1 /* This Source Code Form is subject to the terms of the Mozilla Public 2 * License, v. 2.0. If a copy of the MPL was not distributed with this 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 #ifndef _SECMODT_H_ 5 #define _SECMODT_H_ 1 6 7 #include "nssrwlkt.h" 8 #include "nssilckt.h" 9 #include "secoid.h" 10 #include "secasn1.h" 11 #include "pkcs11t.h" 12 #include "utilmodt.h" 13 14 SEC_BEGIN_PROTOS 15 16 /* find a better home for these... */ 17 extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[]; 18 SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate) 19 extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[]; 20 SEC_ASN1_CHOOSER_DECLARE(SECKEY_EncryptedPrivateKeyInfoTemplate) 21 extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[]; 22 SEC_ASN1_CHOOSER_DECLARE(SECKEY_PrivateKeyInfoTemplate) 23 extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[]; 24 SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToPrivateKeyInfoTemplate) 25 26 SEC_END_PROTOS 27 28 /* PKCS11 needs to be included */ 29 typedef struct SECMODModuleStr SECMODModule; 30 typedef struct SECMODModuleListStr SECMODModuleList; 31 typedef NSSRWLock SECMODListLock; 32 typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */ 33 typedef struct NSSUTILPreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */ 34 typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */ 35 typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */ 36 typedef struct PK11SlotListStr PK11SlotList; 37 typedef struct PK11SlotListElementStr PK11SlotListElement; 38 typedef struct PK11RSAGenParamsStr PK11RSAGenParams; 39 typedef unsigned long SECMODModuleID; 40 typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry; 41 typedef struct PK11GenericObjectStr PK11GenericObject; 42 typedef void (*PK11FreeDataFunc)(void *); 43 44 struct SECMODModuleStr { 45 PLArenaPool *arena; 46 PRBool internal; /* true of internally linked modules, false 47 * for the loaded modules */ 48 PRBool loaded; /* Set to true if module has been loaded */ 49 PRBool isFIPS; /* Set to true if module is finst internal */ 50 char *dllName; /* name of the shared library which implements 51 * this module */ 52 char *commonName; /* name of the module to display to the user */ 53 void *library; /* pointer to the library. opaque. used only by 54 * pk11load.c */ 55 void *functionList; /* The PKCS #11 function table */ 56 PZLock *refLock; /* only used pk11db.c */ 57 int refCount; /* Module reference count */ 58 PK11SlotInfo **slots; /* array of slot points attached to this mod*/ 59 int slotCount; /* count of slot in above array */ 60 PK11PreSlotInfo *slotInfo; /* special info about slots default settings */ 61 int slotInfoCount; /* count */ 62 SECMODModuleID moduleID; /* ID so we can find this module again */ 63 PRBool isThreadSafe; 64 unsigned long ssl[2]; /* SSL cipher enable flags */ 65 char *libraryParams; /* Module specific parameters */ 66 void *moduleDBFunc; /* function to return module configuration data*/ 67 SECMODModule *parent; /* module that loaded us */ 68 PRBool isCritical; /* This module must load successfully */ 69 PRBool isModuleDB; /* this module has lists of PKCS #11 modules */ 70 PRBool moduleDBOnly; /* this module only has lists of PKCS #11 modules */ 71 int trustOrder; /* order for this module's certificate trust rollup */ 72 int cipherOrder; /* order for cipher operations */ 73 unsigned long evControlMask; /* control the running and shutdown of slot 74 * events (SECMOD_WaitForAnyTokenEvent) */ 75 CK_VERSION cryptokiVersion; /* version of this library */ 76 CK_FLAGS flags; /* pkcs11 v3 flags */ 77 }; 78 79 /* evControlMask flags */ 80 /* 81 * These bits tell the current state of a SECMOD_WaitForAnyTokenEvent. 82 * 83 * SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in 84 * C_WaitForSlotEvent(). 85 * SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code 86 * which polls for token insertion and removal events. 87 * SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is 88 * waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent 89 * should return immediately to it's caller. 90 */ 91 #define SECMOD_END_WAIT 0x01 92 #define SECMOD_WAIT_SIMULATED_EVENT 0x02 93 #define SECMOD_WAIT_PKCS11_EVENT 0x04 94 95 struct SECMODModuleListStr { 96 SECMODModuleList *next; 97 SECMODModule *module; 98 }; 99 100 struct PK11SlotListStr { 101 PK11SlotListElement *head; 102 PK11SlotListElement *tail; 103 PZLock *lock; 104 }; 105 106 struct PK11SlotListElementStr { 107 PK11SlotListElement *next; 108 PK11SlotListElement *prev; 109 PK11SlotInfo *slot; 110 int refCount; 111 }; 112 113 struct PK11RSAGenParamsStr { 114 int keySizeInBits; 115 unsigned long pe; 116 }; 117 118 typedef enum { 119 PK11CertListUnique = 0, /* get one instance of all certs */ 120 PK11CertListUser = 1, /* get all instances of user certs */ 121 PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key. 122 * deprecated. Use PK11CertListCAUnique 123 */ 124 PK11CertListCA = 3, /* get all instances of CA certs */ 125 PK11CertListCAUnique = 4, /* get one instance of CA certs */ 126 PK11CertListUserUnique = 5, /* get one instance of user certs */ 127 PK11CertListAll = 6 /* get all instances of all certs */ 128 } PK11CertListType; 129 130 /* 131 * Entry into the array which lists all the legal bits for the default flags 132 * in the slot, their definition, and the PKCS #11 mechanism they represent. 133 * Always statically allocated. 134 */ 135 struct PK11DefaultArrayEntryStr { 136 const char *name; 137 unsigned long flag; 138 unsigned long mechanism; /* this is a long so we don't include the 139 * whole pkcs 11 world to use this header */ 140 }; 141 142 /* 143 * PK11AttrFlags 144 * 145 * A 32-bit bitmask of PK11_ATTR_XXX flags 146 */ 147 typedef PRUint32 PK11AttrFlags; 148 149 /* 150 * PK11_ATTR_XXX 151 * 152 * The following PK11_ATTR_XXX bitflags are used to specify 153 * PKCS #11 object attributes that have Boolean values. Some NSS 154 * functions have a "PK11AttrFlags attrFlags" parameter whose value 155 * is the logical OR of these bitflags. NSS use these bitflags on 156 * private keys or secret keys. Some of these bitflags also apply 157 * to the public keys associated with the private keys. 158 * 159 * For each PKCS #11 object attribute, we need two bitflags to 160 * specify not only "true" and "false" but also "default". For 161 * example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the 162 * CKA_PRIVATE attribute. If PK11_ATTR_PRIVATE is set, we add 163 * { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) } 164 * to the template. If PK11_ATTR_PUBLIC is set, we add 165 * { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) } 166 * to the template. If neither flag is set, we don't add any 167 * CKA_PRIVATE entry to the template. 168 */ 169 170 /* 171 * Attributes for PKCS #11 storage objects, which include not only 172 * keys but also certificates and domain parameters. 173 */ 174 175 /* 176 * PK11_ATTR_TOKEN 177 * PK11_ATTR_SESSION 178 * 179 * These two flags determine whether the object is a token or 180 * session object. 181 * 182 * These two flags are related and cannot both be set. 183 * If the PK11_ATTR_TOKEN flag is set, the object is a token 184 * object. If the PK11_ATTR_SESSION flag is set, the object is 185 * a session object. If neither flag is set, the object is *by 186 * default* a session object. 187 * 188 * These two flags specify the value of the PKCS #11 CKA_TOKEN 189 * attribute. 190 */ 191 #define PK11_ATTR_TOKEN 0x00000001L 192 #define PK11_ATTR_SESSION 0x00000002L 193 194 /* 195 * PK11_ATTR_PRIVATE 196 * PK11_ATTR_PUBLIC 197 * 198 * These two flags determine whether the object is a private or 199 * public object. A user may not access a private object until the 200 * user has authenticated to the token. 201 * 202 * These two flags are related and cannot both be set. 203 * If the PK11_ATTR_PRIVATE flag is set, the object is a private 204 * object. If the PK11_ATTR_PUBLIC flag is set, the object is a 205 * public object. If neither flag is set, it is token-specific 206 * whether the object is private or public. 207 * 208 * These two flags specify the value of the PKCS #11 CKA_PRIVATE 209 * attribute. NSS only uses this attribute on private and secret 210 * keys, so public keys created by NSS get the token-specific 211 * default value of the CKA_PRIVATE attribute. 212 */ 213 #define PK11_ATTR_PRIVATE 0x00000004L 214 #define PK11_ATTR_PUBLIC 0x00000008L 215 216 /* 217 * PK11_ATTR_MODIFIABLE 218 * PK11_ATTR_UNMODIFIABLE 219 * 220 * These two flags determine whether the object is modifiable or 221 * read-only. 222 * 223 * These two flags are related and cannot both be set. 224 * If the PK11_ATTR_MODIFIABLE flag is set, the object can be 225 * modified. If the PK11_ATTR_UNMODIFIABLE flag is set, the object 226 * is read-only. If neither flag is set, the object is *by default* 227 * modifiable. 228 * 229 * These two flags specify the value of the PKCS #11 CKA_MODIFIABLE 230 * attribute. 231 */ 232 #define PK11_ATTR_MODIFIABLE 0x00000010L 233 #define PK11_ATTR_UNMODIFIABLE 0x00000020L 234 235 /* Attributes for PKCS #11 key objects. */ 236 237 /* 238 * PK11_ATTR_SENSITIVE 239 * PK11_ATTR_INSENSITIVE 240 * 241 * These two flags are related and cannot both be set. 242 * If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive. 243 * If the PK11_ATTR_INSENSITIVE flag is set, the key is not 244 * sensitive. If neither flag is set, it is token-specific whether 245 * the key is sensitive or not. 246 * 247 * If a key is sensitive, certain attributes of the key cannot be 248 * revealed in plaintext outside the token. 249 * 250 * This flag specifies the value of the PKCS #11 CKA_SENSITIVE 251 * attribute. Although the default value of the CKA_SENSITIVE 252 * attribute for secret keys is CK_FALSE per PKCS #11, some FIPS 253 * tokens set the default value to CK_TRUE because only CK_TRUE 254 * is allowed. So in practice the default value of this attribute 255 * is token-specific, hence the need for two bitflags. 256 */ 257 #define PK11_ATTR_SENSITIVE 0x00000040L 258 #define PK11_ATTR_INSENSITIVE 0x00000080L 259 260 /* 261 * PK11_ATTR_EXTRACTABLE 262 * PK11_ATTR_UNEXTRACTABLE 263 * 264 * These two flags are related and cannot both be set. 265 * If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable 266 * and can be wrapped. If the PK11_ATTR_UNEXTRACTABLE flag is set, 267 * the key is not extractable, and certain attributes of the key 268 * cannot be revealed in plaintext outside the token (just like a 269 * sensitive key). If neither flag is set, it is token-specific 270 * whether the key is extractable or not. 271 * 272 * These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE 273 * attribute. 274 */ 275 #define PK11_ATTR_EXTRACTABLE 0x00000100L 276 #define PK11_ATTR_UNEXTRACTABLE 0x00000200L 277 278 /* Cryptographic module types */ 279 #define SECMOD_EXTERNAL 0 /* external module */ 280 #define SECMOD_INTERNAL 1 /* internal default module */ 281 #define SECMOD_FIPS 2 /* internal fips module */ 282 283 /* default module configuration strings */ 284 #define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]" 285 286 #define SECMOD_MAKE_NSS_FLAGS(fips, slot) \ 287 "Flags=internal,critical" fips " slotparams=(" #slot "={" SECMOD_SLOT_FLAGS "})" 288 289 #define SECMOD_INT_NAME "NSS Internal PKCS #11 Module" 290 #define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("", 1) 291 #define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module" 292 #define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips", 3) 293 294 /* 295 * What is the origin of a given Key. Normally this doesn't matter, but 296 * the fortezza code needs to know if it needs to invoke the SSL3 fortezza 297 * hack. 298 */ 299 typedef enum { 300 PK11_OriginNULL = 0, /* There is not key, it's a null SymKey */ 301 PK11_OriginDerive = 1, /* Key was derived from some other key */ 302 PK11_OriginGenerated = 2, /* Key was generated (also PBE keys) */ 303 PK11_OriginFortezzaHack = 3, /* Key was marked for fortezza hack */ 304 PK11_OriginUnwrap = 4 /* Key was unwrapped or decrypted */ 305 } PK11Origin; 306 307 /* PKCS #11 disable reasons */ 308 typedef enum { 309 PK11_DIS_NONE = 0, 310 PK11_DIS_USER_SELECTED = 1, 311 PK11_DIS_COULD_NOT_INIT_TOKEN = 2, 312 PK11_DIS_TOKEN_VERIFY_FAILED = 3, 313 PK11_DIS_TOKEN_NOT_PRESENT = 4 314 } PK11DisableReasons; 315 316 /* types of PKCS #11 objects 317 * used to identify which NSS data structure is 318 * passed to the PK11_Raw* functions. Types map as follows: 319 * PK11_TypeGeneric PK11GenericObject * 320 * PK11_TypePrivKey SECKEYPrivateKey * 321 * PK11_TypePubKey SECKEYPublicKey * 322 * PK11_TypeSymKey PK11SymKey * 323 * PK11_TypeCert CERTCertificate * (currently not used). 324 */ 325 typedef enum { 326 PK11_TypeGeneric = 0, 327 PK11_TypePrivKey = 1, 328 PK11_TypePubKey = 2, 329 PK11_TypeCert = 3, 330 PK11_TypeSymKey = 4 331 } PK11ObjectType; 332 333 /* function pointer type for password callback function. 334 * This type is passed in to PK11_SetPasswordFunc() 335 */ 336 typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg); 337 typedef PRBool(PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg); 338 typedef PRBool(PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg); 339 340 /* 341 * Special strings the password callback function can return only if 342 * the slot is an protected auth path slot. 343 */ 344 #define PK11_PW_RETRY "RETRY" /* an failed attempt to authenticate \ 345 * has already been made, just retry \ 346 * the operation */ 347 #define PK11_PW_AUTHENTICATED "AUTH" /* a successful attempt to authenticate \ 348 * has completed. Continue without \ 349 * another call to C_Login */ 350 /* All other non-null values mean that that NSS could call C_Login to force 351 * the authentication. The following define is to aid applications in 352 * documenting that is what it's trying to do */ 353 #define PK11_PW_TRY "TRY" /* Default: a prompt has been presented \ 354 * to the user, initiate a C_Login \ 355 * to authenticate the token */ 356 357 /* 358 * PKCS #11 key structures 359 */ 360 361 /* 362 ** Attributes 363 */ 364 struct SECKEYAttributeStr { 365 SECItem attrType; 366 SECItem **attrValue; 367 }; 368 typedef struct SECKEYAttributeStr SECKEYAttribute; 369 370 /* 371 ** A PKCS#8 private key info object 372 */ 373 struct SECKEYPrivateKeyInfoStr { 374 PLArenaPool *arena; 375 SECItem version; 376 SECAlgorithmID algorithm; 377 SECItem privateKey; 378 SECKEYAttribute **attributes; 379 }; 380 typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo; 381 382 /* 383 ** A PKCS#8 private key info object 384 */ 385 struct SECKEYEncryptedPrivateKeyInfoStr { 386 PLArenaPool *arena; 387 SECAlgorithmID algorithm; 388 SECItem encryptedData; 389 }; 390 typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo; 391 392 /* 393 * token removal detection 394 */ 395 typedef enum { 396 PK11TokenNotRemovable = 0, 397 PK11TokenPresent = 1, 398 PK11TokenChanged = 2, 399 PK11TokenRemoved = 3 400 } PK11TokenStatus; 401 402 typedef enum { 403 PK11TokenRemovedOrChangedEvent = 0, 404 PK11TokenPresentEvent = 1 405 } PK11TokenEvent; 406 407 /* 408 * CRL Import Flags 409 */ 410 #define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000 411 #define CRL_IMPORT_BYPASS_CHECKS 0x00000001 412 413 /* 414 * Merge Error Log 415 */ 416 typedef struct PK11MergeLogStr PK11MergeLog; 417 typedef struct PK11MergeLogNodeStr PK11MergeLogNode; 418 419 /* These need to be global, leave some open fields so we can 'expand' 420 * these without breaking binary compatibility */ 421 struct PK11MergeLogNodeStr { 422 PK11MergeLogNode *next; /* next entry in the list */ 423 PK11MergeLogNode *prev; /* last entry in the list */ 424 PK11GenericObject *object; /* object that failed */ 425 int error; /* what the error was */ 426 CK_RV reserved1; 427 unsigned long reserved2; /* future flags */ 428 unsigned long reserved3; /* future scalar */ 429 void *reserved4; /* future pointer */ 430 void *reserved5; /* future expansion pointer */ 431 }; 432 433 struct PK11MergeLogStr { 434 PK11MergeLogNode *head; 435 PK11MergeLogNode *tail; 436 PLArenaPool *arena; 437 int version; 438 unsigned long reserved1; 439 unsigned long reserved2; 440 unsigned long reserved3; 441 void *reserverd4; 442 void *reserverd5; 443 }; 444 445 #endif /*_SECMODT_H_ */ 446