1 /* This Source Code Form is subject to the terms of the Mozilla Public
2  * License, v. 2.0. If a copy of the MPL was not distributed with this
3  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4 #ifndef _SECMODT_H_
5 #define _SECMODT_H_ 1
6 
7 #include "nssrwlkt.h"
8 #include "nssilckt.h"
9 #include "secoid.h"
10 #include "secasn1.h"
11 #include "pkcs11t.h"
12 #include "utilmodt.h"
13 
14 SEC_BEGIN_PROTOS
15 
16 /* ASN.1 templates (and their chooser declarations) named after the SECKEYPrivateKeyInfo and SECKEYEncryptedPrivateKeyInfo types declared further down. find a better home for these... */
17 extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
18 SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate)
19 extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
20 SEC_ASN1_CHOOSER_DECLARE(SECKEY_EncryptedPrivateKeyInfoTemplate)
21 extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
22 SEC_ASN1_CHOOSER_DECLARE(SECKEY_PrivateKeyInfoTemplate)
23 extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
24 SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToPrivateKeyInfoTemplate)
25 
26 SEC_END_PROTOS
27 
28 /* PKCS11 needs to be included. Type names follow; those marked "defined in secmodti.h" are only named here, not laid out. */
29 typedef struct SECMODModuleStr SECMODModule;         /* laid out below */
30 typedef struct SECMODModuleListStr SECMODModuleList; /* laid out below */
31 typedef NSSRWLock SECMODListLock;
32 typedef struct PK11SlotInfoStr PK11SlotInfo;          /* defined in secmodti.h */
33 typedef struct NSSUTILPreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */
34 typedef struct PK11SymKeyStr PK11SymKey;              /* defined in secmodti.h */
35 typedef struct PK11ContextStr PK11Context;            /* defined in secmodti.h */
36 typedef struct PK11SlotListStr PK11SlotList;               /* laid out below */
37 typedef struct PK11SlotListElementStr PK11SlotListElement; /* laid out below */
38 typedef struct PK11RSAGenParamsStr PK11RSAGenParams;       /* laid out below */
39 typedef unsigned long SECMODModuleID; /* type of SECMODModuleStr.moduleID */
40 typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry; /* laid out below */
41 typedef struct PK11GenericObjectStr PK11GenericObject;         /* not laid out in this header */
42 typedef void (*PK11FreeDataFunc)(void *); /* callback taking one untyped pointer and returning nothing */
43 
44 struct SECMODModuleStr { /* one PKCS #11 module: identity, load state, slots and configuration */
45     PLArenaPool *arena;        /* NOTE(review): presumably the arena this record lives in — confirm */
46     PRBool internal;           /* true for internally linked modules, false
47                                 * for the loaded modules */
48     PRBool loaded;             /* Set to true if module has been loaded */
49     PRBool isFIPS;             /* Set to true if module is FIPS internal (cf. SECMOD_FIPS) */
50     char *dllName;             /* name of the shared library which implements
51                                 * this module. It selects code to load, so it must come from trusted configuration */
52     char *commonName;          /* name of the module to display to the user */
53     void *library;             /* pointer to the library. opaque. used only by
54                                 * pk11load.c */
55     void *functionList;        /* The PKCS #11 function table */
56     PZLock *refLock;           /* only used by pk11db.c */
57     int refCount;              /* Module reference count */
58     PK11SlotInfo **slots;      /* array of slot pointers attached to this module */
59     int slotCount;             /* count of slots in above array */
60     PK11PreSlotInfo *slotInfo; /* special info about the slots' default settings */
61     int slotInfoCount;         /* count of entries in slotInfo, going by the name */
62     SECMODModuleID moduleID;   /* ID so we can find this module again */
63     PRBool isThreadSafe;       /* NOTE(review): undocumented; presumably whether the module may be called concurrently — confirm */
64     unsigned long ssl[2];        /* SSL cipher enable flags */
65     char *libraryParams;         /* Module specific parameters */
66     void *moduleDBFunc;          /* function to return module configuration data */
67     SECMODModule *parent;        /* module that loaded us */
68     PRBool isCritical;           /* This module must load successfully */
69     PRBool isModuleDB;           /* this module has lists of PKCS #11 modules */
70     PRBool moduleDBOnly;         /* this module only has lists of PKCS #11 modules */
71     int trustOrder;              /* order for this module's certificate trust rollup */
72     int cipherOrder;             /* order for cipher operations */
73     unsigned long evControlMask; /* control the running and shutdown of slot
74                                   * events (SECMOD_WaitForAnyTokenEvent); bits are the SECMOD_*WAIT* values below */
75     CK_VERSION cryptokiVersion;  /* version of this library */
76     CK_FLAGS flags;              /* pkcs11 v3 flags */
77 };
78 
79 /* evControlMask flags */
80 /*
81  * These bits tell the current state of a SECMOD_WaitForAnyTokenEvent.
82  *
83  * SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in
84  *  C_WaitForSlotEvent().
85  * SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code
86  *  which polls for token insertion and removal events.
87  * SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is
88  *  waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent
89  *  should return immediately to its caller.
90  */
91 #define SECMOD_END_WAIT 0x01             /* cancel requested */
92 #define SECMOD_WAIT_SIMULATED_EVENT 0x02 /* waiting in the NSS polling code */
93 #define SECMOD_WAIT_PKCS11_EVENT 0x04    /* waiting in C_WaitForSlotEvent() */
94 
95 struct SECMODModuleListStr { /* node of a forward-linked list of modules */
96     SECMODModuleList *next; /* following node */
97     SECMODModule *module;   /* module held by this node */
98 };
99 
100 struct PK11SlotListStr { /* list of PK11SlotListElement nodes, with both ends recorded */
101     PK11SlotListElement *head; /* first element */
102     PK11SlotListElement *tail; /* last element */
103     PZLock *lock;              /* NOTE(review): presumably guards this list — confirm which operations take it */
104 };
105 
106 struct PK11SlotListElementStr { /* node of a PK11SlotList, linked in both directions */
107     PK11SlotListElement *next; /* following node */
108     PK11SlotListElement *prev; /* preceding node */
109     PK11SlotInfo *slot;        /* slot held by this node */
110     int refCount;              /* reference count of this node, going by the name */
111 };
112 
113 struct PK11RSAGenParamsStr { /* parameters for RSA key generation, per the type name */
114     int keySizeInBits; /* requested key size in bits; this type enforces no minimum, any validation happens in the code that consumes it */
115     unsigned long pe;  /* NOTE(review): presumably the RSA public exponent — confirm */
116 };
117 
118 typedef enum { /* selects which certificates a listing returns */
119     PK11CertListUnique = 0,     /* get one instance of all certs */
120     PK11CertListUser = 1,       /* get all instances of user certs */
121     PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key.
122                                  * deprecated. Use PK11CertListCAUnique
123                                  */
124     PK11CertListCA = 3,         /* get all instances of CA certs */
125     PK11CertListCAUnique = 4,   /* get one instance of CA certs */
126     PK11CertListUserUnique = 5, /* get one instance of user certs */
127     PK11CertListAll = 6         /* get all instances of all certs */
128 } PK11CertListType;
129 
130 /*
131  * Entry into the array which lists all the legal bits for the default flags
132  * in the slot, their definition, and the PKCS #11 mechanism they represent.
133  * Always statically allocated.
134  */
135 struct PK11DefaultArrayEntryStr {
136     const char *name;        /* textual name for the flag, going by the field name */
137     unsigned long flag;      /* the default-flag bit this entry describes */
138     unsigned long mechanism; /* this is a long so we don't include the
139                               * whole pkcs 11 world to use this header */
140 };
141 
142 /*
143  * PK11AttrFlags
144  *
145  * A 32-bit bitmask of PK11_ATTR_XXX flags. The flags come in pairs, and the two flags of a pair cannot both be set.
146  */
147 typedef PRUint32 PK11AttrFlags;
148 
149 /*
150  * PK11_ATTR_XXX
151  *
152  * The following PK11_ATTR_XXX bitflags are used to specify
153  * PKCS #11 object attributes that have Boolean values.  Some NSS
154  * functions have a "PK11AttrFlags attrFlags" parameter whose value
155  * is the logical OR of these bitflags.  NSS uses these bitflags on
156  * private keys or secret keys.  Some of these bitflags also apply
157  * to the public keys associated with the private keys.
158  *
159  * For each PKCS #11 object attribute, we need two bitflags to
160  * specify not only "true" and "false" but also "default".  For
161  * example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the
162  * CKA_PRIVATE attribute.  If PK11_ATTR_PRIVATE is set, we add
163  *     { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) }
164  * to the template.  If PK11_ATTR_PUBLIC is set, we add
165  *     { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) }
166  * to the template.  If neither flag is set, we don't add any
167  * CKA_PRIVATE entry to the template.
168  */
169 
170 /*
171  * Attributes for PKCS #11 storage objects, which include not only
172  * keys but also certificates and domain parameters.
173  */
174 
175 /*
176  * PK11_ATTR_TOKEN
177  * PK11_ATTR_SESSION
178  *
179  * These two flags determine whether the object is a token or
180  * session object.
181  *
182  * These two flags are related and cannot both be set.
183  * If the PK11_ATTR_TOKEN flag is set, the object is a token
184  * object.  If the PK11_ATTR_SESSION flag is set, the object is
185  * a session object.  If neither flag is set, the object is *by
186  * default* a session object.
187  *
188  * These two flags specify the value of the PKCS #11 CKA_TOKEN
189  * attribute.
190  */
191 #define PK11_ATTR_TOKEN 0x00000001L   /* token object (CKA_TOKEN true) */
192 #define PK11_ATTR_SESSION 0x00000002L /* session object (CKA_TOKEN false); also what you get when neither is set */
193 
194 /*
195  * PK11_ATTR_PRIVATE
196  * PK11_ATTR_PUBLIC
197  *
198  * These two flags determine whether the object is a private or
199  * public object.  A user may not access a private object until the
200  * user has authenticated to the token.
201  *
202  * These two flags are related and cannot both be set.
203  * If the PK11_ATTR_PRIVATE flag is set, the object is a private
204  * object.  If the PK11_ATTR_PUBLIC flag is set, the object is a
205  * public object.  If neither flag is set, it is token-specific
206  * whether the object is private or public.
207  *
208  * These two flags specify the value of the PKCS #11 CKA_PRIVATE
209  * attribute.  NSS only uses this attribute on private and secret
210  * keys, so public keys created by NSS get the token-specific
211  * default value of the CKA_PRIVATE attribute.
212  */
213 #define PK11_ATTR_PRIVATE 0x00000004L /* CKA_PRIVATE true; set it explicitly when access must require authentication, since the unset default is token-specific */
214 #define PK11_ATTR_PUBLIC 0x00000008L  /* CKA_PRIVATE false */
215 
216 /*
217  * PK11_ATTR_MODIFIABLE
218  * PK11_ATTR_UNMODIFIABLE
219  *
220  * These two flags determine whether the object is modifiable or
221  * read-only.
222  *
223  * These two flags are related and cannot both be set.
224  * If the PK11_ATTR_MODIFIABLE flag is set, the object can be
225  * modified.  If the PK11_ATTR_UNMODIFIABLE flag is set, the object
226  * is read-only.  If neither flag is set, the object is *by default*
227  * modifiable.
228  *
229  * These two flags specify the value of the PKCS #11 CKA_MODIFIABLE
230  * attribute.
231  */
232 #define PK11_ATTR_MODIFIABLE 0x00000010L   /* CKA_MODIFIABLE true; also what you get when neither is set */
233 #define PK11_ATTR_UNMODIFIABLE 0x00000020L /* CKA_MODIFIABLE false: read-only object */
234 
235 /* Attributes for PKCS #11 key objects. */
236 
237 /*
238  * PK11_ATTR_SENSITIVE
239  * PK11_ATTR_INSENSITIVE
240  *
241  * These two flags are related and cannot both be set.
242  * If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive.
243  * If the PK11_ATTR_INSENSITIVE flag is set, the key is not
244  * sensitive.  If neither flag is set, it is token-specific whether
245  * the key is sensitive or not.
246  *
247  * If a key is sensitive, certain attributes of the key cannot be
248  * revealed in plaintext outside the token.
249  *
250  * These two flags specify the value of the PKCS #11 CKA_SENSITIVE
251  * attribute.  Although the default value of the CKA_SENSITIVE
252  * attribute for secret keys is CK_FALSE per PKCS #11, some FIPS
253  * tokens set the default value to CK_TRUE because only CK_TRUE
254  * is allowed.  So in practice the default value of this attribute
255  * is token-specific, hence the need for two bitflags.
256  */
257 #define PK11_ATTR_SENSITIVE 0x00000040L   /* CKA_SENSITIVE true; set it explicitly for keys that must stay sensitive, since the unset default is token-specific */
258 #define PK11_ATTR_INSENSITIVE 0x00000080L /* CKA_SENSITIVE false */
259 
260 /*
261  * PK11_ATTR_EXTRACTABLE
262  * PK11_ATTR_UNEXTRACTABLE
263  *
264  * These two flags are related and cannot both be set.
265  * If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable
266  * and can be wrapped.  If the PK11_ATTR_UNEXTRACTABLE flag is set,
267  * the key is not extractable, and certain attributes of the key
268  * cannot be revealed in plaintext outside the token (just like a
269  * sensitive key).  If neither flag is set, it is token-specific
270  * whether the key is extractable or not.
271  *
272  * These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE
273  * attribute.
274  */
275 #define PK11_ATTR_EXTRACTABLE 0x00000100L   /* CKA_EXTRACTABLE true: the key can be wrapped */
276 #define PK11_ATTR_UNEXTRACTABLE 0x00000200L /* CKA_EXTRACTABLE false; set it explicitly for keys that must not leave the token, since the unset default is token-specific */
277 
278 /* Cryptographic module types */
279 #define SECMOD_EXTERNAL 0 /* external module */
280 #define SECMOD_INTERNAL 1 /* internal default module */
281 #define SECMOD_FIPS 2     /* internal fips module */
282 
283 /* default module configuration strings. The slotFlags list names legacy algorithms (RC2, RC4, DES, MD5, MD2, SHA1) next to current ones. NOTE(review): what listing a name here permits is decided by the code that parses the string — confirm before reading it as policy. */
284 #define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]"
285 /* SECMOD_MAKE_NSS_FLAGS builds one string literal at compile time: fips must itself be a string literal (it is concatenated), slot is stringized with #. */
286 #define SECMOD_MAKE_NSS_FLAGS(fips, slot) \
287     "Flags=internal,critical" fips " slotparams=(" #slot "={" SECMOD_SLOT_FLAGS "})"
288 
289 #define SECMOD_INT_NAME "NSS Internal PKCS #11 Module"
290 #define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("", 1) /* no extra flag, slot 1 */
291 #define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
292 #define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips", 3) /* adds the fips flag, slot 3 */
293 
294 /*
295  * What is the origin of a given Key. Normally this doesn't matter, but
296  * the fortezza code needs to know if it needs to invoke the SSL3 fortezza
297  * hack.
298  */
299 typedef enum {
300     PK11_OriginNULL = 0,         /* There is no key, it's a null SymKey */
301     PK11_OriginDerive = 1,       /* Key was derived from some other key */
302     PK11_OriginGenerated = 2,    /* Key was generated (also PBE keys) */
303     PK11_OriginFortezzaHack = 3, /* Key was marked for fortezza hack */
304     PK11_OriginUnwrap = 4        /* Key was unwrapped or decrypted */
305 } PK11Origin;
306 
307 /* PKCS #11 disable reasons. PK11_DIS_NONE (0) is the "no reason" value; the meanings of the others are as the identifiers read and are not documented further here. */
308 typedef enum {
309     PK11_DIS_NONE = 0,
310     PK11_DIS_USER_SELECTED = 1,
311     PK11_DIS_COULD_NOT_INIT_TOKEN = 2,
312     PK11_DIS_TOKEN_VERIFY_FAILED = 3,
313     PK11_DIS_TOKEN_NOT_PRESENT = 4
314 } PK11DisableReasons;
315 
316 /* types of PKCS #11 objects
317  * used to identify which NSS data structure is
318  * passed to the PK11_Raw* functions. Types map as follows:
319  *   PK11_TypeGeneric            PK11GenericObject *
320  *   PK11_TypePrivKey            SECKEYPrivateKey *
321  *   PK11_TypePubKey             SECKEYPublicKey *
322  *   PK11_TypeSymKey             PK11SymKey *
323  *   PK11_TypeCert               CERTCertificate * (currently not used).
324  */
325 typedef enum {
326     PK11_TypeGeneric = 0, /* PK11GenericObject pointer */
327     PK11_TypePrivKey = 1, /* SECKEYPrivateKey pointer */
328     PK11_TypePubKey = 2,  /* SECKEYPublicKey pointer */
329     PK11_TypeCert = 3,    /* CERTCertificate pointer (currently not used) */
330     PK11_TypeSymKey = 4   /* PK11SymKey pointer; note the numeric order differs from the table above */
331 } PK11ObjectType;
332 
333 /* function pointer type for password callback function.
334  * This type is passed in to PK11_SetPasswordFunc(). NOTE(review): ownership and zeroization of the returned string are not stated here — confirm.
335  */
336 typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg); /* takes the slot, a retry flag and an opaque arg */
337 typedef PRBool(PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg);         /* takes the slot and an opaque arg */
338 typedef PRBool(PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg);             /* takes the slot and an opaque arg */
339 
340 /*
341  * Special strings the password callback function can return only if
342  * the slot is a protected auth path slot.
343  */
344 #define PK11_PW_RETRY "RETRY"        /* a failed attempt to authenticate  \
345                                       * has already been made, just retry \
346                                       * the operation */
347 #define PK11_PW_AUTHENTICATED "AUTH" /* a successful attempt to authenticate \
348                                       * has completed. Continue without      \
349                                       * another call to C_Login */
350 /* All other non-null values mean that NSS could call C_Login to force
351  * the authentication. The following define is to aid applications in
352  * documenting that this is what they are trying to do */
353 #define PK11_PW_TRY "TRY" /* Default: a prompt has been presented \
354                            * to the user, initiate a C_Login      \
355                            * to authenticate the token */
356 
357 /*
358  * PKCS #11 key structures
359  */
360 
361 /*
362 ** Attributes: one attribute type together with its values
363 */
364 struct SECKEYAttributeStr {
365     SECItem attrType;    /* the attribute's type */
366     SECItem **attrValue; /* array of pointers to values; NOTE(review): how the array is terminated is not stated here — confirm */
367 };
368 typedef struct SECKEYAttributeStr SECKEYAttribute;
369 
370 /*
371 ** A PKCS#8 private key info object
372 */
373 struct SECKEYPrivateKeyInfoStr {
374     PLArenaPool *arena;
375     SECItem version;
376     SECAlgorithmID algorithm;
377     SECItem privateKey; /* NOTE(review): presumably unencrypted key material; confirm that the code releasing arena zeroizes it */
378     SECKEYAttribute **attributes;
379 };
380 typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo;
381 
382 /*
383 ** A PKCS#8 encrypted private key info object
384 */
385 struct SECKEYEncryptedPrivateKeyInfoStr {
386     PLArenaPool *arena;
387     SECAlgorithmID algorithm; /* algorithm identifier stored with the encrypted data */
388     SECItem encryptedData;    /* the encrypted data */
389 };
390 typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo;
391 
392 /*
393  * token removal detection: status values for a token (meanings as the identifiers read; not documented further here)
394  */
395 typedef enum {
396     PK11TokenNotRemovable = 0,
397     PK11TokenPresent = 1,
398     PK11TokenChanged = 2,
399     PK11TokenRemoved = 3
400 } PK11TokenStatus;
401 
402 typedef enum { /* kind of token event: removed-or-changed versus present, going by the identifiers */
403     PK11TokenRemovedOrChangedEvent = 0,
404     PK11TokenPresentEvent = 1
405 } PK11TokenEvent;
406 
407 /*
408  * CRL Import Flags
409  */
410 #define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000 /* no option bits set */
411 #define CRL_IMPORT_BYPASS_CHECKS 0x00000001   /* NOTE(review): by its name this skips checks made on import; which checks is not stated here — confirm, and use only for CRLs already validated by other means */
412 
413 /*
414  * Merge Error Log
415  */
416 typedef struct PK11MergeLogStr PK11MergeLog;
417 typedef struct PK11MergeLogNodeStr PK11MergeLogNode;
418 
419 /* These need to be global, leave some open fields so we can 'expand'
420  * these without breaking binary compatibility */
421 struct PK11MergeLogNodeStr {
422     PK11MergeLogNode *next;    /* next entry in the list */
423     PK11MergeLogNode *prev;    /* previous entry in the list */
424     PK11GenericObject *object; /* object that failed */
425     int error;                 /* what the error was */
426     CK_RV reserved1;
427     unsigned long reserved2; /* future flags */
428     unsigned long reserved3; /* future scalar */
429     void *reserved4;         /* future pointer */
430     void *reserved5;         /* future expansion pointer */
431 };
432 
433 struct PK11MergeLogStr { /* list of PK11MergeLogNode entries plus spare fields */
434     PK11MergeLogNode *head; /* first entry */
435     PK11MergeLogNode *tail; /* last entry */
436     PLArenaPool *arena;
437     int version;
438     unsigned long reserved1;
439     unsigned long reserved2;
440     unsigned long reserved3;
441     void *reserverd4; /* sic: the misspelling is part of the declared layout; renaming it would break any code that names the field */
442     void *reserverd5; /* sic, same reason */
443 };
444 
445 #endif /*_SECMODT_H_ */
446