path: root/lib/pk11wrap/secmodt.h

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _SECMODT_H_
#define _SECMODT_H_ 1

#include "nssrwlkt.h"
#include "nssilckt.h"
#include "secoid.h"
#include "secasn1.h"
#include "pkcs11t.h"
#include "utilmodt.h"

SEC_BEGIN_PROTOS

/* find a better home for these... */
extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate)
extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
SEC_ASN1_CHOOSER_DECLARE(SECKEY_EncryptedPrivateKeyInfoTemplate)
extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
SEC_ASN1_CHOOSER_DECLARE(SECKEY_PrivateKeyInfoTemplate)
extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToPrivateKeyInfoTemplate)

SEC_END_PROTOS

/* PKCS11 needs to be included */
typedef struct SECMODModuleStr SECMODModule;
typedef struct SECMODModuleListStr SECMODModuleList;
typedef NSSRWLock SECMODListLock;
typedef struct PK11SlotInfoStr PK11SlotInfo;          /* defined in secmodti.h */
typedef struct NSSUTILPreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */
typedef struct PK11SymKeyStr PK11SymKey;              /* defined in secmodti.h */
typedef struct PK11ContextStr PK11Context;            /* defined in secmodti.h */
typedef struct PK11SlotListStr PK11SlotList;
typedef struct PK11SlotListElementStr PK11SlotListElement;
typedef struct PK11RSAGenParamsStr PK11RSAGenParams;
typedef unsigned long SECMODModuleID;
typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry;
typedef struct PK11GenericObjectStr PK11GenericObject;
typedef void (*PK11FreeDataFunc)(void *);

struct SECMODModuleStr {
    PLArenaPool *arena;
    PRBool internal;           /* true of internally linked modules, false
                                * for the loaded modules */
    PRBool loaded;             /* Set to true if module has been loaded */
    PRBool isFIPS;             /* Set to true if module is finst internal */
    char *dllName;             /* name of the shared library which implements
                                * this module */
    char *commonName;          /* name of the module to display to the user */
    void *library;             /* pointer to the library. opaque. used only by
                                * pk11load.c */
    void *functionList;        /* The PKCS #11 function table */
    PZLock *refLock;           /* only used pk11db.c */
    int refCount;              /* Module reference count */
    PK11SlotInfo **slots;      /* array of slot points attached to this mod*/
    int slotCount;             /* count of slot in above array */
    PK11PreSlotInfo *slotInfo; /* special info about slots default settings */
    int slotInfoCount;         /* count */
    SECMODModuleID moduleID;   /* ID so we can find this module again */
    PRBool isThreadSafe;
    unsigned long ssl[2];        /* SSL cipher enable flags */
    char *libraryParams;         /* Module specific parameters */
    void *moduleDBFunc;          /* function to return module configuration data*/
    SECMODModule *parent;        /* module that loaded us */
    PRBool isCritical;           /* This module must load successfully */
    PRBool isModuleDB;           /* this module has lists of PKCS #11 modules */
    PRBool moduleDBOnly;         /* this module only has lists of PKCS #11 modules */
    int trustOrder;              /* order for this module's certificate trust rollup */
    int cipherOrder;             /* order for cipher operations */
    unsigned long evControlMask; /* control the running and shutdown of slot
                                  * events (SECMOD_WaitForAnyTokenEvent) */
    CK_VERSION cryptokiVersion;  /* version of this library */
    CK_FLAGS flags;              /* pkcs11 v3 flags */
    /* Warning this could go way in future versions of NSS
     * when FIPS indicators wind up in the functionList */
    CK_NSS_GetFIPSStatus fipsIndicator;
};

/* evControlMask flags */
/*
 * These bits tell the current state of a SECMOD_WaitForAnyTokenEvent.
 *
 * SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in
 *  C_WaitForSlotEvent().
 * SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code
 *  which polls for token insertion and removal events.
 * SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is
 *  waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent
 *  should return immediately to it's caller.
 */
#define SECMOD_END_WAIT 0x01
#define SECMOD_WAIT_SIMULATED_EVENT 0x02
#define SECMOD_WAIT_PKCS11_EVENT 0x04

struct SECMODModuleListStr {
    SECMODModuleList *next;
    SECMODModule *module;
};

struct PK11SlotListStr {
    PK11SlotListElement *head;
    PK11SlotListElement *tail;
    PZLock *lock;
};

struct PK11SlotListElementStr {
    PK11SlotListElement *next;
    PK11SlotListElement *prev;
    PK11SlotInfo *slot;
    int refCount;
};

struct PK11RSAGenParamsStr {
    int keySizeInBits;
    unsigned long pe;
};

typedef enum {
    PK11CertListUnique = 0,     /* get one instance of all certs */
    PK11CertListUser = 1,       /* get all instances of user certs */
    PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key.
                                 * deprecated. Use PK11CertListCAUnique
                                 */
    PK11CertListCA = 3,         /* get all instances of CA certs */
    PK11CertListCAUnique = 4,   /* get one instance of CA certs */
    PK11CertListUserUnique = 5, /* get one instance of user certs */
    PK11CertListAll = 6         /* get all instances of all certs */
} PK11CertListType;

/*
 * Entry into the array which lists all the legal bits for the default flags
 * in the slot, their definition, and the PKCS #11 mechanism they represent.
 * Always statically allocated.
 */
struct PK11DefaultArrayEntryStr {
    const char *name;
    unsigned long flag;
    unsigned long mechanism; /* this is a long so we don't include the
                              * whole pkcs 11 world to use this header */
};

/*
 * PK11AttrFlags
 *
 * A 32-bit bitmask of PK11_ATTR_XXX flags
 */
typedef PRUint32 PK11AttrFlags;

/*
 * PK11_ATTR_XXX
 *
 * The following PK11_ATTR_XXX bitflags are used to specify
 * PKCS #11 object attributes that have Boolean values.  Some NSS
 * functions have a "PK11AttrFlags attrFlags" parameter whose value
 * is the logical OR of these bitflags.  NSS use these bitflags on
 * private keys or secret keys.  Some of these bitflags also apply
 * to the public keys associated with the private keys.
 *
 * For each PKCS #11 object attribute, we need two bitflags to
 * specify not only "true" and "false" but also "default".  For
 * example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the
 * CKA_PRIVATE attribute.  If PK11_ATTR_PRIVATE is set, we add
 *     { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) }
 * to the template.  If PK11_ATTR_PUBLIC is set, we add
 *     { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) }
 * to the template.  If neither flag is set, we don't add any
 * CKA_PRIVATE entry to the template.
 */

/*
 * Attributes for PKCS #11 storage objects, which include not only
 * keys but also certificates and domain parameters.
 */

/*
 * PK11_ATTR_TOKEN
 * PK11_ATTR_SESSION
 *
 * These two flags determine whether the object is a token or
 * session object.
 *
 * These two flags are related and cannot both be set.
 * If the PK11_ATTR_TOKEN flag is set, the object is a token
 * object.  If the PK11_ATTR_SESSION flag is set, the object is
 * a session object.  If neither flag is set, the object is *by
 * default* a session object.
 *
 * These two flags specify the value of the PKCS #11 CKA_TOKEN
 * attribute.
 */
#define PK11_ATTR_TOKEN 0x00000001L
#define PK11_ATTR_SESSION 0x00000002L

/*
 * PK11_ATTR_PRIVATE
 * PK11_ATTR_PUBLIC
 *
 * These two flags determine whether the object is a private or
 * public object.  A user may not access a private object until the
 * user has authenticated to the token.
 *
 * These two flags are related and cannot both be set.
 * If the PK11_ATTR_PRIVATE flag is set, the object is a private
 * object.  If the PK11_ATTR_PUBLIC flag is set, the object is a
 * public object.  If neither flag is set, it is token-specific
 * whether the object is private or public.
 *
 * These two flags specify the value of the PKCS #11 CKA_PRIVATE
 * attribute.  NSS only uses this attribute on private and secret
 * keys, so public keys created by NSS get the token-specific
 * default value of the CKA_PRIVATE attribute.
 */
#define PK11_ATTR_PRIVATE 0x00000004L
#define PK11_ATTR_PUBLIC 0x00000008L

/*
 * PK11_ATTR_MODIFIABLE
 * PK11_ATTR_UNMODIFIABLE
 *
 * These two flags determine whether the object is modifiable or
 * read-only.
 *
 * These two flags are related and cannot both be set.
 * If the PK11_ATTR_MODIFIABLE flag is set, the object can be
 * modified.  If the PK11_ATTR_UNMODIFIABLE flag is set, the object
 * is read-only.  If neither flag is set, the object is *by default*
 * modifiable.
 *
 * These two flags specify the value of the PKCS #11 CKA_MODIFIABLE
 * attribute.
 */
#define PK11_ATTR_MODIFIABLE 0x00000010L
#define PK11_ATTR_UNMODIFIABLE 0x00000020L

/* Attributes for PKCS #11 key objects. */

/*
 * PK11_ATTR_SENSITIVE
 * PK11_ATTR_INSENSITIVE
 *
 * These two flags are related and cannot both be set.
 * If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive.
 * If the PK11_ATTR_INSENSITIVE flag is set, the key is not
 * sensitive.  If neither flag is set, it is token-specific whether
 * the key is sensitive or not.
 *
 * If a key is sensitive, certain attributes of the key cannot be
 * revealed in plaintext outside the token.
 *
 * This flag specifies the value of the PKCS #11 CKA_SENSITIVE
 * attribute.  Although the default value of the CKA_SENSITIVE
 * attribute for secret keys is CK_FALSE per PKCS #11, some FIPS
 * tokens set the default value to CK_TRUE because only CK_TRUE
 * is allowed.  So in practice the default value of this attribute
 * is token-specific, hence the need for two bitflags.
 */
#define PK11_ATTR_SENSITIVE 0x00000040L
#define PK11_ATTR_INSENSITIVE 0x00000080L

/*
 * PK11_ATTR_EXTRACTABLE
 * PK11_ATTR_UNEXTRACTABLE
 *
 * These two flags are related and cannot both be set.
 * If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable
 * and can be wrapped.  If the PK11_ATTR_UNEXTRACTABLE flag is set,
 * the key is not extractable, and certain attributes of the key
 * cannot be revealed in plaintext outside the token (just like a
 * sensitive key).  If neither flag is set, it is token-specific
 * whether the key is extractable or not.
 *
 * These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE
 * attribute.
 */
#define PK11_ATTR_EXTRACTABLE 0x00000100L
#define PK11_ATTR_UNEXTRACTABLE 0x00000200L

/* Cryptographic module types */
#define SECMOD_EXTERNAL 0 /* external module */
#define SECMOD_INTERNAL 1 /* internal default module */
#define SECMOD_FIPS 2     /* internal fips module */

/* default module configuration strings */
#define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]"

#define SECMOD_MAKE_NSS_FLAGS(fips, slot) \
    "Flags=internal,critical" fips " slotparams=(" #slot "={" SECMOD_SLOT_FLAGS "})"

#define SECMOD_INT_NAME "NSS Internal PKCS #11 Module"
#define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("", 1)
#define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips", 3)

/*
 * What is the origin of a given Key. Normally this doesn't matter, but
 * the fortezza code needs to know if it needs to invoke the SSL3 fortezza
 * hack.
 */
typedef enum {
    PK11_OriginNULL = 0,         /* There is not key, it's a null SymKey */
    PK11_OriginDerive = 1,       /* Key was derived from some other key */
    PK11_OriginGenerated = 2,    /* Key was generated (also PBE keys) */
    PK11_OriginFortezzaHack = 3, /* Key was marked for fortezza hack */
    PK11_OriginUnwrap = 4        /* Key was unwrapped or decrypted */
} PK11Origin;

/* PKCS #11 disable reasons */
typedef enum {
    PK11_DIS_NONE = 0,
    PK11_DIS_USER_SELECTED = 1,
    PK11_DIS_COULD_NOT_INIT_TOKEN = 2,
    PK11_DIS_TOKEN_VERIFY_FAILED = 3,
    PK11_DIS_TOKEN_NOT_PRESENT = 4
} PK11DisableReasons;

/* types of PKCS #11 objects
 * used to identify which NSS data structure is
 * passed to the PK11_Raw* functions. Types map as follows:
 *   PK11_TypeGeneric            PK11GenericObject *
 *   PK11_TypePrivKey            SECKEYPrivateKey *
 *   PK11_TypePubKey             SECKEYPublicKey *
 *   PK11_TypeSymKey             PK11SymKey *
 *   PK11_TypeCert               CERTCertificate * (currently not used).
 */
typedef enum {
    PK11_TypeGeneric = 0,
    PK11_TypePrivKey = 1,
    PK11_TypePubKey = 2,
    PK11_TypeCert = 3,
    PK11_TypeSymKey = 4
} PK11ObjectType;

/* function pointer type for password callback function.
 * This type is passed in to PK11_SetPasswordFunc()
 */
typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg);
typedef PRBool(PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg);
typedef PRBool(PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg);

/*
 * Special strings the password callback function can return only if
 * the slot is an protected auth path slot.
 */
#define PK11_PW_RETRY "RETRY"        /* an failed attempt to authenticate \
                                      * has already been made, just retry \
                                      * the operation */
#define PK11_PW_AUTHENTICATED "AUTH" /* a successful attempt to authenticate \
                                      * has completed. Continue without      \
                                      * another call to C_Login */
/* All other non-null values mean that that NSS could call C_Login to force
 * the authentication. The following define is to aid applications in
 * documenting that is what it's trying to do */
#define PK11_PW_TRY "TRY" /* Default: a prompt has been presented \
                           * to the user, initiate a C_Login      \
                           * to authenticate the token */

/*
 * PKCS #11 key structures
 */

/*
** Attributes
*/
struct SECKEYAttributeStr {
    SECItem attrType;
    SECItem **attrValue;
};
typedef struct SECKEYAttributeStr SECKEYAttribute;

/*
** A PKCS#8 private key info object
*/
struct SECKEYPrivateKeyInfoStr {
    PLArenaPool *arena;
    SECItem version;
    SECAlgorithmID algorithm;
    SECItem privateKey;
    SECKEYAttribute **attributes;
};
typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo;

/*
** A PKCS#8 private key info object
*/
struct SECKEYEncryptedPrivateKeyInfoStr {
    PLArenaPool *arena;
    SECAlgorithmID algorithm;
    SECItem encryptedData;
};
typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo;

/*
 * token removal detection
 */
typedef enum {
    PK11TokenNotRemovable = 0,
    PK11TokenPresent = 1,
    PK11TokenChanged = 2,
    PK11TokenRemoved = 3
} PK11TokenStatus;

typedef enum {
    PK11TokenRemovedOrChangedEvent = 0,
    PK11TokenPresentEvent = 1
} PK11TokenEvent;

/*
 * CRL Import Flags
 */
#define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000
#define CRL_IMPORT_BYPASS_CHECKS 0x00000001

/*
 * Merge Error Log
 */
typedef struct PK11MergeLogStr PK11MergeLog;
typedef struct PK11MergeLogNodeStr PK11MergeLogNode;

/* These need to be global, leave some open fields so we can 'expand'
 * these without breaking binary compatibility */
struct PK11MergeLogNodeStr {
    PK11MergeLogNode *next;    /* next entry in the list */
    PK11MergeLogNode *prev;    /* last entry in the list */
    PK11GenericObject *object; /* object that failed */
    int error;                 /* what the error was */
    CK_RV reserved1;
    unsigned long reserved2; /* future flags */
    unsigned long reserved3; /* future scalar */
    void *reserved4;         /* future pointer */
    void *reserved5;         /* future expansion pointer */
};

struct PK11MergeLogStr {
    PK11MergeLogNode *head;
    PK11MergeLogNode *tail;
    PLArenaPool *arena;
    int version;
    unsigned long reserved1;
    unsigned long reserved2;
    unsigned long reserved3;
    void *reserverd4;
    void *reserverd5;
};

#endif /*_SECMODT_H_ */