1 /* This Source Code Form is subject to the terms of the Mozilla Public 2 * License, v. 2.0. If a copy of the MPL was not distributed with this 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 #ifndef _SECMODT_H_ 5 #define _SECMODT_H_ 1 6 7 #include "nssrwlkt.h" 8 #include "nssilckt.h" 9 #include "secoid.h" 10 #include "secasn1.h" 11 #include "pkcs11t.h" 12 #include "utilmodt.h" 13 14 SEC_BEGIN_PROTOS 15 16 /* find a better home for these... */ 17 extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[]; 18 SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate) 19 extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[]; 20 SEC_ASN1_CHOOSER_DECLARE(SECKEY_EncryptedPrivateKeyInfoTemplate) 21 extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[]; 22 SEC_ASN1_CHOOSER_DECLARE(SECKEY_PrivateKeyInfoTemplate) 23 extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[]; 24 SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToPrivateKeyInfoTemplate) 25 26 SEC_END_PROTOS 27 28 /* PKCS11 needs to be included */ 29 typedef struct SECMODModuleStr SECMODModule; 30 typedef struct SECMODModuleListStr SECMODModuleList; 31 typedef NSSRWLock SECMODListLock; 32 typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */ 33 typedef struct NSSUTILPreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */ 34 typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */ 35 typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */ 36 typedef struct PK11SlotListStr PK11SlotList; 37 typedef struct PK11SlotListElementStr PK11SlotListElement; 38 typedef struct PK11RSAGenParamsStr PK11RSAGenParams; 39 typedef unsigned long SECMODModuleID; 40 typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry; 41 typedef struct PK11GenericObjectStr PK11GenericObject; 42 typedef void (*PK11FreeDataFunc)(void *); 43 44 struct SECMODModuleStr { 45 PLArenaPool *arena; 46 PRBool internal; /* true of internally linked modules, false 47 * for the loaded modules */ 48 PRBool loaded; /* Set to true if module has been loaded */ 49 PRBool isFIPS; /* Set to true if module is finst internal */ 50 char *dllName; /* name of the shared library which implements 51 * this module */ 52 char *commonName; /* name of the module to display to the user */ 53 void *library; /* pointer to the library. opaque. used only by 54 * pk11load.c */ 55 void *functionList; /* The PKCS #11 function table */ 56 PZLock *refLock; /* only used pk11db.c */ 57 int refCount; /* Module reference count */ 58 PK11SlotInfo **slots; /* array of slot points attached to this mod*/ 59 int slotCount; /* count of slot in above array */ 60 PK11PreSlotInfo *slotInfo; /* special info about slots default settings */ 61 int slotInfoCount; /* count */ 62 SECMODModuleID moduleID; /* ID so we can find this module again */ 63 PRBool isThreadSafe; 64 unsigned long ssl[2]; /* SSL cipher enable flags */ 65 char *libraryParams; /* Module specific parameters */ 66 void *moduleDBFunc; /* function to return module configuration data*/ 67 SECMODModule *parent; /* module that loaded us */ 68 PRBool isCritical; /* This module must load successfully */ 69 PRBool isModuleDB; /* this module has lists of PKCS #11 modules */ 70 PRBool moduleDBOnly; /* this module only has lists of PKCS #11 modules */ 71 int trustOrder; /* order for this module's certificate trust rollup */ 72 int cipherOrder; /* order for cipher operations */ 73 unsigned long evControlMask; /* control the running and shutdown of slot 74 * events (SECMOD_WaitForAnyTokenEvent) */ 75 CK_VERSION cryptokiVersion; /* version of this library */ 76 }; 77 78 /* evControlMask flags */ 79 /* 80 * These bits tell the current state of a SECMOD_WaitForAnyTokenEvent. 81 * 82 * SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in 83 * C_WaitForSlotEvent(). 84 * SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code 85 * which polls for token insertion and removal events. 86 * SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is 87 * waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent 88 * should return immediately to it's caller. 89 */ 90 #define SECMOD_END_WAIT 0x01 91 #define SECMOD_WAIT_SIMULATED_EVENT 0x02 92 #define SECMOD_WAIT_PKCS11_EVENT 0x04 93 94 struct SECMODModuleListStr { 95 SECMODModuleList *next; 96 SECMODModule *module; 97 }; 98 99 struct PK11SlotListStr { 100 PK11SlotListElement *head; 101 PK11SlotListElement *tail; 102 PZLock *lock; 103 }; 104 105 struct PK11SlotListElementStr { 106 PK11SlotListElement *next; 107 PK11SlotListElement *prev; 108 PK11SlotInfo *slot; 109 int refCount; 110 }; 111 112 struct PK11RSAGenParamsStr { 113 int keySizeInBits; 114 unsigned long pe; 115 }; 116 117 typedef enum { 118 PK11CertListUnique = 0, /* get one instance of all certs */ 119 PK11CertListUser = 1, /* get all instances of user certs */ 120 PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key. 121 * deprecated. Use PK11CertListCAUnique 122 */ 123 PK11CertListCA = 3, /* get all instances of CA certs */ 124 PK11CertListCAUnique = 4, /* get one instance of CA certs */ 125 PK11CertListUserUnique = 5, /* get one instance of user certs */ 126 PK11CertListAll = 6 /* get all instances of all certs */ 127 } PK11CertListType; 128 129 /* 130 * Entry into the array which lists all the legal bits for the default flags 131 * in the slot, their definition, and the PKCS #11 mechanism they represent. 132 * Always statically allocated. 133 */ 134 struct PK11DefaultArrayEntryStr { 135 const char *name; 136 unsigned long flag; 137 unsigned long mechanism; /* this is a long so we don't include the 138 * whole pkcs 11 world to use this header */ 139 }; 140 141 /* 142 * PK11AttrFlags 143 * 144 * A 32-bit bitmask of PK11_ATTR_XXX flags 145 */ 146 typedef PRUint32 PK11AttrFlags; 147 148 /* 149 * PK11_ATTR_XXX 150 * 151 * The following PK11_ATTR_XXX bitflags are used to specify 152 * PKCS #11 object attributes that have Boolean values. Some NSS 153 * functions have a "PK11AttrFlags attrFlags" parameter whose value 154 * is the logical OR of these bitflags. NSS use these bitflags on 155 * private keys or secret keys. Some of these bitflags also apply 156 * to the public keys associated with the private keys. 157 * 158 * For each PKCS #11 object attribute, we need two bitflags to 159 * specify not only "true" and "false" but also "default". For 160 * example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the 161 * CKA_PRIVATE attribute. If PK11_ATTR_PRIVATE is set, we add 162 * { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) } 163 * to the template. If PK11_ATTR_PUBLIC is set, we add 164 * { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) } 165 * to the template. If neither flag is set, we don't add any 166 * CKA_PRIVATE entry to the template. 167 */ 168 169 /* 170 * Attributes for PKCS #11 storage objects, which include not only 171 * keys but also certificates and domain parameters. 172 */ 173 174 /* 175 * PK11_ATTR_TOKEN 176 * PK11_ATTR_SESSION 177 * 178 * These two flags determine whether the object is a token or 179 * session object. 180 * 181 * These two flags are related and cannot both be set. 182 * If the PK11_ATTR_TOKEN flag is set, the object is a token 183 * object. If the PK11_ATTR_SESSION flag is set, the object is 184 * a session object. If neither flag is set, the object is *by 185 * default* a session object. 186 * 187 * These two flags specify the value of the PKCS #11 CKA_TOKEN 188 * attribute. 189 */ 190 #define PK11_ATTR_TOKEN 0x00000001L 191 #define PK11_ATTR_SESSION 0x00000002L 192 193 /* 194 * PK11_ATTR_PRIVATE 195 * PK11_ATTR_PUBLIC 196 * 197 * These two flags determine whether the object is a private or 198 * public object. A user may not access a private object until the 199 * user has authenticated to the token. 200 * 201 * These two flags are related and cannot both be set. 202 * If the PK11_ATTR_PRIVATE flag is set, the object is a private 203 * object. If the PK11_ATTR_PUBLIC flag is set, the object is a 204 * public object. If neither flag is set, it is token-specific 205 * whether the object is private or public. 206 * 207 * These two flags specify the value of the PKCS #11 CKA_PRIVATE 208 * attribute. NSS only uses this attribute on private and secret 209 * keys, so public keys created by NSS get the token-specific 210 * default value of the CKA_PRIVATE attribute. 211 */ 212 #define PK11_ATTR_PRIVATE 0x00000004L 213 #define PK11_ATTR_PUBLIC 0x00000008L 214 215 /* 216 * PK11_ATTR_MODIFIABLE 217 * PK11_ATTR_UNMODIFIABLE 218 * 219 * These two flags determine whether the object is modifiable or 220 * read-only. 221 * 222 * These two flags are related and cannot both be set. 223 * If the PK11_ATTR_MODIFIABLE flag is set, the object can be 224 * modified. If the PK11_ATTR_UNMODIFIABLE flag is set, the object 225 * is read-only. If neither flag is set, the object is *by default* 226 * modifiable. 227 * 228 * These two flags specify the value of the PKCS #11 CKA_MODIFIABLE 229 * attribute. 230 */ 231 #define PK11_ATTR_MODIFIABLE 0x00000010L 232 #define PK11_ATTR_UNMODIFIABLE 0x00000020L 233 234 /* Attributes for PKCS #11 key objects. */ 235 236 /* 237 * PK11_ATTR_SENSITIVE 238 * PK11_ATTR_INSENSITIVE 239 * 240 * These two flags are related and cannot both be set. 241 * If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive. 242 * If the PK11_ATTR_INSENSITIVE flag is set, the key is not 243 * sensitive. If neither flag is set, it is token-specific whether 244 * the key is sensitive or not. 245 * 246 * If a key is sensitive, certain attributes of the key cannot be 247 * revealed in plaintext outside the token. 248 * 249 * This flag specifies the value of the PKCS #11 CKA_SENSITIVE 250 * attribute. Although the default value of the CKA_SENSITIVE 251 * attribute for secret keys is CK_FALSE per PKCS #11, some FIPS 252 * tokens set the default value to CK_TRUE because only CK_TRUE 253 * is allowed. So in practice the default value of this attribute 254 * is token-specific, hence the need for two bitflags. 255 */ 256 #define PK11_ATTR_SENSITIVE 0x00000040L 257 #define PK11_ATTR_INSENSITIVE 0x00000080L 258 259 /* 260 * PK11_ATTR_EXTRACTABLE 261 * PK11_ATTR_UNEXTRACTABLE 262 * 263 * These two flags are related and cannot both be set. 264 * If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable 265 * and can be wrapped. If the PK11_ATTR_UNEXTRACTABLE flag is set, 266 * the key is not extractable, and certain attributes of the key 267 * cannot be revealed in plaintext outside the token (just like a 268 * sensitive key). If neither flag is set, it is token-specific 269 * whether the key is extractable or not. 270 * 271 * These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE 272 * attribute. 273 */ 274 #define PK11_ATTR_EXTRACTABLE 0x00000100L 275 #define PK11_ATTR_UNEXTRACTABLE 0x00000200L 276 277 /* Cryptographic module types */ 278 #define SECMOD_EXTERNAL 0 /* external module */ 279 #define SECMOD_INTERNAL 1 /* internal default module */ 280 #define SECMOD_FIPS 2 /* internal fips module */ 281 282 /* default module configuration strings */ 283 #define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]" 284 285 #define SECMOD_MAKE_NSS_FLAGS(fips, slot) \ 286 "Flags=internal,critical" fips " slotparams=(" #slot "={" SECMOD_SLOT_FLAGS "})" 287 288 #define SECMOD_INT_NAME "NSS Internal PKCS #11 Module" 289 #define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("", 1) 290 #define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module" 291 #define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips", 3) 292 293 /* 294 * What is the origin of a given Key. Normally this doesn't matter, but 295 * the fortezza code needs to know if it needs to invoke the SSL3 fortezza 296 * hack. 297 */ 298 typedef enum { 299 PK11_OriginNULL = 0, /* There is not key, it's a null SymKey */ 300 PK11_OriginDerive = 1, /* Key was derived from some other key */ 301 PK11_OriginGenerated = 2, /* Key was generated (also PBE keys) */ 302 PK11_OriginFortezzaHack = 3, /* Key was marked for fortezza hack */ 303 PK11_OriginUnwrap = 4 /* Key was unwrapped or decrypted */ 304 } PK11Origin; 305 306 /* PKCS #11 disable reasons */ 307 typedef enum { 308 PK11_DIS_NONE = 0, 309 PK11_DIS_USER_SELECTED = 1, 310 PK11_DIS_COULD_NOT_INIT_TOKEN = 2, 311 PK11_DIS_TOKEN_VERIFY_FAILED = 3, 312 PK11_DIS_TOKEN_NOT_PRESENT = 4 313 } PK11DisableReasons; 314 315 /* types of PKCS #11 objects 316 * used to identify which NSS data structure is 317 * passed to the PK11_Raw* functions. Types map as follows: 318 * PK11_TypeGeneric PK11GenericObject * 319 * PK11_TypePrivKey SECKEYPrivateKey * 320 * PK11_TypePubKey SECKEYPublicKey * 321 * PK11_TypeSymKey PK11SymKey * 322 * PK11_TypeCert CERTCertificate * (currently not used). 323 */ 324 typedef enum { 325 PK11_TypeGeneric = 0, 326 PK11_TypePrivKey = 1, 327 PK11_TypePubKey = 2, 328 PK11_TypeCert = 3, 329 PK11_TypeSymKey = 4 330 } PK11ObjectType; 331 332 /* function pointer type for password callback function. 333 * This type is passed in to PK11_SetPasswordFunc() 334 */ 335 typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg); 336 typedef PRBool(PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg); 337 typedef PRBool(PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg); 338 339 /* 340 * Special strings the password callback function can return only if 341 * the slot is an protected auth path slot. 342 */ 343 #define PK11_PW_RETRY "RETRY" /* an failed attempt to authenticate \ 344 * has already been made, just retry \ 345 * the operation */ 346 #define PK11_PW_AUTHENTICATED "AUTH" /* a successful attempt to authenticate \ 347 * has completed. Continue without \ 348 * another call to C_Login */ 349 /* All other non-null values mean that that NSS could call C_Login to force 350 * the authentication. The following define is to aid applications in 351 * documenting that is what it's trying to do */ 352 #define PK11_PW_TRY "TRY" /* Default: a prompt has been presented \ 353 * to the user, initiate a C_Login \ 354 * to authenticate the token */ 355 356 /* 357 * PKCS #11 key structures 358 */ 359 360 /* 361 ** Attributes 362 */ 363 struct SECKEYAttributeStr { 364 SECItem attrType; 365 SECItem **attrValue; 366 }; 367 typedef struct SECKEYAttributeStr SECKEYAttribute; 368 369 /* 370 ** A PKCS#8 private key info object 371 */ 372 struct SECKEYPrivateKeyInfoStr { 373 PLArenaPool *arena; 374 SECItem version; 375 SECAlgorithmID algorithm; 376 SECItem privateKey; 377 SECKEYAttribute **attributes; 378 }; 379 typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo; 380 381 /* 382 ** A PKCS#8 private key info object 383 */ 384 struct SECKEYEncryptedPrivateKeyInfoStr { 385 PLArenaPool *arena; 386 SECAlgorithmID algorithm; 387 SECItem encryptedData; 388 }; 389 typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo; 390 391 /* 392 * token removal detection 393 */ 394 typedef enum { 395 PK11TokenNotRemovable = 0, 396 PK11TokenPresent = 1, 397 PK11TokenChanged = 2, 398 PK11TokenRemoved = 3 399 } PK11TokenStatus; 400 401 typedef enum { 402 PK11TokenRemovedOrChangedEvent = 0, 403 PK11TokenPresentEvent = 1 404 } PK11TokenEvent; 405 406 /* 407 * CRL Import Flags 408 */ 409 #define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000 410 #define CRL_IMPORT_BYPASS_CHECKS 0x00000001 411 412 /* 413 * Merge Error Log 414 */ 415 typedef struct PK11MergeLogStr PK11MergeLog; 416 typedef struct PK11MergeLogNodeStr PK11MergeLogNode; 417 418 /* These need to be global, leave some open fields so we can 'expand' 419 * these without breaking binary compatibility */ 420 struct PK11MergeLogNodeStr { 421 PK11MergeLogNode *next; /* next entry in the list */ 422 PK11MergeLogNode *prev; /* last entry in the list */ 423 PK11GenericObject *object; /* object that failed */ 424 int error; /* what the error was */ 425 CK_RV reserved1; 426 unsigned long reserved2; /* future flags */ 427 unsigned long reserved3; /* future scalar */ 428 void *reserved4; /* future pointer */ 429 void *reserved5; /* future expansion pointer */ 430 }; 431 432 struct PK11MergeLogStr { 433 PK11MergeLogNode *head; 434 PK11MergeLogNode *tail; 435 PLArenaPool *arena; 436 int version; 437 unsigned long reserved1; 438 unsigned long reserved2; 439 unsigned long reserved3; 440 void *reserverd4; 441 void *reserverd5; 442 }; 443 444 #endif /*_SECMODT_H_ */ 445