/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _SECMODT_H_
#define _SECMODT_H_ 1
#include "nssrwlkt.h"
#include "nssilckt.h"
#include "secoid.h"
#include "secasn1.h"
#include "pkcs11t.h"
#include "utilmodt.h"
SEC_BEGIN_PROTOS
/* find a better home for these... */
extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate)
extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
SEC_ASN1_CHOOSER_DECLARE(SECKEY_EncryptedPrivateKeyInfoTemplate)
extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
SEC_ASN1_CHOOSER_DECLARE(SECKEY_PrivateKeyInfoTemplate)
extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToPrivateKeyInfoTemplate)
SEC_END_PROTOS
/* PKCS11 needs to be included */
typedef struct SECMODModuleStr SECMODModule;
typedef struct SECMODModuleListStr SECMODModuleList;
typedef NSSRWLock SECMODListLock;
typedef struct PK11SlotInfoStr PK11SlotInfo;
/* defined in secmodti.h */
typedef struct NSSUTILPreSlotInfoStr PK11PreSlotInfo;
/* defined in secmodti.h */
typedef struct PK11SymKeyStr PK11SymKey;
/* defined in secmodti.h */
typedef struct PK11ContextStr PK11Context;
/* defined in secmodti.h */
typedef struct PK11SlotListStr PK11SlotList;
typedef struct PK11SlotListElementStr PK11SlotListElement;
typedef struct PK11RSAGenParamsStr PK11RSAGenParams;
typedef unsigned long SECMODModuleID;
typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry;
typedef struct PK11GenericObjectStr PK11GenericObject;
typedef void (*PK11FreeDataFunc)(
void *);
struct SECMODModuleStr {
PLArenaPool *arena;
PRBool internal;
/* true of internally linked modules, false
* for the loaded modules */
PRBool loaded;
/* Set to true if module has been loaded */
PRBool isFIPS;
/* Set to true if module is finst internal */
char *dllName;
/* name of the shared library which implements
* this module */
char *commonName;
/* name of the module to display to the user */
void *library;
/* pointer to the library. opaque. used only by
* pk11load.c */
void *functionList;
/* The PKCS #11 function table */
PZLock *refLock;
/* only used pk11db.c */
int refCount;
/* Module reference count */
PK11SlotInfo **slots;
/* array of slot points attached to this mod*/
int slotCount;
/* count of slot in above array */
PK11PreSlotInfo *slotInfo;
/* special info about slots default settings */
int slotInfoCount;
/* count */
SECMODModuleID moduleID;
/* ID so we can find this module again */
PRBool isThreadSafe;
unsigned long ssl[2];
/* SSL cipher enable flags */
char *libraryParams;
/* Module specific parameters */
void *moduleDBFunc;
/* function to return module configuration data*/
SECMODModule *parent;
/* module that loaded us */
PRBool isCritical;
/* This module must load successfully */
PRBool isModuleDB;
/* this module has lists of PKCS #11 modules */
PRBool moduleDBOnly;
/* this module only has lists of PKCS #11 modules */
int trustOrder;
/* order for this module's certificate trust rollup */
int cipherOrder;
/* order for cipher operations */
unsigned long evControlMask;
/* control the running and shutdown of slot
* events (SECMOD_WaitForAnyTokenEvent) */
CK_VERSION cryptokiVersion;
/* version of this library */
CK_FLAGS flags;
/* pkcs11 v3 flags */
/* Warning this could go way in future versions of NSS
* when FIPS indicators wind up in the functionList */
CK_NSS_GetFIPSStatus fipsIndicator;
};
/* evControlMask flags */
/*
* These bits tell the current state of a SECMOD_WaitForAnyTokenEvent.
*
* SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in
* C_WaitForSlotEvent().
* SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code
* which polls for token insertion and removal events.
* SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is
* waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent
* should return immediately to it's caller.
*/
#define SECMOD_END_WAIT 0x01
#define SECMOD_WAIT_SIMULATED_EVENT 0x02
#define SECMOD_WAIT_PKCS11_EVENT 0x04
struct SECMODModuleListStr {
SECMODModuleList *next;
SECMODModule *module;
};
struct PK11SlotListStr {
PK11SlotListElement *head;
PK11SlotListElement *tail;
PZLock *lock;
};
struct PK11SlotListElementStr {
PK11SlotListElement *next;
PK11SlotListElement *prev;
PK11SlotInfo *slot;
int refCount;
};
struct PK11RSAGenParamsStr {
int keySizeInBits;
unsigned long pe;
};
typedef enum {
PK11CertListUnique = 0,
/* get one instance of all certs */
PK11CertListUser = 1,
/* get all instances of user certs */
PK11CertListRootUnique = 2,
/* get one instance of CA certs without a private key.
* deprecated. Use PK11CertListCAUnique
*/
PK11CertListCA = 3,
/* get all instances of CA certs */
PK11CertListCAUnique = 4,
/* get one instance of CA certs */
PK11CertListUserUnique = 5,
/* get one instance of user certs */
PK11CertListAll = 6
/* get all instances of all certs */
} PK11CertListType;
/*
* Entry into the array which lists all the legal bits for the default flags
* in the slot, their definition, and the PKCS #11 mechanism they represent.
* Always statically allocated.
*/
struct PK11DefaultArrayEntryStr {
const char *name;
unsigned long flag;
unsigned long mechanism;
/* this is a long so we don't include the
* whole pkcs 11 world to use this header */
};
/*
* PK11AttrFlags
*
* A 32-bit bitmask of PK11_ATTR_XXX flags
*/
typedef PRUint32 PK11AttrFlags;
/*
* PK11_ATTR_XXX
*
* The following PK11_ATTR_XXX bitflags are used to specify
* PKCS #11 object attributes that have Boolean values. Some NSS
* functions have a "PK11AttrFlags attrFlags" parameter whose value
* is the logical OR of these bitflags. NSS use these bitflags on
* private keys or secret keys. Some of these bitflags also apply
* to the public keys associated with the private keys.
*
* For each PKCS #11 object attribute, we need two bitflags to
* specify not only "true" and "false" but also "default". For
* example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the
* CKA_PRIVATE attribute. If PK11_ATTR_PRIVATE is set, we add
* { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) }
* to the template. If PK11_ATTR_PUBLIC is set, we add
* { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) }
* to the template. If neither flag is set, we don't add any
* CKA_PRIVATE entry to the template.
*/
/*
* Attributes for PKCS #11 storage objects, which include not only
* keys but also certificates and domain parameters.
*/
/*
* PK11_ATTR_TOKEN
* PK11_ATTR_SESSION
*
* These two flags determine whether the object is a token or
* session object.
*
* These two flags are related and cannot both be set.
* If the PK11_ATTR_TOKEN flag is set, the object is a token
* object. If the PK11_ATTR_SESSION flag is set, the object is
* a session object. If neither flag is set, the object is *by
* default* a session object.
*
* These two flags specify the value of the PKCS #11 CKA_TOKEN
* attribute.
*/
#define PK11_ATTR_TOKEN 0x00000001L
#define PK11_ATTR_SESSION 0x00000002L
/*
* PK11_ATTR_PRIVATE
* PK11_ATTR_PUBLIC
*
* These two flags determine whether the object is a private or
* public object. A user may not access a private object until the
* user has authenticated to the token.
*
* These two flags are related and cannot both be set.
* If the PK11_ATTR_PRIVATE flag is set, the object is a private
* object. If the PK11_ATTR_PUBLIC flag is set, the object is a
* public object. If neither flag is set, it is token-specific
* whether the object is private or public.
*
* These two flags specify the value of the PKCS #11 CKA_PRIVATE
* attribute. NSS only uses this attribute on private and secret
* keys, so public keys created by NSS get the token-specific
* default value of the CKA_PRIVATE attribute.
*/
#define PK11_ATTR_PRIVATE 0x00000004L
#define PK11_ATTR_PUBLIC 0x00000008L
/*
* PK11_ATTR_MODIFIABLE
* PK11_ATTR_UNMODIFIABLE
*
* These two flags determine whether the object is modifiable or
* read-only.
*
* These two flags are related and cannot both be set.
* If the PK11_ATTR_MODIFIABLE flag is set, the object can be
* modified. If the PK11_ATTR_UNMODIFIABLE flag is set, the object
* is read-only. If neither flag is set, the object is *by default*
* modifiable.
*
* These two flags specify the value of the PKCS #11 CKA_MODIFIABLE
* attribute.
*/
#define PK11_ATTR_MODIFIABLE 0x00000010L
#define PK11_ATTR_UNMODIFIABLE 0x00000020L
/* Attributes for PKCS #11 key objects. */
/*
* PK11_ATTR_SENSITIVE
* PK11_ATTR_INSENSITIVE
*
* These two flags are related and cannot both be set.
* If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive.
* If the PK11_ATTR_INSENSITIVE flag is set, the key is not
* sensitive. If neither flag is set, it is token-specific whether
* the key is sensitive or not.
*
* If a key is sensitive, certain attributes of the key cannot be
* revealed in plaintext outside the token.
*
* This flag specifies the value of the PKCS #11 CKA_SENSITIVE
* attribute. Although the default value of the CKA_SENSITIVE
* attribute for secret keys is CK_FALSE per PKCS #11, some FIPS
* tokens set the default value to CK_TRUE because only CK_TRUE
* is allowed. So in practice the default value of this attribute
* is token-specific, hence the need for two bitflags.
*/
#define PK11_ATTR_SENSITIVE 0x00000040L
#define PK11_ATTR_INSENSITIVE 0x00000080L
/*
* PK11_ATTR_EXTRACTABLE
* PK11_ATTR_UNEXTRACTABLE
*
* These two flags are related and cannot both be set.
* If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable
* and can be wrapped. If the PK11_ATTR_UNEXTRACTABLE flag is set,
* the key is not extractable, and certain attributes of the key
* cannot be revealed in plaintext outside the token (just like a
* sensitive key). If neither flag is set, it is token-specific
* whether the key is extractable or not.
*
* These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE
* attribute.
*/
#define PK11_ATTR_EXTRACTABLE 0x00000100L
#define PK11_ATTR_UNEXTRACTABLE 0x00000200L
/* Cryptographic module types */
#define SECMOD_EXTERNAL 0
/* external module */
#define SECMOD_INTERNAL 1
/* internal default module */
#define SECMOD_FIPS 2
/* internal fips module */
/* default module configuration strings */
#define SECMOD_SLOT_FLAGS
"slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]"
#define SECMOD_MAKE_NSS_FLAGS(fips, slot) \
"Flags=internal,critical" fips
" slotparams=(" #slot "={" SECMOD_SLOT_FLAGS
"})"
#define SECMOD_INT_NAME
"NSS Internal PKCS #11 Module"
#define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS(
"", 1)
#define SECMOD_FIPS_NAME
"NSS Internal FIPS PKCS #11 Module"
#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(
",fips", 3)
/*
* What is the origin of a given Key. Normally this doesn't matter, but
* the fortezza code needs to know if it needs to invoke the SSL3 fortezza
* hack.
*/
typedef enum {
PK11_OriginNULL = 0,
/* There is not key, it's a null SymKey */
PK11_OriginDerive = 1,
/* Key was derived from some other key */
PK11_OriginGenerated = 2,
/* Key was generated (also PBE keys) */
PK11_OriginFortezzaHack = 3,
/* Key was marked for fortezza hack */
PK11_OriginUnwrap = 4
/* Key was unwrapped or decrypted */
} PK11Origin;
/* PKCS #11 disable reasons */
typedef enum {
PK11_DIS_NONE = 0,
PK11_DIS_USER_SELECTED = 1,
PK11_DIS_COULD_NOT_INIT_TOKEN = 2,
PK11_DIS_TOKEN_VERIFY_FAILED = 3,
PK11_DIS_TOKEN_NOT_PRESENT = 4
} PK11DisableReasons;
/* types of PKCS #11 objects
* used to identify which NSS data structure is
* passed to the PK11_Raw* functions. Types map as follows:
* PK11_TypeGeneric PK11GenericObject *
* PK11_TypePrivKey SECKEYPrivateKey *
* PK11_TypePubKey SECKEYPublicKey *
* PK11_TypeSymKey PK11SymKey *
* PK11_TypeCert CERTCertificate * (currently not used).
*/
typedef enum {
PK11_TypeGeneric = 0,
PK11_TypePrivKey = 1,
PK11_TypePubKey = 2,
PK11_TypeCert = 3,
PK11_TypeSymKey = 4
} PK11ObjectType;
/* function pointer type for password callback function.
* This type is passed in to PK11_SetPasswordFunc()
*/
typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry,
void *ar
g);
typedef PRBool(PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg);
typedef PRBool(PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg);
/*
* Special strings the password callback function can return only if
* the slot is an protected auth path slot.
*/
#define PK11_PW_RETRY "RETRY" /* an failed attempt to authenticate \
* has already been made, just retry \
* the operation */
#define PK11_PW_AUTHENTICATED "AUTH" /* a successful attempt to authenticate \
* has completed. Continue without \
* another call to C_Login */
/* All other non-null values mean that that NSS could call C_Login to force
* the authentication. The following define is to aid applications in
* documenting that is what it's trying to do */
#define PK11_PW_TRY "TRY" /* Default: a prompt has been presented \
* to the user, initiate a C_Login \
* to authenticate the token */
/*
* PKCS #11 key structures
*/
/*
** Attributes
*/
struct SECKEYAttributeStr {
SECItem attrType;
SECItem **attrValue;
};
typedef struct SECKEYAttributeStr SECKEYAttribute;
/*
** A PKCS#8 private key info object
*/
struct SECKEYPrivateKeyInfoStr {
PLArenaPool *arena;
SECItem version;
SECAlgorithmID algorithm;
SECItem privateKey;
SECKEYAttribute **attributes;
};
typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo;
/*
** A PKCS#8 private key info object
*/
struct SECKEYEncryptedPrivateKeyInfoStr {
PLArenaPool *arena;
SECAlgorithmID algorithm;
SECItem encryptedData;
};
typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo;
/*
* token removal detection
*/
typedef enum {
PK11TokenNotRemovable = 0,
PK11TokenPresent = 1,
PK11TokenChanged = 2,
PK11TokenRemoved = 3
} PK11TokenStatus;
typedef enum {
PK11TokenRemovedOrChangedEvent = 0,
PK11TokenPresentEvent = 1
} PK11TokenEvent;
/*
* CRL Import Flags
*/
#define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000
#define CRL_IMPORT_BYPASS_CHECKS 0x00000001
/*
* Merge Error Log
*/
typedef struct PK11MergeLogStr PK11MergeLog;
typedef struct PK11MergeLogNodeStr PK11MergeLogNode;
/* These need to be global, leave some open fields so we can 'expand'
* these without breaking binary compatibility */
struct PK11MergeLogNodeStr {
PK11MergeLogNode *next; /* next entry in the list */
PK11MergeLogNode *prev; /* last entry in the list */
PK11GenericObject *object; /* object that failed */
int error; /* what the error was */
CK_RV reserved1;
unsigned long reserved2; /* future flags */
unsigned long reserved3; /* future scalar */
void *reserved4; /* future pointer */
void *reserved5; /* future expansion pointer */
};
struct PK11MergeLogStr {
PK11MergeLogNode *head;
PK11MergeLogNode *tail;
PLArenaPool *arena;
int version;
unsigned long reserved1;
unsigned long reserved2;
unsigned long reserved3;
void *reserverd4;
void *reserverd5;
};
#endif /*_SECMODT_H_ */
