine whether the object is modifiable or
224	* read-only.
225	*
226	* These two flags are related and cannot both be set.
227	* If the PK11_ATTR_MODIFIABLE flag is set, the object can be
228	* modified. If the PK11_ATTR_UNMODIFIABLE flag is set, the object
229	* is read-only. If neither flag is set, the object is by default
230	* modifiable.
231	*
232	* These two flags specify the value of the PKCS #11 CKA_MODIFIABLE
233	* attribute.
234	*/
235	#define PK11_ATTR_MODIFIABLE 0x00000010L
236	#define PK11_ATTR_UNMODIFIABLE 0x00000020L
237
238	/ Attributes for PKCS #11 key objects. /
239
240	/*
241	* PK11_ATTR_SENSITIVE
242	* PK11_ATTR_INSENSITIVE
243	*
244	* These two flags are related and cannot both be set.
245	* If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive.
246	* If the PK11_ATTR_INSENSITIVE flag is set, the key is not
247	* sensitive. If neither flag is set, it is token-specific whether
248	* the key is sensitive or not.
249	*
250	* If a key is sensitive, certain attributes of the key cannot be
251	* revealed in plaintext outside the token.
252	*
253	* This flag specifies the value of the PKCS #11 CKA_SENSITIVE
254	* attribute. Although the default value of the CKA_SENSITIVE
255	* attribute for secret keys is CK_FALSE per PKCS #11, some FIPS
256	* tokens set the default value to CK_TRUE because only CK_TRUE
257	* is allowed. So in practice the default value of this attribute
258	* is token-specific, hence the need for two bitflags.
259	*/
260	#define PK11_ATTR_SENSITIVE 0x00000040L
261	#define PK11_ATTR_INSENSITIVE 0x00000080L
262
263	/*
264	* PK11_ATTR_EXTRACTABLE
265	* PK11_ATTR_UNEXTRACTABLE
266	*
267	* These two flags are related and cannot both be set.
268	* If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable
269	* and can be wrapped. If the PK11_ATTR_UNEXTRACTABLE flag is set,
270	* the key is not extractable, and certain attributes of the key
271	* cannot be revealed in plaintext outside the token (just like a
272	* sensitive key). If neither flag is set, it is token-specific
273	* whether the key is extractable or not.
274	*
275	* These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE
276	* attribute.
277	*/
278	#define PK11_ATTR_EXTRACTABLE 0x00000100L
279	#define PK11_ATTR_UNEXTRACTABLE 0x00000200L
280
281	/ Cryptographic module types /
282	#define SECMOD_EXTERNAL 0 /* external module */
283	#define SECMOD_INTERNAL 1 /* internal default module */
284	#define SECMOD_FIPS 2 /* internal fips module */
285
286	/ default module configuration strings /
287	#define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]"
288
289	#define SECMOD_MAKE_NSS_FLAGS(fips, slot) \
290	"Flags=internal,critical" fips " slotparams=(" #slot "={" SECMOD_SLOT_FLAGS "})"
291
292	#define SECMOD_INT_NAME "NSS Internal PKCS #11 Module"
293	#define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("", 1)
294	#define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
295	#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips", 3)
296
297	/*
298	* What is the origin of a given Key. Normally this doesn't matter, but
299	* the fortezza code needs to know if it needs to invoke the SSL3 fortezza
300	* hack.
301	*/
302	typedef enum {
303	PK11_OriginNULL = `0`, / There is not key, it's a null SymKey /
304	PK11_OriginDerive = `1`, / Key was derived from some other key /
305	PK11_OriginGenerated = `2`, / Key was generated (also PBE keys) /
306	PK11_OriginFortezzaHack = `3`, / Key was marked for fortezza hack /
307	PK11_OriginUnwrap = `4` / Key was unwrapped or decrypted /
308	} PK11Origin;
309
310	/ PKCS #11 disable reasons /
311	typedef enum {
312	PK11_DIS_NONE = `0`,
313	PK11_DIS_USER_SELECTED = `1`,
314	PK11_DIS_COULD_NOT_INIT_TOKEN = `2`,
315	PK11_DIS_TOKEN_VERIFY_FAILED = `3`,
316	PK11_DIS_TOKEN_NOT_PRESENT = `4`
317	} PK11DisableReasons;
318
319	/ types of PKCS #11 objects*
320	* used to identify which NSS data structure is
321	* passed to the PK11_Raw* functions. Types map as follows:
322	* PK11_TypeGeneric PK11GenericObject *
323	* PK11_TypePrivKey SECKEYPrivateKey *
324	* PK11_TypePubKey SECKEYPublicKey *
325	* PK11_TypeSymKey PK11SymKey *
326	* PK11_TypeCert CERTCertificate * (currently not used).
327	*/
328	typedef enum {
329	PK11_TypeGeneric = `0`,
330	PK11_TypePrivKey = `1`,
331	PK11_TypePubKey = `2`,
332	PK11_TypeCert = `3`,
333	PK11_TypeSymKey = `4`
334	} PK11ObjectType;
335
336	/ function pointer type for password callback function.*
337	* This type is passed in to PK11_SetPasswordFunc()
338	*/
339	typedef char (PR_CALLBACK PK11PasswordFunc)(PK11SlotInfo slot, PRBool retry, void* *arg);
340	typedef PRBool(PR_CALLBACK PK11VerifyPasswordFunc)(PK11SlotInfo slot, void *arg);
341	typedef PRBool(PR_CALLBACK PK11IsLoggedInFunc)(PK11SlotInfo slot, void *arg);
342
343	/*
344	* Special strings the password callback function can return only if
345	* the slot is an protected auth path slot.
346	*/
347	#define PK11_PW_RETRY "RETRY" /* an failed attempt to authenticate \
348	* has already been made, just retry \
349	* the operation */
350	#define PK11_PW_AUTHENTICATED "AUTH" /* a successful attempt to authenticate \
351	* has completed. Continue without \
352	* another call to C_Login */
353	/ All other non-null values mean that that NSS could call C_Login to force*
354	* the authentication. The following define is to aid applications in
355	* documenting that is what it's trying to do */
356	#define PK11_PW_TRY "TRY" /* Default: a prompt has been presented \
357	* to the user, initiate a C_Login \
358	* to authenticate the token */
359
360	/*
361	* PKCS #11 key structures
362	*/
363
364	/*
365	** Attributes
366	*/
367	struct SECKEYAttributeStr {
368	SECItem attrType;
369	SECItem **attrValue;
370	};
371	typedef struct SECKEYAttributeStr SECKEYAttribute;
372
373	/*
374	** A PKCS#8 private key info object
375	*/
376	struct SECKEYPrivateKeyInfoStr {
377	PLArenaPool *arena;
378	SECItem version;
379	SECAlgorithmID algorithm;
380	SECItem privateKey;
381	SECKEYAttribute **attributes;
382	};
383	typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo;
384
385	/*
386	** A PKCS#8 private key info object
387	*/
388	struct SECKEYEncryptedPrivateKeyInfoStr {
389	PLArenaPool *arena;
390	SECAlgorithmID algorithm;
391	SECItem encryptedData;
392	};
393	typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo;
394
395	/*
396	* token removal detection
397	*/
398	typedef enum {
399	PK11TokenNotRemovable = `0`,
400	PK11TokenPresent = `1`,
401	PK11TokenChanged = `2`,
402	PK11TokenRemoved = `3`
403	} PK11TokenStatus;
404
405	typedef enum {
406	PK11TokenRemovedOrChangedEvent = `0`,
407	PK11TokenPresentEvent = `1`
408	} PK11TokenEvent;
409
410	/*
411	* CRL Import Flags
412	*/
413	#define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000
414	#define CRL_IMPORT_BYPASS_CHECKS 0x00000001
415
416	/*
417	* Merge Error Log
418	*/
419	typedef struct PK11MergeLogStr PK11MergeLog;
420	typedef struct PK11MergeLogNodeStr PK11MergeLogNode;
421
422	/ These need to be global, leave some open fields so we can 'expand'*
423	* these without breaking binary compatibility */
424	struct PK11MergeLogNodeStr {
425	PK11MergeLogNode next; /* next entry in the list /
426	PK11MergeLogNode prev; /* last entry in the list /
427	PK11GenericObject object; /* object that failed /
428	int error; / what the error was /
429	CK_RV reserved1;
430	unsigned long reserved2; / future flags /
431	unsigned long reserved3; / future scalar /
432	void reserved4; /* future pointer /
433	void reserved5; /* future expansion pointer /
434	};
435
436	struct PK11MergeLogStr {
437	PK11MergeLogNode *head;
438	PK11MergeLogNode *tail;
439	PLArenaPool *arena;
440	int version;
441	unsigned long reserved1;
442	unsigned long reserved2;
443	unsigned long reserved3;
444	void *reserverd4;
445	void *reserverd5;
446	};
447
448	#endif /_SECMODT_H_ /
449

source code of include/nss/secmodt.h