comparison nss/lib/pk11wrap/secmodt.h @ 0:1e5118fa0cb1

This is NSS with a Cmake Buildsyste To compile a static NSS library for Windows we've used the Chromium-NSS fork and added a Cmake buildsystem to compile it statically for Windows. See README.chromium for chromium changes and README.trustbridge for our modifications.
author Andre Heinecke <andre.heinecke@intevation.de>
date Mon, 28 Jul 2014 10:47:06 +0200
parents
children
comparison
equal deleted inserted replaced
-1:000000000000 0:1e5118fa0cb1
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4 #ifndef _SECMODT_H_
5 #define _SECMODT_H_ 1
6
7 #include "nssrwlkt.h"
8 #include "nssilckt.h"
9 #include "secoid.h"
10 #include "secasn1.h"
11 #include "pkcs11t.h"
12 #include "utilmodt.h"
13
14 SEC_BEGIN_PROTOS
15
16 /* find a better home for these... */
17 extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
18 SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate)
19 extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
20 SEC_ASN1_CHOOSER_DECLARE(SECKEY_EncryptedPrivateKeyInfoTemplate)
21 extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
22 SEC_ASN1_CHOOSER_DECLARE(SECKEY_PrivateKeyInfoTemplate)
23 extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
24 SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToPrivateKeyInfoTemplate)
25
26 SEC_END_PROTOS
27
28 /* PKCS11 needs to be included */
29 typedef struct SECMODModuleStr SECMODModule;
30 typedef struct SECMODModuleListStr SECMODModuleList;
31 typedef NSSRWLock SECMODListLock;
32 typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */
33 typedef struct NSSUTILPreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */
34 typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */
35 typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */
36 typedef struct PK11SlotListStr PK11SlotList;
37 typedef struct PK11SlotListElementStr PK11SlotListElement;
38 typedef struct PK11RSAGenParamsStr PK11RSAGenParams;
39 typedef unsigned long SECMODModuleID;
40 typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry;
41 typedef struct PK11GenericObjectStr PK11GenericObject;
42 typedef void (*PK11FreeDataFunc)(void *);
43
44 struct SECMODModuleStr {
45 PLArenaPool *arena;
46 PRBool internal; /* true of internally linked modules, false
47 * for the loaded modules */
48 PRBool loaded; /* Set to true if module has been loaded */
49 PRBool isFIPS; /* Set to true if module is finst internal */
50 char *dllName; /* name of the shared library which implements
51 * this module */
52 char *commonName; /* name of the module to display to the user */
53 void *library; /* pointer to the library. opaque. used only by
54 * pk11load.c */
55 void *functionList; /* The PKCS #11 function table */
56 PZLock *refLock; /* only used pk11db.c */
57 int refCount; /* Module reference count */
58 PK11SlotInfo **slots; /* array of slot points attached to this mod*/
59 int slotCount; /* count of slot in above array */
60 PK11PreSlotInfo *slotInfo; /* special info about slots default settings */
61 int slotInfoCount; /* count */
62 SECMODModuleID moduleID; /* ID so we can find this module again */
63 PRBool isThreadSafe;
64 unsigned long ssl[2]; /* SSL cipher enable flags */
65 char *libraryParams; /* Module specific parameters */
66 void *moduleDBFunc; /* function to return module configuration data*/
67 SECMODModule *parent; /* module that loaded us */
68 PRBool isCritical; /* This module must load successfully */
69 PRBool isModuleDB; /* this module has lists of PKCS #11 modules */
70 PRBool moduleDBOnly; /* this module only has lists of PKCS #11 modules */
71 int trustOrder; /* order for this module's certificate trust rollup */
72 int cipherOrder; /* order for cipher operations */
73 unsigned long evControlMask; /* control the running and shutdown of slot
74 * events (SECMOD_WaitForAnyTokenEvent) */
75 CK_VERSION cryptokiVersion; /* version of this library */
76 };
77
78 /* evControlMask flags */
79 /*
80 * These bits tell the current state of a SECMOD_WaitForAnyTokenEvent.
81 *
82 * SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in
83 * C_WaitForSlotEvent().
84 * SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code
85 * which polls for token insertion and removal events.
86 * SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is
87 * waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent
88 * should return immediately to it's caller.
89 */
90 #define SECMOD_END_WAIT 0x01
91 #define SECMOD_WAIT_SIMULATED_EVENT 0x02
92 #define SECMOD_WAIT_PKCS11_EVENT 0x04
93
94 struct SECMODModuleListStr {
95 SECMODModuleList *next;
96 SECMODModule *module;
97 };
98
99 struct PK11SlotListStr {
100 PK11SlotListElement *head;
101 PK11SlotListElement *tail;
102 PZLock *lock;
103 };
104
105 struct PK11SlotListElementStr {
106 PK11SlotListElement *next;
107 PK11SlotListElement *prev;
108 PK11SlotInfo *slot;
109 int refCount;
110 };
111
112 struct PK11RSAGenParamsStr {
113 int keySizeInBits;
114 unsigned long pe;
115 };
116
117 typedef enum {
118 PK11CertListUnique = 0, /* get one instance of all certs */
119 PK11CertListUser = 1, /* get all instances of user certs */
120 PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key.
121 * deprecated. Use PK11CertListCAUnique
122 */
123 PK11CertListCA = 3, /* get all instances of CA certs */
124 PK11CertListCAUnique = 4, /* get one instance of CA certs */
125 PK11CertListUserUnique = 5, /* get one instance of user certs */
126 PK11CertListAll = 6 /* get all instances of all certs */
127 } PK11CertListType;
128
129 /*
130 * Entry into the array which lists all the legal bits for the default flags
131 * in the slot, their definition, and the PKCS #11 mechanism they represent.
132 * Always statically allocated.
133 */
134 struct PK11DefaultArrayEntryStr {
135 const char *name;
136 unsigned long flag;
137 unsigned long mechanism; /* this is a long so we don't include the
138 * whole pkcs 11 world to use this header */
139 };
140
141 /*
142 * PK11AttrFlags
143 *
144 * A 32-bit bitmask of PK11_ATTR_XXX flags
145 */
146 typedef PRUint32 PK11AttrFlags;
147
148 /*
149 * PK11_ATTR_XXX
150 *
151 * The following PK11_ATTR_XXX bitflags are used to specify
152 * PKCS #11 object attributes that have Boolean values. Some NSS
153 * functions have a "PK11AttrFlags attrFlags" parameter whose value
154 * is the logical OR of these bitflags. NSS use these bitflags on
155 * private keys or secret keys. Some of these bitflags also apply
156 * to the public keys associated with the private keys.
157 *
158 * For each PKCS #11 object attribute, we need two bitflags to
159 * specify not only "true" and "false" but also "default". For
160 * example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the
161 * CKA_PRIVATE attribute. If PK11_ATTR_PRIVATE is set, we add
162 * { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) }
163 * to the template. If PK11_ATTR_PUBLIC is set, we add
164 * { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) }
165 * to the template. If neither flag is set, we don't add any
166 * CKA_PRIVATE entry to the template.
167 */
168
169 /*
170 * Attributes for PKCS #11 storage objects, which include not only
171 * keys but also certificates and domain parameters.
172 */
173
174 /*
175 * PK11_ATTR_TOKEN
176 * PK11_ATTR_SESSION
177 *
178 * These two flags determine whether the object is a token or
179 * session object.
180 *
181 * These two flags are related and cannot both be set.
182 * If the PK11_ATTR_TOKEN flag is set, the object is a token
183 * object. If the PK11_ATTR_SESSION flag is set, the object is
184 * a session object. If neither flag is set, the object is *by
185 * default* a session object.
186 *
187 * These two flags specify the value of the PKCS #11 CKA_TOKEN
188 * attribute.
189 */
190 #define PK11_ATTR_TOKEN 0x00000001L
191 #define PK11_ATTR_SESSION 0x00000002L
192
193 /*
194 * PK11_ATTR_PRIVATE
195 * PK11_ATTR_PUBLIC
196 *
197 * These two flags determine whether the object is a private or
198 * public object. A user may not access a private object until the
199 * user has authenticated to the token.
200 *
201 * These two flags are related and cannot both be set.
202 * If the PK11_ATTR_PRIVATE flag is set, the object is a private
203 * object. If the PK11_ATTR_PUBLIC flag is set, the object is a
204 * public object. If neither flag is set, it is token-specific
205 * whether the object is private or public.
206 *
207 * These two flags specify the value of the PKCS #11 CKA_PRIVATE
208 * attribute. NSS only uses this attribute on private and secret
209 * keys, so public keys created by NSS get the token-specific
210 * default value of the CKA_PRIVATE attribute.
211 */
212 #define PK11_ATTR_PRIVATE 0x00000004L
213 #define PK11_ATTR_PUBLIC 0x00000008L
214
215 /*
216 * PK11_ATTR_MODIFIABLE
217 * PK11_ATTR_UNMODIFIABLE
218 *
219 * These two flags determine whether the object is modifiable or
220 * read-only.
221 *
222 * These two flags are related and cannot both be set.
223 * If the PK11_ATTR_MODIFIABLE flag is set, the object can be
224 * modified. If the PK11_ATTR_UNMODIFIABLE flag is set, the object
225 * is read-only. If neither flag is set, the object is *by default*
226 * modifiable.
227 *
228 * These two flags specify the value of the PKCS #11 CKA_MODIFIABLE
229 * attribute.
230 */
231 #define PK11_ATTR_MODIFIABLE 0x00000010L
232 #define PK11_ATTR_UNMODIFIABLE 0x00000020L
233
234 /* Attributes for PKCS #11 key objects. */
235
236 /*
237 * PK11_ATTR_SENSITIVE
238 * PK11_ATTR_INSENSITIVE
239 *
240 * These two flags are related and cannot both be set.
241 * If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive.
242 * If the PK11_ATTR_INSENSITIVE flag is set, the key is not
243 * sensitive. If neither flag is set, it is token-specific whether
244 * the key is sensitive or not.
245 *
246 * If a key is sensitive, certain attributes of the key cannot be
247 * revealed in plaintext outside the token.
248 *
249 * This flag specifies the value of the PKCS #11 CKA_SENSITIVE
250 * attribute. Although the default value of the CKA_SENSITIVE
251 * attribute for secret keys is CK_FALSE per PKCS #11, some FIPS
252 * tokens set the default value to CK_TRUE because only CK_TRUE
253 * is allowed. So in practice the default value of this attribute
254 * is token-specific, hence the need for two bitflags.
255 */
256 #define PK11_ATTR_SENSITIVE 0x00000040L
257 #define PK11_ATTR_INSENSITIVE 0x00000080L
258
259 /*
260 * PK11_ATTR_EXTRACTABLE
261 * PK11_ATTR_UNEXTRACTABLE
262 *
263 * These two flags are related and cannot both be set.
264 * If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable
265 * and can be wrapped. If the PK11_ATTR_UNEXTRACTABLE flag is set,
266 * the key is not extractable, and certain attributes of the key
267 * cannot be revealed in plaintext outside the token (just like a
268 * sensitive key). If neither flag is set, it is token-specific
269 * whether the key is extractable or not.
270 *
271 * These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE
272 * attribute.
273 */
274 #define PK11_ATTR_EXTRACTABLE 0x00000100L
275 #define PK11_ATTR_UNEXTRACTABLE 0x00000200L
276
277 /* Cryptographic module types */
278 #define SECMOD_EXTERNAL 0 /* external module */
279 #define SECMOD_INTERNAL 1 /* internal default module */
280 #define SECMOD_FIPS 2 /* internal fips module */
281
282 /* default module configuration strings */
283 #define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]"
284
285 #define SECMOD_MAKE_NSS_FLAGS(fips,slot) \
286 "Flags=internal,critical" fips " slotparams=(" #slot "={" SECMOD_SLOT_FLAGS "})"
287
288 #define SECMOD_INT_NAME "NSS Internal PKCS #11 Module"
289 #define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("",1)
290 #define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
291 #define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips",3)
292
293 /*
294 * What is the origin of a given Key. Normally this doesn't matter, but
295 * the fortezza code needs to know if it needs to invoke the SSL3 fortezza
296 * hack.
297 */
298 typedef enum {
299 PK11_OriginNULL = 0, /* There is not key, it's a null SymKey */
300 PK11_OriginDerive = 1, /* Key was derived from some other key */
301 PK11_OriginGenerated = 2, /* Key was generated (also PBE keys) */
302 PK11_OriginFortezzaHack = 3,/* Key was marked for fortezza hack */
303 PK11_OriginUnwrap = 4 /* Key was unwrapped or decrypted */
304 } PK11Origin;
305
306 /* PKCS #11 disable reasons */
307 typedef enum {
308 PK11_DIS_NONE = 0,
309 PK11_DIS_USER_SELECTED = 1,
310 PK11_DIS_COULD_NOT_INIT_TOKEN = 2,
311 PK11_DIS_TOKEN_VERIFY_FAILED = 3,
312 PK11_DIS_TOKEN_NOT_PRESENT = 4
313 } PK11DisableReasons;
314
315 /* types of PKCS #11 objects
316 * used to identify which NSS data structure is
317 * passed to the PK11_Raw* functions. Types map as follows:
318 * PK11_TypeGeneric PK11GenericObject *
319 * PK11_TypePrivKey SECKEYPrivateKey *
320 * PK11_TypePubKey SECKEYPublicKey *
321 * PK11_TypeSymKey PK11SymKey *
322 * PK11_TypeCert CERTCertificate * (currently not used).
323 */
324 typedef enum {
325 PK11_TypeGeneric = 0,
326 PK11_TypePrivKey = 1,
327 PK11_TypePubKey = 2,
328 PK11_TypeCert = 3,
329 PK11_TypeSymKey = 4
330 } PK11ObjectType;
331
332
333
334 /* function pointer type for password callback function.
335 * This type is passed in to PK11_SetPasswordFunc()
336 */
337 typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg);
338 typedef PRBool (PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg);
339 typedef PRBool (PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg);
340
341 /*
342 * Special strings the password callback function can return only if
343 * the slot is an protected auth path slot.
344 */
345 #define PK11_PW_RETRY "RETRY" /* an failed attempt to authenticate
346 * has already been made, just retry
347 * the operation */
348 #define PK11_PW_AUTHENTICATED "AUTH" /* a successful attempt to authenticate
349 * has completed. Continue without
350 * another call to C_Login */
351 /* All other non-null values mean that that NSS could call C_Login to force
352 * the authentication. The following define is to aid applications in
353 * documenting that is what it's trying to do */
354 #define PK11_PW_TRY "TRY" /* Default: a prompt has been presented
355 * to the user, initiate a C_Login
356 * to authenticate the token */
357
358 /*
359 * PKCS #11 key structures
360 */
361
362 /*
363 ** Attributes
364 */
365 struct SECKEYAttributeStr {
366 SECItem attrType;
367 SECItem **attrValue;
368 };
369 typedef struct SECKEYAttributeStr SECKEYAttribute;
370
371 /*
372 ** A PKCS#8 private key info object
373 */
374 struct SECKEYPrivateKeyInfoStr {
375 PLArenaPool *arena;
376 SECItem version;
377 SECAlgorithmID algorithm;
378 SECItem privateKey;
379 SECKEYAttribute **attributes;
380 };
381 typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo;
382
383 /*
384 ** A PKCS#8 private key info object
385 */
386 struct SECKEYEncryptedPrivateKeyInfoStr {
387 PLArenaPool *arena;
388 SECAlgorithmID algorithm;
389 SECItem encryptedData;
390 };
391 typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo;
392
393 /*
394 * token removal detection
395 */
396 typedef enum {
397 PK11TokenNotRemovable = 0,
398 PK11TokenPresent = 1,
399 PK11TokenChanged = 2,
400 PK11TokenRemoved = 3
401 } PK11TokenStatus;
402
403 typedef enum {
404 PK11TokenRemovedOrChangedEvent = 0,
405 PK11TokenPresentEvent = 1
406 } PK11TokenEvent;
407
408 /*
409 * CRL Import Flags
410 */
411 #define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000
412 #define CRL_IMPORT_BYPASS_CHECKS 0x00000001
413
414
415 /*
416 * Merge Error Log
417 */
418 typedef struct PK11MergeLogStr PK11MergeLog;
419 typedef struct PK11MergeLogNodeStr PK11MergeLogNode;
420
421 /* These need to be global, leave some open fields so we can 'expand'
422 * these without breaking binary compatibility */
423 struct PK11MergeLogNodeStr {
424 PK11MergeLogNode *next; /* next entry in the list */
425 PK11MergeLogNode *prev; /* last entry in the list */
426 PK11GenericObject *object; /* object that failed */
427 int error; /* what the error was */
428 CK_RV reserved1;
429 unsigned long reserved2; /* future flags */
430 unsigned long reserved3; /* future scalar */
431 void *reserved4; /* future pointer */
432 void *reserved5; /* future expansion pointer */
433 };
434
435 struct PK11MergeLogStr {
436 PK11MergeLogNode *head;
437 PK11MergeLogNode *tail;
438 PLArenaPool *arena;
439 int version;
440 unsigned long reserved1;
441 unsigned long reserved2;
442 unsigned long reserved3;
443 void *reserverd4;
444 void *reserverd5;
445 };
446
447
448 #endif /*_SECMODT_H_ */
This site is hosted by Intevation GmbH (Datenschutzerklärung und Impressum | Privacy Policy and Imprint)