andre@0: /* This Source Code Form is subject to the terms of the Mozilla Public andre@0: * License, v. 2.0. If a copy of the MPL was not distributed with this andre@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ andre@0: andre@0: #ifndef _PKCS11N_H_ andre@0: #define _PKCS11N_H_ andre@0: andre@0: /* andre@0: * pkcs11n.h andre@0: * andre@0: * This file contains the NSS-specific type definitions for Cryptoki andre@0: * (PKCS#11). andre@0: */ andre@0: andre@0: /* andre@0: * NSSCK_VENDOR_NSS andre@0: * andre@0: * Cryptoki reserves the high half of all the number spaces for andre@0: * vendor-defined use. I'd like to keep all of our NSS- andre@0: * specific values together, but not in the oh-so-obvious andre@0: * 0x80000001, 0x80000002, etc. area. So I've picked an offset, andre@0: * and constructed values for the beginnings of our spaces. andre@0: * andre@0: * Note that some "historical" Netscape values don't fall within andre@0: * this range. andre@0: */ andre@0: #define NSSCK_VENDOR_NSS 0x4E534350 /* NSCP */ andre@0: andre@0: /* andre@0: * NSS-defined object classes andre@0: * andre@0: */ andre@0: #define CKO_NSS (CKO_VENDOR_DEFINED|NSSCK_VENDOR_NSS) andre@0: andre@0: #define CKO_NSS_CRL (CKO_NSS + 1) andre@0: #define CKO_NSS_SMIME (CKO_NSS + 2) andre@0: #define CKO_NSS_TRUST (CKO_NSS + 3) andre@0: #define CKO_NSS_BUILTIN_ROOT_LIST (CKO_NSS + 4) andre@0: #define CKO_NSS_NEWSLOT (CKO_NSS + 5) andre@0: #define CKO_NSS_DELSLOT (CKO_NSS + 6) andre@0: andre@0: andre@0: /* andre@0: * NSS-defined key types andre@0: * andre@0: */ andre@0: #define CKK_NSS (CKK_VENDOR_DEFINED|NSSCK_VENDOR_NSS) andre@0: andre@0: #define CKK_NSS_PKCS8 (CKK_NSS + 1) andre@0: andre@0: #define CKK_NSS_JPAKE_ROUND1 (CKK_NSS + 2) andre@0: #define CKK_NSS_JPAKE_ROUND2 (CKK_NSS + 3) andre@0: andre@0: #define CKK_NSS_CHACHA20 (CKK_NSS + 4) andre@0: andre@0: /* andre@0: * NSS-defined certificate types andre@0: * andre@0: */ andre@0: #define CKC_NSS (CKC_VENDOR_DEFINED|NSSCK_VENDOR_NSS) andre@0: andre@0: /* FAKE PKCS #11 defines */ andre@0: #define CKA_DIGEST 0x81000000L andre@0: #define CKA_FLAGS_ONLY 0 /* CKA_CLASS */ andre@0: andre@0: /* andre@0: * NSS-defined object attributes andre@0: * andre@0: */ andre@0: #define CKA_NSS (CKA_VENDOR_DEFINED|NSSCK_VENDOR_NSS) andre@0: andre@0: #define CKA_NSS_URL (CKA_NSS + 1) andre@0: #define CKA_NSS_EMAIL (CKA_NSS + 2) andre@0: #define CKA_NSS_SMIME_INFO (CKA_NSS + 3) andre@0: #define CKA_NSS_SMIME_TIMESTAMP (CKA_NSS + 4) andre@0: #define CKA_NSS_PKCS8_SALT (CKA_NSS + 5) andre@0: #define CKA_NSS_PASSWORD_CHECK (CKA_NSS + 6) andre@0: #define CKA_NSS_EXPIRES (CKA_NSS + 7) andre@0: #define CKA_NSS_KRL (CKA_NSS + 8) andre@0: andre@0: #define CKA_NSS_PQG_COUNTER (CKA_NSS + 20) andre@0: #define CKA_NSS_PQG_SEED (CKA_NSS + 21) andre@0: #define CKA_NSS_PQG_H (CKA_NSS + 22) andre@0: #define CKA_NSS_PQG_SEED_BITS (CKA_NSS + 23) andre@0: #define CKA_NSS_MODULE_SPEC (CKA_NSS + 24) andre@0: #define CKA_NSS_OVERRIDE_EXTENSIONS (CKA_NSS + 25) andre@0: andre@0: #define CKA_NSS_JPAKE_SIGNERID (CKA_NSS + 26) andre@0: #define CKA_NSS_JPAKE_PEERID (CKA_NSS + 27) andre@0: #define CKA_NSS_JPAKE_GX1 (CKA_NSS + 28) andre@0: #define CKA_NSS_JPAKE_GX2 (CKA_NSS + 29) andre@0: #define CKA_NSS_JPAKE_GX3 (CKA_NSS + 30) andre@0: #define CKA_NSS_JPAKE_GX4 (CKA_NSS + 31) andre@0: #define CKA_NSS_JPAKE_X2 (CKA_NSS + 32) andre@0: #define CKA_NSS_JPAKE_X2S (CKA_NSS + 33) andre@0: andre@0: /* andre@0: * Trust attributes: andre@0: * andre@0: * If trust goes standard, these probably will too. So I'll andre@0: * put them all in one place. andre@0: */ andre@0: andre@0: #define CKA_TRUST (CKA_NSS + 0x2000) andre@0: andre@0: /* "Usage" key information */ andre@0: #define CKA_TRUST_DIGITAL_SIGNATURE (CKA_TRUST + 1) andre@0: #define CKA_TRUST_NON_REPUDIATION (CKA_TRUST + 2) andre@0: #define CKA_TRUST_KEY_ENCIPHERMENT (CKA_TRUST + 3) andre@0: #define CKA_TRUST_DATA_ENCIPHERMENT (CKA_TRUST + 4) andre@0: #define CKA_TRUST_KEY_AGREEMENT (CKA_TRUST + 5) andre@0: #define CKA_TRUST_KEY_CERT_SIGN (CKA_TRUST + 6) andre@0: #define CKA_TRUST_CRL_SIGN (CKA_TRUST + 7) andre@0: andre@0: /* "Purpose" trust information */ andre@0: #define CKA_TRUST_SERVER_AUTH (CKA_TRUST + 8) andre@0: #define CKA_TRUST_CLIENT_AUTH (CKA_TRUST + 9) andre@0: #define CKA_TRUST_CODE_SIGNING (CKA_TRUST + 10) andre@0: #define CKA_TRUST_EMAIL_PROTECTION (CKA_TRUST + 11) andre@0: #define CKA_TRUST_IPSEC_END_SYSTEM (CKA_TRUST + 12) andre@0: #define CKA_TRUST_IPSEC_TUNNEL (CKA_TRUST + 13) andre@0: #define CKA_TRUST_IPSEC_USER (CKA_TRUST + 14) andre@0: #define CKA_TRUST_TIME_STAMPING (CKA_TRUST + 15) andre@0: #define CKA_TRUST_STEP_UP_APPROVED (CKA_TRUST + 16) andre@0: andre@0: #define CKA_CERT_SHA1_HASH (CKA_TRUST + 100) andre@0: #define CKA_CERT_MD5_HASH (CKA_TRUST + 101) andre@0: andre@0: /* NSS trust stuff */ andre@0: andre@0: /* HISTORICAL: define used to pass in the database key for DSA private keys */ andre@0: #define CKA_NETSCAPE_DB 0xD5A0DB00L andre@0: #define CKA_NETSCAPE_TRUST 0x80000001L andre@0: andre@0: /* FAKE PKCS #11 defines */ andre@0: #define CKM_FAKE_RANDOM 0x80000efeUL andre@0: #define CKM_INVALID_MECHANISM 0xffffffffUL andre@0: andre@0: /* andre@0: * NSS-defined crypto mechanisms andre@0: * andre@0: */ andre@0: #define CKM_NSS (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NSS) andre@0: andre@0: #define CKM_NSS_AES_KEY_WRAP (CKM_NSS + 1) andre@0: #define CKM_NSS_AES_KEY_WRAP_PAD (CKM_NSS + 2) andre@0: andre@0: /* HKDF key derivation mechanisms. See CK_NSS_HKDFParams for documentation. */ andre@0: #define CKM_NSS_HKDF_SHA1 (CKM_NSS + 3) andre@0: #define CKM_NSS_HKDF_SHA256 (CKM_NSS + 4) andre@0: #define CKM_NSS_HKDF_SHA384 (CKM_NSS + 5) andre@0: #define CKM_NSS_HKDF_SHA512 (CKM_NSS + 6) andre@0: andre@0: /* J-PAKE round 1 key generation mechanisms. andre@0: * andre@0: * Required template attributes: CKA_PRIME, CKA_SUBPRIME, CKA_BASE, andre@0: * CKA_NSS_JPAKE_SIGNERID andre@0: * Output key type: CKK_NSS_JPAKE_ROUND1 andre@0: * Output key class: CKO_PRIVATE_KEY andre@0: * Parameter type: CK_NSS_JPAKERound1Params andre@0: * andre@0: */ andre@0: #define CKM_NSS_JPAKE_ROUND1_SHA1 (CKM_NSS + 7) andre@0: #define CKM_NSS_JPAKE_ROUND1_SHA256 (CKM_NSS + 8) andre@0: #define CKM_NSS_JPAKE_ROUND1_SHA384 (CKM_NSS + 9) andre@0: #define CKM_NSS_JPAKE_ROUND1_SHA512 (CKM_NSS + 10) andre@0: andre@0: /* J-PAKE round 2 key derivation mechanisms. andre@0: * andre@0: * Required template attributes: CKA_NSS_JPAKE_PEERID andre@0: * Input key type: CKK_NSS_JPAKE_ROUND1 andre@0: * Output key type: CKK_NSS_JPAKE_ROUND2 andre@0: * Output key class: CKO_PRIVATE_KEY andre@0: * Parameter type: CK_NSS_JPAKERound2Params andre@0: */ andre@0: #define CKM_NSS_JPAKE_ROUND2_SHA1 (CKM_NSS + 11) andre@0: #define CKM_NSS_JPAKE_ROUND2_SHA256 (CKM_NSS + 12) andre@0: #define CKM_NSS_JPAKE_ROUND2_SHA384 (CKM_NSS + 13) andre@0: #define CKM_NSS_JPAKE_ROUND2_SHA512 (CKM_NSS + 14) andre@0: andre@0: /* J-PAKE final key material derivation mechanisms andre@0: * andre@0: * Input key type: CKK_NSS_JPAKE_ROUND2 andre@0: * Output key type: CKK_GENERIC_SECRET andre@0: * Output key class: CKO_SECRET_KEY andre@0: * Parameter type: CK_NSS_JPAKEFinalParams andre@0: * andre@0: * You must apply a KDF (e.g. CKM_NSS_HKDF_*) to resultant keying material andre@0: * to get a key with uniformly distributed bits. andre@0: */ andre@0: #define CKM_NSS_JPAKE_FINAL_SHA1 (CKM_NSS + 15) andre@0: #define CKM_NSS_JPAKE_FINAL_SHA256 (CKM_NSS + 16) andre@0: #define CKM_NSS_JPAKE_FINAL_SHA384 (CKM_NSS + 17) andre@0: #define CKM_NSS_JPAKE_FINAL_SHA512 (CKM_NSS + 18) andre@0: andre@0: /* Constant-time MAC mechanisms: andre@0: * andre@0: * These operations verify a padded, MAC-then-encrypt block of data in andre@0: * constant-time. Because of the order of operations, the padding bytes are not andre@0: * protected by the MAC. However, disclosing the value of the padding bytes andre@0: * gives an attacker the ability to decrypt ciphertexts. Such disclosure can be andre@0: * as subtle as taking slightly less time to perform the MAC when the padding andre@0: * is one byte longer. See https://www.isg.rhul.ac.uk/tls/ andre@0: * andre@0: * CKM_NSS_HMAC_CONSTANT_TIME: performs an HMAC authentication. andre@0: * CKM_NSS_SSL3_MAC_CONSTANT_TIME: performs an authentication with SSLv3 MAC. andre@0: * andre@0: * Parameter type: CK_NSS_MAC_CONSTANT_TIME_PARAMS andre@0: */ andre@0: #define CKM_NSS_HMAC_CONSTANT_TIME (CKM_NSS + 19) andre@0: #define CKM_NSS_SSL3_MAC_CONSTANT_TIME (CKM_NSS + 20) andre@0: andre@0: /* TLS 1.2 mechanisms */ andre@0: #define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21) andre@0: #define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22) andre@0: #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23) andre@0: #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) andre@0: andre@0: #define CKM_NSS_CHACHA20_KEY_GEN (CKM_NSS + 25) andre@0: #define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 26) andre@0: andre@0: /* andre@0: * HISTORICAL: andre@0: * Do not attempt to use these. They are only used by NETSCAPE's internal andre@0: * PKCS #11 interface. Most of these are place holders for other mechanism andre@0: * and will change in the future. andre@0: */ andre@0: #define CKM_NETSCAPE_PBE_SHA1_DES_CBC 0x80000002UL andre@0: #define CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC 0x80000003UL andre@0: #define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC 0x80000004UL andre@0: #define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC 0x80000005UL andre@0: #define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4 0x80000006UL andre@0: #define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4 0x80000007UL andre@0: #define CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC 0x80000008UL andre@0: #define CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN 0x80000009UL andre@0: #define CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN 0x8000000aUL andre@0: #define CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN 0x8000000bUL andre@0: andre@0: #define CKM_TLS_PRF_GENERAL 0x80000373UL andre@0: andre@0: typedef struct CK_NSS_JPAKEPublicValue { andre@0: CK_BYTE * pGX; andre@0: CK_ULONG ulGXLen; andre@0: CK_BYTE * pGV; andre@0: CK_ULONG ulGVLen; andre@0: CK_BYTE * pR; andre@0: CK_ULONG ulRLen; andre@0: } CK_NSS_JPAKEPublicValue; andre@0: andre@0: typedef struct CK_NSS_JPAKERound1Params { andre@0: CK_NSS_JPAKEPublicValue gx1; /* out */ andre@0: CK_NSS_JPAKEPublicValue gx2; /* out */ andre@0: } CK_NSS_JPAKERound1Params; andre@0: andre@0: typedef struct CK_NSS_JPAKERound2Params { andre@0: CK_BYTE * pSharedKey; /* in */ andre@0: CK_ULONG ulSharedKeyLen; /* in */ andre@0: CK_NSS_JPAKEPublicValue gx3; /* in */ andre@0: CK_NSS_JPAKEPublicValue gx4; /* in */ andre@0: CK_NSS_JPAKEPublicValue A; /* out */ andre@0: } CK_NSS_JPAKERound2Params; andre@0: andre@0: typedef struct CK_NSS_JPAKEFinalParams { andre@0: CK_NSS_JPAKEPublicValue B; /* in */ andre@0: } CK_NSS_JPAKEFinalParams; andre@0: andre@0: /* macAlg: the MAC algorithm to use. This determines the hash function used in andre@0: * the HMAC/SSLv3 MAC calculations. andre@0: * ulBodyTotalLen: the total length of the data, including padding bytes and andre@0: * padding length. andre@0: * pHeader: points to a block of data that contains additional data to andre@0: * authenticate. For TLS this includes the sequence number etc. For SSLv3, andre@0: * this also includes the initial padding bytes. andre@0: * andre@0: * NOTE: the softoken's implementation of CKM_NSS_HMAC_CONSTANT_TIME and andre@0: * CKM_NSS_SSL3_MAC_CONSTANT_TIME requires that the sum of ulBodyTotalLen andre@0: * and ulHeaderLen be much smaller than 2^32 / 8 bytes because it uses an andre@0: * unsigned int variable to represent the length in bits. This should not andre@0: * be a problem because the SSL/TLS protocol limits the size of an SSL andre@0: * record to something considerably less than 2^32 bytes. andre@0: */ andre@0: typedef struct CK_NSS_MAC_CONSTANT_TIME_PARAMS { andre@0: CK_MECHANISM_TYPE macAlg; /* in */ andre@0: CK_ULONG ulBodyTotalLen; /* in */ andre@0: CK_BYTE * pHeader; /* in */ andre@0: CK_ULONG ulHeaderLen; /* in */ andre@0: } CK_NSS_MAC_CONSTANT_TIME_PARAMS; andre@0: andre@0: typedef struct CK_NSS_AEAD_PARAMS { andre@0: CK_BYTE_PTR pIv; /* This is the nonce. */ andre@0: CK_ULONG ulIvLen; andre@0: CK_BYTE_PTR pAAD; andre@0: CK_ULONG ulAADLen; andre@0: CK_ULONG ulTagLen; andre@0: } CK_NSS_AEAD_PARAMS; andre@0: andre@0: /* andre@0: * NSS-defined return values andre@0: * andre@0: */ andre@0: #define CKR_NSS (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NSS) andre@0: andre@0: #define CKR_NSS_CERTDB_FAILED (CKR_NSS + 1) andre@0: #define CKR_NSS_KEYDB_FAILED (CKR_NSS + 2) andre@0: andre@0: /* Mandatory parameter for the CKM_NSS_HKDF_* key deriviation mechanisms. andre@0: See RFC 5869. andre@0: andre@0: bExtract: If set, HKDF-Extract will be applied to the input key. If andre@0: the optional salt is given, it is used; otherwise, the salt is andre@0: set to a sequence of zeros equal in length to the HMAC output. andre@0: If bExpand is not set, then the key template given to andre@0: C_DeriveKey must indicate an output key size less than or equal andre@0: to the output size of the HMAC. andre@0: andre@0: bExpand: If set, HKDF-Expand will be applied to the input key (if andre@0: bExtract is not set) or to the result of HKDF-Extract (if andre@0: bExtract is set). Any info given in the optional pInfo field will andre@0: be included in the calculation. andre@0: andre@0: The size of the output key must be specified in the template passed to andre@0: C_DeriveKey. andre@0: */ andre@0: typedef struct CK_NSS_HKDFParams { andre@0: CK_BBOOL bExtract; andre@0: CK_BYTE_PTR pSalt; andre@0: CK_ULONG ulSaltLen; andre@0: CK_BBOOL bExpand; andre@0: CK_BYTE_PTR pInfo; andre@0: CK_ULONG ulInfoLen; andre@0: } CK_NSS_HKDFParams; andre@0: andre@0: /* andre@0: * Trust info andre@0: * andre@0: * This isn't part of the Cryptoki standard (yet), so I'm putting andre@0: * all the definitions here. Some of this would move to nssckt.h andre@0: * if trust info were made part of the standard. In view of this andre@0: * possibility, I'm putting my (NSS) values in the NSS andre@0: * vendor space, like everything else. andre@0: */ andre@0: andre@0: typedef CK_ULONG CK_TRUST; andre@0: andre@0: /* The following trust types are defined: */ andre@0: #define CKT_VENDOR_DEFINED 0x80000000 andre@0: andre@0: #define CKT_NSS (CKT_VENDOR_DEFINED|NSSCK_VENDOR_NSS) andre@0: andre@0: /* If trust goes standard, these'll probably drop out of vendor space. */ andre@0: #define CKT_NSS_TRUSTED (CKT_NSS + 1) andre@0: #define CKT_NSS_TRUSTED_DELEGATOR (CKT_NSS + 2) andre@0: #define CKT_NSS_MUST_VERIFY_TRUST (CKT_NSS + 3) andre@0: #define CKT_NSS_NOT_TRUSTED (CKT_NSS + 10) andre@0: #define CKT_NSS_TRUST_UNKNOWN (CKT_NSS + 5) /* default */ andre@0: andre@0: /* andre@0: * These may well remain NSS-specific; I'm only using them andre@0: * to cache resolution data. andre@0: */ andre@0: #define CKT_NSS_VALID_DELEGATOR (CKT_NSS + 11) andre@0: andre@0: andre@0: /* andre@0: * old definitions. They still exist, but the plain meaning of the andre@0: * labels have never been accurate to what was really implemented. andre@0: * The new labels correctly reflect what the values effectively mean. andre@0: */ andre@0: #if defined(__GNUC__) && (__GNUC__ > 3) andre@0: /* make GCC warn when we use these #defines */ andre@0: /* andre@0: * This is really painful because GCC doesn't allow us to mark random andre@0: * #defines as deprecated. We can only mark the following: andre@0: * functions, variables, and types. andre@0: * const variables will create extra storage for everyone including this andre@0: * header file, so it's undesirable. andre@0: * functions could be inlined to prevent storage creation, but will fail andre@0: * when constant values are expected (like switch statements). andre@0: * enum types do not seem to pay attention to the deprecated attribute. andre@0: * andre@0: * That leaves typedefs. We declare new types that we then deprecate, then andre@0: * cast the resulting value to the deprecated type in the #define, thus andre@0: * producting the warning when the #define is used. andre@0: */ andre@0: #if (__GNUC__ == 4) && (__GNUC_MINOR__ < 5) andre@0: /* The mac doesn't like the friendlier deprecate messages. I'm assuming this andre@0: * is a gcc version issue rather than mac or ppc specific */ andre@0: typedef CK_TRUST __CKT_NSS_UNTRUSTED __attribute__((deprecated)); andre@0: typedef CK_TRUST __CKT_NSS_VALID __attribute__ ((deprecated)); andre@0: typedef CK_TRUST __CKT_NSS_MUST_VERIFY __attribute__((deprecated)); andre@0: #else andre@0: /* when possible, get a full deprecation warning. This works on gcc 4.5 andre@0: * it may work on earlier versions of gcc */ andre@0: typedef CK_TRUST __CKT_NSS_UNTRUSTED __attribute__((deprecated andre@0: ("CKT_NSS_UNTRUSTED really means CKT_NSS_MUST_VERIFY_TRUST"))); andre@0: typedef CK_TRUST __CKT_NSS_VALID __attribute__ ((deprecated andre@0: ("CKT_NSS_VALID really means CKT_NSS_NOT_TRUSTED"))); andre@0: typedef CK_TRUST __CKT_NSS_MUST_VERIFY __attribute__((deprecated andre@0: ("CKT_NSS_MUST_VERIFY really functions as CKT_NSS_TRUST_UNKNOWN"))); andre@0: #endif andre@0: #define CKT_NSS_UNTRUSTED ((__CKT_NSS_UNTRUSTED)CKT_NSS_MUST_VERIFY_TRUST) andre@0: #define CKT_NSS_VALID ((__CKT_NSS_VALID) CKT_NSS_NOT_TRUSTED) andre@0: /* keep the old value for compatibility reasons*/ andre@0: #define CKT_NSS_MUST_VERIFY ((__CKT_NSS_MUST_VERIFY)(CKT_NSS +4)) andre@0: #else andre@0: #ifdef _WIN32 andre@0: /* This magic gets the windows compiler to give us a deprecation andre@0: * warning */ andre@0: #pragma deprecated(CKT_NSS_UNTRUSTED, CKT_NSS_MUST_VERIFY, CKT_NSS_VALID) andre@0: #endif andre@0: /* CKT_NSS_UNTRUSTED really means CKT_NSS_MUST_VERIFY_TRUST */ andre@0: #define CKT_NSS_UNTRUSTED CKT_NSS_MUST_VERIFY_TRUST andre@0: /* CKT_NSS_VALID really means CKT_NSS_NOT_TRUSTED */ andre@0: #define CKT_NSS_VALID CKT_NSS_NOT_TRUSTED andre@0: /* CKT_NSS_MUST_VERIFY was always treated as CKT_NSS_TRUST_UNKNOWN */ andre@0: #define CKT_NSS_MUST_VERIFY (CKT_NSS + 4) /*really means trust unknown*/ andre@0: #endif andre@0: andre@0: /* don't leave old programs in a lurch just yet, give them the old NETSCAPE andre@0: * synonym */ andre@0: #define CKO_NETSCAPE_CRL CKO_NSS_CRL andre@0: #define CKO_NETSCAPE_SMIME CKO_NSS_SMIME andre@0: #define CKO_NETSCAPE_TRUST CKO_NSS_TRUST andre@0: #define CKO_NETSCAPE_BUILTIN_ROOT_LIST CKO_NSS_BUILTIN_ROOT_LIST andre@0: #define CKO_NETSCAPE_NEWSLOT CKO_NSS_NEWSLOT andre@0: #define CKO_NETSCAPE_DELSLOT CKO_NSS_DELSLOT andre@0: #define CKK_NETSCAPE_PKCS8 CKK_NSS_PKCS8 andre@0: #define CKA_NETSCAPE_URL CKA_NSS_URL andre@0: #define CKA_NETSCAPE_EMAIL CKA_NSS_EMAIL andre@0: #define CKA_NETSCAPE_SMIME_INFO CKA_NSS_SMIME_INFO andre@0: #define CKA_NETSCAPE_SMIME_TIMESTAMP CKA_NSS_SMIME_TIMESTAMP andre@0: #define CKA_NETSCAPE_PKCS8_SALT CKA_NSS_PKCS8_SALT andre@0: #define CKA_NETSCAPE_PASSWORD_CHECK CKA_NSS_PASSWORD_CHECK andre@0: #define CKA_NETSCAPE_EXPIRES CKA_NSS_EXPIRES andre@0: #define CKA_NETSCAPE_KRL CKA_NSS_KRL andre@0: #define CKA_NETSCAPE_PQG_COUNTER CKA_NSS_PQG_COUNTER andre@0: #define CKA_NETSCAPE_PQG_SEED CKA_NSS_PQG_SEED andre@0: #define CKA_NETSCAPE_PQG_H CKA_NSS_PQG_H andre@0: #define CKA_NETSCAPE_PQG_SEED_BITS CKA_NSS_PQG_SEED_BITS andre@0: #define CKA_NETSCAPE_MODULE_SPEC CKA_NSS_MODULE_SPEC andre@0: #define CKM_NETSCAPE_AES_KEY_WRAP CKM_NSS_AES_KEY_WRAP andre@0: #define CKM_NETSCAPE_AES_KEY_WRAP_PAD CKM_NSS_AES_KEY_WRAP_PAD andre@0: #define CKR_NETSCAPE_CERTDB_FAILED CKR_NSS_CERTDB_FAILED andre@0: #define CKR_NETSCAPE_KEYDB_FAILED CKR_NSS_KEYDB_FAILED andre@0: andre@0: #define CKT_NETSCAPE_TRUSTED CKT_NSS_TRUSTED andre@0: #define CKT_NETSCAPE_TRUSTED_DELEGATOR CKT_NSS_TRUSTED_DELEGATOR andre@0: #define CKT_NETSCAPE_UNTRUSTED CKT_NSS_UNTRUSTED andre@0: #define CKT_NETSCAPE_MUST_VERIFY CKT_NSS_MUST_VERIFY andre@0: #define CKT_NETSCAPE_TRUST_UNKNOWN CKT_NSS_TRUST_UNKNOWN andre@0: #define CKT_NETSCAPE_VALID CKT_NSS_VALID andre@0: #define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR andre@0: andre@0: /* andre@0: * These are not really PKCS #11 values specifically. They are the 'loadable' andre@0: * module spec NSS uses. The are available for others to use as well, but not andre@0: * part of the formal PKCS #11 spec. andre@0: * andre@0: * The function 'FIND' returns an array of PKCS #11 initialization strings andre@0: * The function 'ADD' takes a PKCS #11 initialization string and stores it. andre@0: * The function 'DEL' takes a 'name= library=' value and deletes the associated andre@0: * string. andre@0: * The function 'RELEASE' frees the array returned by 'FIND' andre@0: */ andre@0: #define SECMOD_MODULE_DB_FUNCTION_FIND 0 andre@0: #define SECMOD_MODULE_DB_FUNCTION_ADD 1 andre@0: #define SECMOD_MODULE_DB_FUNCTION_DEL 2 andre@0: #define SECMOD_MODULE_DB_FUNCTION_RELEASE 3 andre@0: typedef char ** (PR_CALLBACK *SECMODModuleDBFunc)(unsigned long function, andre@0: char *parameters, void *moduleSpec); andre@0: andre@0: /* softoken slot ID's */ andre@0: #define SFTK_MIN_USER_SLOT_ID 4 andre@0: #define SFTK_MAX_USER_SLOT_ID 100 andre@0: #define SFTK_MIN_FIPS_USER_SLOT_ID 101 andre@0: #define SFTK_MAX_FIPS_USER_SLOT_ID 127 andre@0: andre@0: andre@0: #endif /* _PKCS11N_H_ */