1 /* This Source Code Form is subject to the terms of the Mozilla Public
2  * License, v. 2.0. If a copy of the MPL was not distributed with this
3  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4 #ifndef _SECMODT_H_
5 #define _SECMODT_H_ 1
6 
7 #include "nssrwlkt.h"
8 #include "nssilckt.h"
9 #include "secoid.h"
10 #include "secasn1.h"
11 #include "pkcs11t.h"
12 #include "utilmodt.h"
13 
14 SEC_BEGIN_PROTOS
15 
16 /* find a better home for these... */
17 extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
18 SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate)
19 extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
20 SEC_ASN1_CHOOSER_DECLARE(SECKEY_EncryptedPrivateKeyInfoTemplate)
21 extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
22 SEC_ASN1_CHOOSER_DECLARE(SECKEY_PrivateKeyInfoTemplate)
23 extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
24 SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToPrivateKeyInfoTemplate)
25 
26 SEC_END_PROTOS
27 
28 /* PKCS11 needs to be included */
29 typedef struct SECMODModuleStr SECMODModule;
30 typedef struct SECMODModuleListStr SECMODModuleList;
31 typedef NSSRWLock SECMODListLock;
32 typedef struct PK11SlotInfoStr PK11SlotInfo;          /* defined in secmodti.h */
33 typedef struct NSSUTILPreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */
34 typedef struct PK11SymKeyStr PK11SymKey;              /* defined in secmodti.h */
35 typedef struct PK11ContextStr PK11Context;            /* defined in secmodti.h */
36 typedef struct PK11SlotListStr PK11SlotList;
37 typedef struct PK11SlotListElementStr PK11SlotListElement;
38 typedef struct PK11RSAGenParamsStr PK11RSAGenParams;
39 typedef unsigned long SECMODModuleID;
40 typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry;
41 typedef struct PK11GenericObjectStr PK11GenericObject;
42 typedef void (*PK11FreeDataFunc)(void *);
43 
44 struct SECMODModuleStr {
45     PLArenaPool *arena;
46     PRBool internal;           /* true of internally linked modules, false
47                                 * for the loaded modules */
48     PRBool loaded;             /* Set to true if module has been loaded */
49     PRBool isFIPS;             /* Set to true if module is finst internal */
50     char *dllName;             /* name of the shared library which implements
51                                 * this module */
52     char *commonName;          /* name of the module to display to the user */
53     void *library;             /* pointer to the library. opaque. used only by
54                                 * pk11load.c */
55     void *functionList;        /* The PKCS #11 function table */
56     PZLock *refLock;           /* only used pk11db.c */
57     int refCount;              /* Module reference count */
58     PK11SlotInfo **slots;      /* array of slot points attached to this mod*/
59     int slotCount;             /* count of slot in above array */
60     PK11PreSlotInfo *slotInfo; /* special info about slots default settings */
61     int slotInfoCount;         /* count */
62     SECMODModuleID moduleID;   /* ID so we can find this module again */
63     PRBool isThreadSafe;
64     unsigned long ssl[2];        /* SSL cipher enable flags */
65     char *libraryParams;         /* Module specific parameters */
66     void *moduleDBFunc;          /* function to return module configuration data*/
67     SECMODModule *parent;        /* module that loaded us */
68     PRBool isCritical;           /* This module must load successfully */
69     PRBool isModuleDB;           /* this module has lists of PKCS #11 modules */
70     PRBool moduleDBOnly;         /* this module only has lists of PKCS #11 modules */
71     int trustOrder;              /* order for this module's certificate trust rollup */
72     int cipherOrder;             /* order for cipher operations */
73     unsigned long evControlMask; /* control the running and shutdown of slot
74                                   * events (SECMOD_WaitForAnyTokenEvent) */
75     CK_VERSION cryptokiVersion;  /* version of this library */
76 };
77 
78 /* evControlMask flags */
79 /*
80  * These bits tell the current state of a SECMOD_WaitForAnyTokenEvent.
81  *
82  * SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in
83  *  C_WaitForSlotEvent().
84  * SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code
85  *  which polls for token insertion and removal events.
86  * SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is
87  *  waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent
88  *  should return immediately to it's caller.
89  */
90 #define SECMOD_END_WAIT 0x01
91 #define SECMOD_WAIT_SIMULATED_EVENT 0x02
92 #define SECMOD_WAIT_PKCS11_EVENT 0x04
93 
94 struct SECMODModuleListStr {
95     SECMODModuleList *next;
96     SECMODModule *module;
97 };
98 
99 struct PK11SlotListStr {
100     PK11SlotListElement *head;
101     PK11SlotListElement *tail;
102     PZLock *lock;
103 };
104 
105 struct PK11SlotListElementStr {
106     PK11SlotListElement *next;
107     PK11SlotListElement *prev;
108     PK11SlotInfo *slot;
109     int refCount;
110 };
111 
112 struct PK11RSAGenParamsStr {
113     int keySizeInBits;
114     unsigned long pe;
115 };
116 
117 typedef enum {
118     PK11CertListUnique = 0,     /* get one instance of all certs */
119     PK11CertListUser = 1,       /* get all instances of user certs */
120     PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key.
121                                  * deprecated. Use PK11CertListCAUnique
122                                  */
123     PK11CertListCA = 3,         /* get all instances of CA certs */
124     PK11CertListCAUnique = 4,   /* get one instance of CA certs */
125     PK11CertListUserUnique = 5, /* get one instance of user certs */
126     PK11CertListAll = 6         /* get all instances of all certs */
127 } PK11CertListType;
128 
129 /*
130  * Entry into the array which lists all the legal bits for the default flags
131  * in the slot, their definition, and the PKCS #11 mechanism they represent.
132  * Always statically allocated.
133  */
134 struct PK11DefaultArrayEntryStr {
135     const char *name;
136     unsigned long flag;
137     unsigned long mechanism; /* this is a long so we don't include the
138                               * whole pkcs 11 world to use this header */
139 };
140 
141 /*
142  * PK11AttrFlags
143  *
144  * A 32-bit bitmask of PK11_ATTR_XXX flags
145  */
146 typedef PRUint32 PK11AttrFlags;
147 
148 /*
149  * PK11_ATTR_XXX
150  *
151  * The following PK11_ATTR_XXX bitflags are used to specify
152  * PKCS #11 object attributes that have Boolean values.  Some NSS
153  * functions have a "PK11AttrFlags attrFlags" parameter whose value
154  * is the logical OR of these bitflags.  NSS use these bitflags on
155  * private keys or secret keys.  Some of these bitflags also apply
156  * to the public keys associated with the private keys.
157  *
158  * For each PKCS #11 object attribute, we need two bitflags to
159  * specify not only "true" and "false" but also "default".  For
160  * example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the
161  * CKA_PRIVATE attribute.  If PK11_ATTR_PRIVATE is set, we add
162  *     { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) }
163  * to the template.  If PK11_ATTR_PUBLIC is set, we add
164  *     { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) }
165  * to the template.  If neither flag is set, we don't add any
166  * CKA_PRIVATE entry to the template.
167  */
168 
169 /*
170  * Attributes for PKCS #11 storage objects, which include not only
171  * keys but also certificates and domain parameters.
172  */
173 
174 /*
175  * PK11_ATTR_TOKEN
176  * PK11_ATTR_SESSION
177  *
178  * These two flags determine whether the object is a token or
179  * session object.
180  *
181  * These two flags are related and cannot both be set.
182  * If the PK11_ATTR_TOKEN flag is set, the object is a token
183  * object.  If the PK11_ATTR_SESSION flag is set, the object is
184  * a session object.  If neither flag is set, the object is *by
185  * default* a session object.
186  *
187  * These two flags specify the value of the PKCS #11 CKA_TOKEN
188  * attribute.
189  */
190 #define PK11_ATTR_TOKEN 0x00000001L
191 #define PK11_ATTR_SESSION 0x00000002L
192 
193 /*
194  * PK11_ATTR_PRIVATE
195  * PK11_ATTR_PUBLIC
196  *
197  * These two flags determine whether the object is a private or
198  * public object.  A user may not access a private object until the
199  * user has authenticated to the token.
200  *
201  * These two flags are related and cannot both be set.
202  * If the PK11_ATTR_PRIVATE flag is set, the object is a private
203  * object.  If the PK11_ATTR_PUBLIC flag is set, the object is a
204  * public object.  If neither flag is set, it is token-specific
205  * whether the object is private or public.
206  *
207  * These two flags specify the value of the PKCS #11 CKA_PRIVATE
208  * attribute.  NSS only uses this attribute on private and secret
209  * keys, so public keys created by NSS get the token-specific
210  * default value of the CKA_PRIVATE attribute.
211  */
212 #define PK11_ATTR_PRIVATE 0x00000004L
213 #define PK11_ATTR_PUBLIC 0x00000008L
214 
215 /*
216  * PK11_ATTR_MODIFIABLE
217  * PK11_ATTR_UNMODIFIABLE
218  *
219  * These two flags determine whether the object is modifiable or
220  * read-only.
221  *
222  * These two flags are related and cannot both be set.
223  * If the PK11_ATTR_MODIFIABLE flag is set, the object can be
224  * modified.  If the PK11_ATTR_UNMODIFIABLE flag is set, the object
225  * is read-only.  If neither flag is set, the object is *by default*
226  * modifiable.
227  *
228  * These two flags specify the value of the PKCS #11 CKA_MODIFIABLE
229  * attribute.
230  */
231 #define PK11_ATTR_MODIFIABLE 0x00000010L
232 #define PK11_ATTR_UNMODIFIABLE 0x00000020L
233 
234 /* Attributes for PKCS #11 key objects. */
235 
236 /*
237  * PK11_ATTR_SENSITIVE
238  * PK11_ATTR_INSENSITIVE
239  *
240  * These two flags are related and cannot both be set.
241  * If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive.
242  * If the PK11_ATTR_INSENSITIVE flag is set, the key is not
243  * sensitive.  If neither flag is set, it is token-specific whether
244  * the key is sensitive or not.
245  *
246  * If a key is sensitive, certain attributes of the key cannot be
247  * revealed in plaintext outside the token.
248  *
249  * This flag specifies the value of the PKCS #11 CKA_SENSITIVE
250  * attribute.  Although the default value of the CKA_SENSITIVE
251  * attribute for secret keys is CK_FALSE per PKCS #11, some FIPS
252  * tokens set the default value to CK_TRUE because only CK_TRUE
253  * is allowed.  So in practice the default value of this attribute
254  * is token-specific, hence the need for two bitflags.
255  */
256 #define PK11_ATTR_SENSITIVE 0x00000040L
257 #define PK11_ATTR_INSENSITIVE 0x00000080L
258 
259 /*
260  * PK11_ATTR_EXTRACTABLE
261  * PK11_ATTR_UNEXTRACTABLE
262  *
263  * These two flags are related and cannot both be set.
264  * If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable
265  * and can be wrapped.  If the PK11_ATTR_UNEXTRACTABLE flag is set,
266  * the key is not extractable, and certain attributes of the key
267  * cannot be revealed in plaintext outside the token (just like a
268  * sensitive key).  If neither flag is set, it is token-specific
269  * whether the key is extractable or not.
270  *
271  * These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE
272  * attribute.
273  */
274 #define PK11_ATTR_EXTRACTABLE 0x00000100L
275 #define PK11_ATTR_UNEXTRACTABLE 0x00000200L
276 
277 /* Cryptographic module types */
278 #define SECMOD_EXTERNAL 0 /* external module */
279 #define SECMOD_INTERNAL 1 /* internal default module */
280 #define SECMOD_FIPS 2     /* internal fips module */
281 
282 /* default module configuration strings */
283 #define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]"
284 
285 #define SECMOD_MAKE_NSS_FLAGS(fips, slot) \
286     "Flags=internal,critical" fips " slotparams=(" #slot "={" SECMOD_SLOT_FLAGS "})"
287 
288 #define SECMOD_INT_NAME "NSS Internal PKCS #11 Module"
289 #define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("", 1)
290 #define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
291 #define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips", 3)
292 
293 /*
294  * What is the origin of a given Key. Normally this doesn't matter, but
295  * the fortezza code needs to know if it needs to invoke the SSL3 fortezza
296  * hack.
297  */
298 typedef enum {
299     PK11_OriginNULL = 0,         /* There is not key, it's a null SymKey */
300     PK11_OriginDerive = 1,       /* Key was derived from some other key */
301     PK11_OriginGenerated = 2,    /* Key was generated (also PBE keys) */
302     PK11_OriginFortezzaHack = 3, /* Key was marked for fortezza hack */
303     PK11_OriginUnwrap = 4        /* Key was unwrapped or decrypted */
304 } PK11Origin;
305 
306 /* PKCS #11 disable reasons */
307 typedef enum {
308     PK11_DIS_NONE = 0,
309     PK11_DIS_USER_SELECTED = 1,
310     PK11_DIS_COULD_NOT_INIT_TOKEN = 2,
311     PK11_DIS_TOKEN_VERIFY_FAILED = 3,
312     PK11_DIS_TOKEN_NOT_PRESENT = 4
313 } PK11DisableReasons;
314 
315 /* types of PKCS #11 objects
316  * used to identify which NSS data structure is
317  * passed to the PK11_Raw* functions. Types map as follows:
318  *   PK11_TypeGeneric            PK11GenericObject *
319  *   PK11_TypePrivKey            SECKEYPrivateKey *
320  *   PK11_TypePubKey             SECKEYPublicKey *
321  *   PK11_TypeSymKey             PK11SymKey *
322  *   PK11_TypeCert               CERTCertificate * (currently not used).
323  */
324 typedef enum {
325     PK11_TypeGeneric = 0,
326     PK11_TypePrivKey = 1,
327     PK11_TypePubKey = 2,
328     PK11_TypeCert = 3,
329     PK11_TypeSymKey = 4
330 } PK11ObjectType;
331 
332 /* function pointer type for password callback function.
333  * This type is passed in to PK11_SetPasswordFunc()
334  */
335 typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg);
336 typedef PRBool(PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg);
337 typedef PRBool(PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg);
338 
339 /*
340  * Special strings the password callback function can return only if
341  * the slot is an protected auth path slot.
342  */
343 #define PK11_PW_RETRY "RETRY"        /* an failed attempt to authenticate \
344                                       * has already been made, just retry \
345                                       * the operation */
346 #define PK11_PW_AUTHENTICATED "AUTH" /* a successful attempt to authenticate \
347                                       * has completed. Continue without      \
348                                       * another call to C_Login */
349 /* All other non-null values mean that that NSS could call C_Login to force
350  * the authentication. The following define is to aid applications in
351  * documenting that is what it's trying to do */
352 #define PK11_PW_TRY "TRY" /* Default: a prompt has been presented \
353                            * to the user, initiate a C_Login      \
354                            * to authenticate the token */
355 
356 /*
357  * PKCS #11 key structures
358  */
359 
360 /*
361 ** Attributes
362 */
363 struct SECKEYAttributeStr {
364     SECItem attrType;
365     SECItem **attrValue;
366 };
367 typedef struct SECKEYAttributeStr SECKEYAttribute;
368 
369 /*
370 ** A PKCS#8 private key info object
371 */
372 struct SECKEYPrivateKeyInfoStr {
373     PLArenaPool *arena;
374     SECItem version;
375     SECAlgorithmID algorithm;
376     SECItem privateKey;
377     SECKEYAttribute **attributes;
378 };
379 typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo;
380 
381 /*
382 ** A PKCS#8 private key info object
383 */
384 struct SECKEYEncryptedPrivateKeyInfoStr {
385     PLArenaPool *arena;
386     SECAlgorithmID algorithm;
387     SECItem encryptedData;
388 };
389 typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo;
390 
391 /*
392  * token removal detection
393  */
394 typedef enum {
395     PK11TokenNotRemovable = 0,
396     PK11TokenPresent = 1,
397     PK11TokenChanged = 2,
398     PK11TokenRemoved = 3
399 } PK11TokenStatus;
400 
401 typedef enum {
402     PK11TokenRemovedOrChangedEvent = 0,
403     PK11TokenPresentEvent = 1
404 } PK11TokenEvent;
405 
406 /*
407  * CRL Import Flags
408  */
409 #define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000
410 #define CRL_IMPORT_BYPASS_CHECKS 0x00000001
411 
412 /*
413  * Merge Error Log
414  */
415 typedef struct PK11MergeLogStr PK11MergeLog;
416 typedef struct PK11MergeLogNodeStr PK11MergeLogNode;
417 
418 /* These need to be global, leave some open fields so we can 'expand'
419  * these without breaking binary compatibility */
420 struct PK11MergeLogNodeStr {
421     PK11MergeLogNode *next;    /* next entry in the list */
422     PK11MergeLogNode *prev;    /* last entry in the list */
423     PK11GenericObject *object; /* object that failed */
424     int error;                 /* what the error was */
425     CK_RV reserved1;
426     unsigned long reserved2; /* future flags */
427     unsigned long reserved3; /* future scalar */
428     void *reserved4;         /* future pointer */
429     void *reserved5;         /* future expansion pointer */
430 };
431 
432 struct PK11MergeLogStr {
433     PK11MergeLogNode *head;
434     PK11MergeLogNode *tail;
435     PLArenaPool *arena;
436     int version;
437     unsigned long reserved1;
438     unsigned long reserved2;
439     unsigned long reserved3;
440     void *reserverd4;
441     void *reserverd5;
442 };
443 
444 #endif /*_SECMODT_H_ */
445