trustbridge/nss-cmake-static: nss/lib/pk11wrap/secmodt.h comparison

comparison nss/lib/pk11wrap/secmodt.h @ 0:1e5118fa0cb1

This is NSS with a Cmake Buildsyste To compile a static NSS library for Windows we've used the Chromium-NSS fork and added a Cmake buildsystem to compile it statically for Windows. See README.chromium for chromium changes and README.trustbridge for our modifications.

author	Andre Heinecke <andre.heinecke@intevation.de>
date	Mon, 28 Jul 2014 10:47:06 +0200
parents
children

comparison

equal deleted inserted replaced

--1:000000000000
+:1e5118fa0cb1
+/* This Source Code Form is subject to the terms of the Mozilla Public
+* License, v. 2.0. If a copy of the MPL was not distributed with this
+* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#ifndef _SECMODT_H_
+#define _SECMODT_H_ 1
+#include "nssrwlkt.h"
+#include "nssilckt.h"
+#include "secoid.h"
+#include "secasn1.h"
+#include "pkcs11t.h"
+#include "utilmodt.h"
+SEC_BEGIN_PROTOS
+/* find a better home for these... */
+extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
+SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate)
+extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
+SEC_ASN1_CHOOSER_DECLARE(SECKEY_EncryptedPrivateKeyInfoTemplate)
+extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
+SEC_ASN1_CHOOSER_DECLARE(SECKEY_PrivateKeyInfoTemplate)
+extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
+SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToPrivateKeyInfoTemplate)
+SEC_END_PROTOS
+/* PKCS11 needs to be included */
+typedef struct SECMODModuleStr SECMODModule;
+typedef struct SECMODModuleListStr SECMODModuleList;
+typedef NSSRWLock SECMODListLock;
+typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */
+typedef struct NSSUTILPreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */
+typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */
+typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */
+typedef struct PK11SlotListStr PK11SlotList;
+typedef struct PK11SlotListElementStr PK11SlotListElement;
+typedef struct PK11RSAGenParamsStr PK11RSAGenParams;
+typedef unsigned long SECMODModuleID;
+typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry;
+typedef struct PK11GenericObjectStr PK11GenericObject;
+typedef void (*PK11FreeDataFunc)(void *);
+struct SECMODModuleStr {
+PLArenaPool	*arena;
+PRBool	internal;	/* true of internally linked modules, false
+				 * for the loaded modules */
+PRBool	loaded;		/* Set to true if module has been loaded */
+PRBool	isFIPS;		/* Set to true if module is finst internal */
+char	*dllName;	/* name of the shared library which implements
+				 * this module */
+char	*commonName;	/* name of the module to display to the user */
+void	*library;	/* pointer to the library. opaque. used only by
+				 * pk11load.c */
+void	*functionList; /* The PKCS #11 function table */
+PZLock	*refLock;	/* only used pk11db.c */
+int		refCount;	/* Module reference count */
+PK11SlotInfo **slots;	/* array of slot points attached to this mod*/
+int		slotCount;	/* count of slot in above array */
+PK11PreSlotInfo *slotInfo;	/* special info about slots default settings */
+int		slotInfoCount;  /* count */
+SECMODModuleID moduleID;	/* ID so we can find this module again */
+PRBool	isThreadSafe;
+unsigned long ssl[2];	/* SSL cipher enable flags */
+char	*libraryParams;  /* Module specific parameters */
+void *moduleDBFunc; /* function to return module configuration data*/
+SECMODModule *parent;	/* module that loaded us */
+PRBool	isCritical;	/* This module must load successfully */
+PRBool	isModuleDB;	/* this module has lists of PKCS #11 modules */
+PRBool	moduleDBOnly;	/* this module only has lists of PKCS #11 modules */
+int		trustOrder;	/* order for this module's certificate trust rollup */
+int		cipherOrder;	/* order for cipher operations */
+unsigned long evControlMask; /* control the running and shutdown of slot
+				  * events (SECMOD_WaitForAnyTokenEvent) */
+CK_VERSION  cryptokiVersion; /* version of this library */
+};
+/* evControlMask flags */
+/*
+* These bits tell the current state of a SECMOD_WaitForAnyTokenEvent.
+*
+* SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in
+*  C_WaitForSlotEvent().
+* SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code
+*  which polls for token insertion and removal events.
+* SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is
+*  waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent
+*  should return immediately to it's caller.
+*/
+#define SECMOD_END_WAIT 	    0x01
+#define SECMOD_WAIT_SIMULATED_EVENT 0x02
+#define SECMOD_WAIT_PKCS11_EVENT    0x04
+struct SECMODModuleListStr {
+SECMODModuleList	*next;
+SECMODModule	*module;
+};
+struct PK11SlotListStr {
+PK11SlotListElement *head;
+PK11SlotListElement *tail;
+PZLock *lock;
+};
+struct PK11SlotListElementStr {
+PK11SlotListElement *next;
+PK11SlotListElement *prev;
+PK11SlotInfo *slot;
+int refCount;
+};
+struct PK11RSAGenParamsStr {
+int keySizeInBits;
+unsigned long pe;
+};
+typedef enum {
+PK11CertListUnique = 0,     /* get one instance of all certs */
+PK11CertListUser = 1,       /* get all instances of user certs */
+PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key.
+* deprecated. Use PK11CertListCAUnique
+*/
+PK11CertListCA = 3,         /* get all instances of CA certs */
+PK11CertListCAUnique = 4,   /* get one instance of CA certs */
+PK11CertListUserUnique = 5, /* get one instance of user certs */
+PK11CertListAll = 6         /* get all instances of all certs */
+} PK11CertListType;
+/*
+* Entry into the array which lists all the legal bits for the default flags
+* in the slot, their definition, and the PKCS #11 mechanism they represent.
+* Always statically allocated.
+*/
+struct PK11DefaultArrayEntryStr {
+const char *name;
+unsigned long flag;
+unsigned long mechanism; /* this is a long so we don't include the
+			      * whole pkcs 11 world to use this header */
+};
+/*
+* PK11AttrFlags
+*
+* A 32-bit bitmask of PK11_ATTR_XXX flags
+*/
+typedef PRUint32 PK11AttrFlags;
+/*
+* PK11_ATTR_XXX
+*
+* The following PK11_ATTR_XXX bitflags are used to specify
+* PKCS #11 object attributes that have Boolean values.  Some NSS
+* functions have a "PK11AttrFlags attrFlags" parameter whose value
+* is the logical OR of these bitflags.  NSS use these bitflags on
+* private keys or secret keys.  Some of these bitflags also apply
+* to the public keys associated with the private keys.
+*
+* For each PKCS #11 object attribute, we need two bitflags to
+* specify not only "true" and "false" but also "default".  For
+* example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the
+* CKA_PRIVATE attribute.  If PK11_ATTR_PRIVATE is set, we add
+*     { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) }
+* to the template.  If PK11_ATTR_PUBLIC is set, we add
+*     { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) }
+* to the template.  If neither flag is set, we don't add any
+* CKA_PRIVATE entry to the template.
+*/
+/*
+* Attributes for PKCS #11 storage objects, which include not only
+* keys but also certificates and domain parameters.
+*/
+/*
+* PK11_ATTR_TOKEN
+* PK11_ATTR_SESSION
+*
+* These two flags determine whether the object is a token or
+* session object.
+*
+* These two flags are related and cannot both be set.
+* If the PK11_ATTR_TOKEN flag is set, the object is a token
+* object.  If the PK11_ATTR_SESSION flag is set, the object is
+* a session object.  If neither flag is set, the object is *by
+* default* a session object.
+*
+* These two flags specify the value of the PKCS #11 CKA_TOKEN
+* attribute.
+*/
+#define PK11_ATTR_TOKEN         0x00000001L
+#define PK11_ATTR_SESSION       0x00000002L
+/*
+* PK11_ATTR_PRIVATE
+* PK11_ATTR_PUBLIC
+*
+* These two flags determine whether the object is a private or
+* public object.  A user may not access a private object until the
+* user has authenticated to the token.
+*
+* These two flags are related and cannot both be set.
+* If the PK11_ATTR_PRIVATE flag is set, the object is a private
+* object.  If the PK11_ATTR_PUBLIC flag is set, the object is a
+* public object.  If neither flag is set, it is token-specific
+* whether the object is private or public.
+*
+* These two flags specify the value of the PKCS #11 CKA_PRIVATE
+* attribute.  NSS only uses this attribute on private and secret
+* keys, so public keys created by NSS get the token-specific
+* default value of the CKA_PRIVATE attribute.
+*/
+#define PK11_ATTR_PRIVATE       0x00000004L
+#define PK11_ATTR_PUBLIC        0x00000008L
+/*
+* PK11_ATTR_MODIFIABLE
+* PK11_ATTR_UNMODIFIABLE
+*
+* These two flags determine whether the object is modifiable or
+* read-only.
+*
+* These two flags are related and cannot both be set.
+* If the PK11_ATTR_MODIFIABLE flag is set, the object can be
+* modified.  If the PK11_ATTR_UNMODIFIABLE flag is set, the object
+* is read-only.  If neither flag is set, the object is *by default*
+* modifiable.
+*
+* These two flags specify the value of the PKCS #11 CKA_MODIFIABLE
+* attribute.
+*/
+#define PK11_ATTR_MODIFIABLE    0x00000010L
+#define PK11_ATTR_UNMODIFIABLE  0x00000020L
+/* Attributes for PKCS #11 key objects. */
+/*
+* PK11_ATTR_SENSITIVE
+* PK11_ATTR_INSENSITIVE
+*
+* These two flags are related and cannot both be set.
+* If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive.
+* If the PK11_ATTR_INSENSITIVE flag is set, the key is not
+* sensitive.  If neither flag is set, it is token-specific whether
+* the key is sensitive or not.
+*
+* If a key is sensitive, certain attributes of the key cannot be
+* revealed in plaintext outside the token.
+*
+* This flag specifies the value of the PKCS #11 CKA_SENSITIVE
+* attribute.  Although the default value of the CKA_SENSITIVE
+* attribute for secret keys is CK_FALSE per PKCS #11, some FIPS
+* tokens set the default value to CK_TRUE because only CK_TRUE
+* is allowed.  So in practice the default value of this attribute
+* is token-specific, hence the need for two bitflags.
+*/
+#define PK11_ATTR_SENSITIVE     0x00000040L
+#define PK11_ATTR_INSENSITIVE   0x00000080L
+/*
+* PK11_ATTR_EXTRACTABLE
+* PK11_ATTR_UNEXTRACTABLE
+*
+* These two flags are related and cannot both be set.
+* If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable
+* and can be wrapped.  If the PK11_ATTR_UNEXTRACTABLE flag is set,
+* the key is not extractable, and certain attributes of the key
+* cannot be revealed in plaintext outside the token (just like a
+* sensitive key).  If neither flag is set, it is token-specific
+* whether the key is extractable or not.
+*
+* These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE
+* attribute.
+*/
+#define PK11_ATTR_EXTRACTABLE   0x00000100L
+#define PK11_ATTR_UNEXTRACTABLE 0x00000200L
+/* Cryptographic module types */
+#define SECMOD_EXTERNAL	0	/* external module */
+#define SECMOD_INTERNAL 1	/* internal default module */
+#define SECMOD_FIPS	2	/* internal fips module */
+/* default module configuration strings */
+#define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]"
+#define SECMOD_MAKE_NSS_FLAGS(fips,slot) \
+"Flags=internal,critical" fips " slotparams=(" #slot "={" SECMOD_SLOT_FLAGS "})"
+#define SECMOD_INT_NAME "NSS Internal PKCS #11 Module"
+#define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("",1)
+#define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
+#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips",3)
+/*
+* What is the origin of a given Key. Normally this doesn't matter, but
+* the fortezza code needs to know if it needs to invoke the SSL3 fortezza
+* hack.
+*/
+typedef enum {
+PK11_OriginNULL = 0,	/* There is not key, it's a null SymKey */
+PK11_OriginDerive = 1,	/* Key was derived from some other key */
+PK11_OriginGenerated = 2,	/* Key was generated (also PBE keys) */
+PK11_OriginFortezzaHack = 3,/* Key was marked for fortezza hack */
+PK11_OriginUnwrap = 4	/* Key was unwrapped or decrypted */
+} PK11Origin;
+/* PKCS #11 disable reasons */
+typedef enum {
+PK11_DIS_NONE = 0,
+PK11_DIS_USER_SELECTED = 1,
+PK11_DIS_COULD_NOT_INIT_TOKEN = 2,
+PK11_DIS_TOKEN_VERIFY_FAILED = 3,
+PK11_DIS_TOKEN_NOT_PRESENT = 4
+} PK11DisableReasons;
+/* types of PKCS #11 objects
+* used to identify which NSS data structure is
+* passed to the PK11_Raw* functions. Types map as follows:
+*   PK11_TypeGeneric            PK11GenericObject *
+*   PK11_TypePrivKey            SECKEYPrivateKey *
+*   PK11_TypePubKey             SECKEYPublicKey *
+*   PK11_TypeSymKey             PK11SymKey *
+*   PK11_TypeCert               CERTCertificate * (currently not used).
+*/
+typedef enum {
+PK11_TypeGeneric = 0,
+PK11_TypePrivKey = 1,
+PK11_TypePubKey = 2,
+PK11_TypeCert = 3,
+PK11_TypeSymKey = 4
+} PK11ObjectType;
+/* function pointer type for password callback function.
+* This type is passed in to PK11_SetPasswordFunc()
+*/
+typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg);
+typedef PRBool (PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg);
+typedef PRBool (PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg);
+/*
+* Special strings the password callback function can return only if
+* the slot is an protected auth path slot.
+*/
+#define PK11_PW_RETRY		"RETRY"	/* an failed attempt to authenticate
+					 * has already been made, just retry
+					 * the operation */
+#define PK11_PW_AUTHENTICATED	"AUTH"  /* a successful attempt to authenticate
+					 * has completed. Continue without
+					 * another call to C_Login */
+/* All other non-null values mean that that NSS could call C_Login to force
+* the authentication. The following define is to aid applications in
+* documenting that is what it's trying to do */
+#define PK11_PW_TRY		"TRY"   /* Default: a prompt has been presented
+					 * to the user, initiate a C_Login
+					 * to authenticate the token */
+/*
+* PKCS #11 key structures
+*/
+/*
+** Attributes
+*/
+struct SECKEYAttributeStr {
+SECItem attrType;
+SECItem **attrValue;
+};
+typedef struct SECKEYAttributeStr SECKEYAttribute;
+/*
+** A PKCS#8 private key info object
+*/
+struct SECKEYPrivateKeyInfoStr {
+PLArenaPool *arena;
+SECItem version;
+SECAlgorithmID algorithm;
+SECItem privateKey;
+SECKEYAttribute **attributes;
+};
+typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo;
+/*
+** A PKCS#8 private key info object
+*/
+struct SECKEYEncryptedPrivateKeyInfoStr {
+PLArenaPool *arena;
+SECAlgorithmID algorithm;
+SECItem encryptedData;
+};
+typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo;
+/*
+* token removal detection
+*/
+typedef enum {
+PK11TokenNotRemovable = 0,
+PK11TokenPresent = 1,
+PK11TokenChanged = 2,
+PK11TokenRemoved = 3
+} PK11TokenStatus;
+typedef enum {
+PK11TokenRemovedOrChangedEvent = 0,
+PK11TokenPresentEvent = 1
+} PK11TokenEvent;
+/*
+* CRL Import Flags
+*/
+#define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000
+#define CRL_IMPORT_BYPASS_CHECKS   0x00000001
+/*
+* Merge Error Log
+*/
+typedef struct PK11MergeLogStr PK11MergeLog;
+typedef struct PK11MergeLogNodeStr PK11MergeLogNode;
+/* These need to be global, leave some open fields so we can 'expand'
+* these without breaking binary compatibility */
+struct PK11MergeLogNodeStr {
+PK11MergeLogNode *next;   /* next entry in the list */
+PK11MergeLogNode *prev;   /* last entry in the list */
+PK11GenericObject *object; /* object that failed */
+int	error;		       /* what the error was */
+CK_RV reserved1;
+unsigned long reserved2; /* future flags */
+unsigned long reserved3; /* future scalar */
+void *reserved4; 	      /* future pointer */
+void *reserved5;	      /* future expansion pointer */
+};
+struct PK11MergeLogStr {
+PK11MergeLogNode *head;
+PK11MergeLogNode *tail;
+PLArenaPool *arena;
+int version;
+unsigned long reserved1;
+unsigned long reserved2;
+unsigned long reserved3;
+void *reserverd4;
+void *reserverd5;
+};
+#endif /*_SECMODT_H_ */

Mercurial > trustbridge > nss-cmake-static

comparison nss/lib/pk11wrap/secmodt.h @ 0:1e5118fa0cb1