/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*
 * secmodt.h - public types shared by the NSS PKCS #11 module layer
 * (SECMOD_*/PK11_* APIs): module and slot bookkeeping structures,
 * object-attribute bitflags, password-callback types and PKCS #8 key
 * info structures.  This header holds types only; the functions that
 * use them are declared elsewhere.
 */

#ifndef _SECMODT_H_
#define _SECMODT_H_ 1

#include "nssrwlkt.h"
#include "nssilckt.h"
#include "secoid.h"
#include "secasn1.h"
#include "pkcs11t.h"
#include "utilmodt.h"

SEC_BEGIN_PROTOS

/* find a better home for these...
 * ASN.1 templates for PKCS #8 PrivateKeyInfo / EncryptedPrivateKeyInfo
 * (the structures themselves are defined further down in this header). */
extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate)
extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
SEC_ASN1_CHOOSER_DECLARE(SECKEY_EncryptedPrivateKeyInfoTemplate)
extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
SEC_ASN1_CHOOSER_DECLARE(SECKEY_PrivateKeyInfoTemplate)
extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToPrivateKeyInfoTemplate)

SEC_END_PROTOS

/* PKCS11 needs to be included */

/* Opaque/forward handles.  Several of these are completed in
 * secmodti.h (private), so application code only ever sees pointers. */
typedef struct SECMODModuleStr SECMODModule;
typedef struct SECMODModuleListStr SECMODModuleList;
typedef NSSRWLock SECMODListLock;
typedef struct PK11SlotInfoStr PK11SlotInfo;            /* defined in secmodti.h */
typedef struct NSSUTILPreSlotInfoStr PK11PreSlotInfo;   /* defined in secmodti.h */
typedef struct PK11SymKeyStr PK11SymKey;                /* defined in secmodti.h */
typedef struct PK11ContextStr PK11Context;              /* defined in secmodti.h */
typedef struct PK11SlotListStr PK11SlotList;
typedef struct PK11SlotListElementStr PK11SlotListElement;
typedef struct PK11RSAGenParamsStr PK11RSAGenParams;
typedef unsigned long SECMODModuleID;
typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry;
typedef struct PK11GenericObjectStr PK11GenericObject;
/* Destructor callback for caller-supplied data attached to PK11 objects. */
typedef void (*PK11FreeDataFunc)(void *);

/*
 * One loaded (or loadable) PKCS #11 module.  Allocated from `arena`;
 * lifetime is governed by `refCount` under `refLock`.
 */
struct SECMODModuleStr {
    PLArenaPool *arena;
    PRBool internal;            /* true for internally linked modules, false
                                 * for the loaded modules */
    PRBool loaded;              /* Set to true if module has been loaded */
    PRBool isFIPS;              /* Set to true if module is the internal module
                                 * running in FIPS mode (see SECMOD_FIPS) */
    char *dllName;              /* name of the shared library which implements
                                 * this module */
    char *commonName;           /* name of the module to display to the user */
    void *library;              /* pointer to the library. opaque. used only by
                                 * pk11load.c */
    void *functionList;         /* The PKCS #11 function table */
    PZLock *refLock;            /* only used pk11db.c */
    int refCount;               /* Module reference count */
    PK11SlotInfo **slots;       /* array of slot pointers attached to this mod */
    int slotCount;              /* count of slots in above array */
    PK11PreSlotInfo *slotInfo;  /* special info about slots default settings */
    int slotInfoCount;          /* count */
    SECMODModuleID moduleID;    /* ID so we can find this module again */
    PRBool isThreadSafe;
    unsigned long ssl[2];       /* SSL cipher enable flags */
    char *libraryParams;        /* Module specific parameters */
    void *moduleDBFunc;         /* function to return module configuration data */
    SECMODModule *parent;       /* module that loaded us */
    PRBool isCritical;          /* This module must load successfully */
    PRBool isModuleDB;          /* this module has lists of PKCS #11 modules */
    PRBool moduleDBOnly;        /* this module only has lists of PKCS #11 modules */
    int trustOrder;             /* order for this module's certificate trust rollup */
    int cipherOrder;            /* order for cipher operations */
    unsigned long evControlMask; /* control the running and shutdown of slot
                                  * events (SECMOD_WaitForAnyTokenEvent);
                                  * see the SECMOD_*_WAIT / *_EVENT bits below */
    CK_VERSION cryptokiVersion; /* version of this library */
    CK_FLAGS flags;             /* pkcs11 v3 flags */
    /* Warning this could go away in future versions of NSS
     * when FIPS indicators wind up in the functionList */
    CK_NSS_GetFIPSStatus fipsIndicator;
};

/* evControlMask flags */
/*
 * These bits tell the current state of a SECMOD_WaitForAnyTokenEvent.
 *
 * SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in
 *   C_WaitForSlotEvent().
 * SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code
 *   which polls for token insertion and removal events.
 * SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is
 *   waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent
 *   should return immediately to its caller.
 */
#define SECMOD_END_WAIT 0x01
#define SECMOD_WAIT_SIMULATED_EVENT 0x02
#define SECMOD_WAIT_PKCS11_EVENT 0x04

/* Singly linked list of modules. */
struct SECMODModuleListStr {
    SECMODModuleList *next;
    SECMODModule *module;
};

/* Doubly linked list of slots, protected by `lock`. */
struct PK11SlotListStr {
    PK11SlotListElement *head;
    PK11SlotListElement *tail;
    PZLock *lock;
};

struct PK11SlotListElementStr {
    PK11SlotListElement *next;
    PK11SlotListElement *prev;
    PK11SlotInfo *slot;
    int refCount; /* references to this list element */
};

/* Parameters for RSA key pair generation. */
struct PK11RSAGenParamsStr {
    int keySizeInBits;
    unsigned long pe; /* public exponent */
};

/* Selects which certificates a PK11 listing call returns. */
typedef enum {
    PK11CertListUnique = 0,     /* get one instance of all certs */
    PK11CertListUser = 1,       /* get all instances of user certs */
    PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key.
                                 * deprecated. Use PK11CertListCAUnique */
    PK11CertListCA = 3,         /* get all instances of CA certs */
    PK11CertListCAUnique = 4,   /* get one instance of CA certs */
    PK11CertListUserUnique = 5, /* get one instance of user certs */
    PK11CertListAll = 6         /* get all instances of all certs */
} PK11CertListType;

/*
 * Entry into the array which lists all the legal bits for the default flags
 * in the slot, their definition, and the PKCS #11 mechanism they represent.
 * Always statically allocated.
 */
struct PK11DefaultArrayEntryStr {
    const char *name;
    unsigned long flag;
    unsigned long mechanism; /* this is a long so we don't include the
                              * whole pkcs 11 world to use this header */
};

/*
 * PK11AttrFlags
 *
 * A 32-bit bitmask of PK11_ATTR_XXX flags
 */
typedef PRUint32 PK11AttrFlags;

/*
 * PK11_ATTR_XXX
 *
 * The following PK11_ATTR_XXX bitflags are used to specify
 * PKCS #11 object attributes that have Boolean values. Some NSS
 * functions have a "PK11AttrFlags attrFlags" parameter whose value
 * is the logical OR of these bitflags. NSS uses these bitflags on
 * private keys or secret keys. Some of these bitflags also apply
 * to the public keys associated with the private keys.
 *
 * For each PKCS #11 object attribute, we need two bitflags to
 * specify not only "true" and "false" but also "default". For
 * example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the
 * CKA_PRIVATE attribute. If PK11_ATTR_PRIVATE is set, we add
 *   { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) }
 * to the template. If PK11_ATTR_PUBLIC is set, we add
 *   { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) }
 * to the template. If neither flag is set, we don't add any
 * CKA_PRIVATE entry to the template.
 *
 * Each pair is mutually exclusive; setting both members of a pair is
 * a caller error (this header does not say how NSS resolves it, so
 * callers should not rely on either one winning).
 */

/*
 * Attributes for PKCS #11 storage objects, which include not only
 * keys but also certificates and domain parameters.
 */

/*
 * PK11_ATTR_TOKEN
 * PK11_ATTR_SESSION
 *
 * These two flags determine whether the object is a token or
 * session object.
 *
 * These two flags are related and cannot both be set.
 * If the PK11_ATTR_TOKEN flag is set, the object is a token
 * object. If the PK11_ATTR_SESSION flag is set, the object is
 * a session object. If neither flag is set, the object is *by
 * default* a session object.
 *
 * These two flags specify the value of the PKCS #11 CKA_TOKEN
 * attribute.
 */
#define PK11_ATTR_TOKEN 0x00000001L
#define PK11_ATTR_SESSION 0x00000002L

/*
 * PK11_ATTR_PRIVATE
 * PK11_ATTR_PUBLIC
 *
 * These two flags determine whether the object is a private or
 * public object. A user may not access a private object until the
 * user has authenticated to the token.
 *
 * These two flags are related and cannot both be set.
 * If the PK11_ATTR_PRIVATE flag is set, the object is a private
 * object. If the PK11_ATTR_PUBLIC flag is set, the object is a
 * public object. If neither flag is set, it is token-specific
 * whether the object is private or public.
 *
 * These two flags specify the value of the PKCS #11 CKA_PRIVATE
 * attribute. NSS only uses this attribute on private and secret
 * keys, so public keys created by NSS get the token-specific
 * default value of the CKA_PRIVATE attribute.
 */
#define PK11_ATTR_PRIVATE 0x00000004L
#define PK11_ATTR_PUBLIC 0x00000008L

/*
 * PK11_ATTR_MODIFIABLE
 * PK11_ATTR_UNMODIFIABLE
 *
 * These two flags determine whether the object is modifiable or
 * read-only.
 *
 * These two flags are related and cannot both be set.
 * If the PK11_ATTR_MODIFIABLE flag is set, the object can be
 * modified. If the PK11_ATTR_UNMODIFIABLE flag is set, the object
 * is read-only. If neither flag is set, the object is *by default*
 * modifiable.
 *
 * These two flags specify the value of the PKCS #11 CKA_MODIFIABLE
 * attribute.
 */
#define PK11_ATTR_MODIFIABLE 0x00000010L
#define PK11_ATTR_UNMODIFIABLE 0x00000020L

/* Attributes for PKCS #11 key objects. */

/*
 * PK11_ATTR_SENSITIVE
 * PK11_ATTR_INSENSITIVE
 *
 * These two flags are related and cannot both be set.
 * If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive.
 * If the PK11_ATTR_INSENSITIVE flag is set, the key is not
 * sensitive. If neither flag is set, it is token-specific whether
 * the key is sensitive or not.
 *
 * If a key is sensitive, certain attributes of the key cannot be
 * revealed in plaintext outside the token.
 *
 * This flag specifies the value of the PKCS #11 CKA_SENSITIVE
 * attribute. Although the default value of the CKA_SENSITIVE
 * attribute for secret keys is CK_FALSE per PKCS #11, some FIPS
 * tokens set the default value to CK_TRUE because only CK_TRUE
 * is allowed. So in practice the default value of this attribute
 * is token-specific, hence the need for two bitflags.
 *
 * Because the default is token-specific, code that relies on key
 * material never leaving the token should pass PK11_ATTR_SENSITIVE
 * explicitly rather than omitting both flags.
 */
#define PK11_ATTR_SENSITIVE 0x00000040L
#define PK11_ATTR_INSENSITIVE 0x00000080L

/*
 * PK11_ATTR_EXTRACTABLE
 * PK11_ATTR_UNEXTRACTABLE
 *
 * These two flags are related and cannot both be set.
 * If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable
 * and can be wrapped. If the PK11_ATTR_UNEXTRACTABLE flag is set,
 * the key is not extractable, and certain attributes of the key
 * cannot be revealed in plaintext outside the token (just like a
 * sensitive key). If neither flag is set, it is token-specific
 * whether the key is extractable or not.
 *
 * These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE
 * attribute.  As with CKA_SENSITIVE, omitting both flags leaves the
 * decision to the token; pass PK11_ATTR_UNEXTRACTABLE explicitly when
 * the key must not be wrappable.
 */
#define PK11_ATTR_EXTRACTABLE 0x00000100L
#define PK11_ATTR_UNEXTRACTABLE 0x00000200L

/* Cryptographic module types */
#define SECMOD_EXTERNAL 0 /* external module */
#define SECMOD_INTERNAL 1 /* internal default module */
#define SECMOD_FIPS 2     /* internal fips module */

/* default module configuration strings */
/* Mechanism list advertised for the internal slot.  Note that it names
 * legacy algorithms (RC2, RC4, DES, MD2, MD5, SHA1) alongside current
 * ones; whether a listed mechanism is actually offered to callers is
 * decided by the module configuration code, not by this string. */
#define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]"

/* Builds the configuration string for the internal module.  `fips` is a
 * literal suffix spliced into the Flags list (",fips" or ""), `slot` is
 * stringized into the slotparams entry. */
#define SECMOD_MAKE_NSS_FLAGS(fips, slot) \
    "Flags=internal,critical" fips " slotparams=(" #slot "={" SECMOD_SLOT_FLAGS "})"

#define SECMOD_INT_NAME "NSS Internal PKCS #11 Module"
#define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("", 1)
#define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips", 3)

/*
 * What is the origin of a given Key. Normally this doesn't matter, but
 * the fortezza code needs to know if it needs to invoke the SSL3 fortezza
 * hack.
 */
typedef enum {
    PK11_OriginNULL = 0,         /* There is no key, it's a null SymKey */
    PK11_OriginDerive = 1,       /* Key was derived from some other key */
    PK11_OriginGenerated = 2,    /* Key was generated (also PBE keys) */
    PK11_OriginFortezzaHack = 3, /* Key was marked for fortezza hack */
    PK11_OriginUnwrap = 4        /* Key was unwrapped or decrypted */
} PK11Origin;

/* PKCS #11 disable reasons */
typedef enum {
    PK11_DIS_NONE = 0,
    PK11_DIS_USER_SELECTED = 1,
    PK11_DIS_COULD_NOT_INIT_TOKEN = 2,
    PK11_DIS_TOKEN_VERIFY_FAILED = 3,
    PK11_DIS_TOKEN_NOT_PRESENT = 4
} PK11DisableReasons;

/* types of PKCS #11 objects
 * used to identify which NSS data structure is
 * passed to the PK11_Raw* functions. Types map as follows:
 *   PK11_TypeGeneric    PK11GenericObject *
 *   PK11_TypePrivKey    SECKEYPrivateKey *
 *   PK11_TypePubKey     SECKEYPublicKey *
 *   PK11_TypeSymKey     PK11SymKey *
 *   PK11_TypeCert       CERTCertificate * (currently not used).
 */
typedef enum {
    PK11_TypeGeneric = 0,
    PK11_TypePrivKey = 1,
    PK11_TypePubKey = 2,
    PK11_TypeCert = 3,
    PK11_TypeSymKey = 4
} PK11ObjectType;

/* function pointer type for password callback function.
 * This type is passed in to PK11_SetPasswordFunc().
 * `retry` is true when a previous attempt for this slot failed; `arg` is
 * the opaque pointer the application supplied.  The returned string is
 * the credential NSS presents to the token (or one of the PK11_PW_*
 * markers below).  NOTE(review): ownership/zeroization of the returned
 * buffer is defined by PK11_SetPasswordFunc's contract, not here —
 * confirm against the caller before reusing or freeing it. */
typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg);
/* Asks the application whether the cached password for `slot` is still valid. */
typedef PRBool(PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg);
/* Asks the application whether `slot` should be treated as logged in. */
typedef PRBool(PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg);

/*
 * Special strings the password callback function can return only if
 * the slot is a protected auth path slot.
 */
/* a failed attempt to authenticate has already been made, just retry
 * the operation */
#define PK11_PW_RETRY "RETRY"
/* a successful attempt to authenticate has completed. Continue without
 * another call to C_Login */
#define PK11_PW_AUTHENTICATED "AUTH"
/* All other non-null values mean that NSS could call C_Login to force
 * the authentication. The following define is to aid applications in
 * documenting that this is what it's trying to do */
/* Default: a prompt has been presented to the user, initiate a C_Login
 * to authenticate the token */
#define PK11_PW_TRY "TRY"

/*
 * PKCS #11 key structures
 */

/*
** Attributes
*/
struct SECKEYAttributeStr {
    SECItem attrType;
    SECItem **attrValue;
};
typedef struct SECKEYAttributeStr SECKEYAttribute;

/*
** A PKCS#8 private key info object (unencrypted PrivateKeyInfo)
*/
struct SECKEYPrivateKeyInfoStr {
    PLArenaPool *arena;
    SECItem version;
    SECAlgorithmID algorithm;
    SECItem privateKey; /* raw private key bytes — treat as secret */
    SECKEYAttribute **attributes;
};
typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo;

/*
** A PKCS#8 encrypted private key info object (EncryptedPrivateKeyInfo)
*/
struct SECKEYEncryptedPrivateKeyInfoStr {
    PLArenaPool *arena;
    SECAlgorithmID algorithm; /* encryption algorithm and its parameters */
    SECItem encryptedData;    /* ciphertext of a PrivateKeyInfo */
};
typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo;

/*
 * token removal detection
 */
typedef enum {
    PK11TokenNotRemovable = 0,
    PK11TokenPresent = 1,
    PK11TokenChanged = 2,
    PK11TokenRemoved = 3
} PK11TokenStatus;

typedef enum {
    PK11TokenRemovedOrChangedEvent = 0,
    PK11TokenPresentEvent = 1
} PK11TokenEvent;

/*
 * CRL Import Flags
 */
#define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000
/* Skips the checks normally performed at import time (which checks is
 * defined by the import code, not here).  Intended for callers that
 * have already validated the CRL themselves. */
#define CRL_IMPORT_BYPASS_CHECKS 0x00000001

/*
 * Merge Error Log
 */
typedef struct PK11MergeLogStr PK11MergeLog;
typedef struct PK11MergeLogNodeStr PK11MergeLogNode;

/* These need to be global, leave some open fields so we can 'expand'
 * these without breaking binary compatibility */
struct PK11MergeLogNodeStr {
    PK11MergeLogNode *next;    /* next entry in the list */
    PK11MergeLogNode *prev;    /* last entry in the list */
    PK11GenericObject *object; /* object that failed */
    int error;                 /* what the error was */
    CK_RV reserved1;
    unsigned long reserved2;   /* future flags */
    unsigned long reserved3;   /* future scalar */
    void *reserved4;           /* future pointer */
    void *reserved5;           /* future expansion pointer */
};

/* Head of the merge error log; nodes are allocated from `arena`.
 * The misspelled reserverd4/reserverd5 names are part of the public ABI
 * and are kept as-is. */
struct PK11MergeLogStr {
    PK11MergeLogNode *head;
    PK11MergeLogNode *tail;
    PLArenaPool *arena;
    int version;
    unsigned long reserved1;
    unsigned long reserved2;
    unsigned long reserved3;
    void *reserverd4;
    void *reserverd5;
};

#endif /*_SECMODT_H_ */