1 /* 2 * Copyright (c) 1995-2000 Intel Corporation. All rights reserved. 3 */ 4 /* 5 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 6 * Use is subject to license terms. 7 */ 8 9 #ifndef _KMFTYPES_H 10 #define _KMFTYPES_H 11 12 #pragma ident "%Z%%M% %I% %E% SMI" 13 14 #include <sys/types.h> 15 #include <stdlib.h> 16 #include <strings.h> 17 #include <pthread.h> 18 19 #include <security/cryptoki.h> 20 21 #ifdef __cplusplus 22 extern "C" { 23 #endif 24 25 typedef uint32_t KMF_BOOL; 26 27 #define KMF_FALSE (0) 28 #define KMF_TRUE (1) 29 30 /* KMF_HANDLE_T is a pointer to an incomplete C struct for type safety. */ 31 typedef struct _kmf_handle *KMF_HANDLE_T; 32 33 /* 34 * KMF_DATA 35 * The KMF_DATA structure is used to associate a length, in bytes, with 36 * an arbitrary block of contiguous memory. 37 */ 38 typedef struct kmf_data 39 { 40 size_t Length; /* in bytes */ 41 uchar_t *Data; 42 } KMF_DATA; 43 44 typedef struct { 45 uchar_t *val; 46 size_t len; 47 } KMF_BIGINT; 48 49 /* 50 * KMF_OID 51 * The object identifier (OID) structure is used to hold a unique identifier for 52 * the atomic data fields and the compound substructure that comprise the fields 53 * of a certificate or CRL. 54 */ 55 typedef KMF_DATA KMF_OID; 56 57 typedef struct kmf_x509_private { 58 int keystore_type; 59 int flags; /* see below */ 60 char *label; 61 #define KMF_FLAG_CERT_VALID 1 /* contains valid certificate */ 62 #define KMF_FLAG_CERT_SIGNED 2 /* this is a signed certificate */ 63 } KMF_X509_PRIVATE; 64 65 /* 66 * KMF_X509_DER_CERT 67 * This structure associates packed DER certificate data. 68 * Also, it contains the private information internal used 69 * by KMF layer. 70 */ 71 typedef struct 72 { 73 KMF_DATA certificate; 74 KMF_X509_PRIVATE kmf_private; 75 } KMF_X509_DER_CERT; 76 77 typedef int KMF_KEYSTORE_TYPE; 78 #define KMF_KEYSTORE_NSS 1 79 #define KMF_KEYSTORE_OPENSSL 2 80 #define KMF_KEYSTORE_PK11TOKEN 3 81 82 #define VALID_DEFAULT_KEYSTORE_TYPE(t) ((t >= KMF_KEYSTORE_NSS) &&\ 83 (t <= KMF_KEYSTORE_PK11TOKEN)) 84 85 typedef enum { 86 KMF_FORMAT_UNDEF = 0, 87 KMF_FORMAT_ASN1 = 1, /* DER */ 88 KMF_FORMAT_PEM = 2, 89 KMF_FORMAT_PKCS12 = 3, 90 KMF_FORMAT_RAWKEY = 4, /* For FindKey operation */ 91 KMF_FORMAT_PEM_KEYPAIR = 5 92 } KMF_ENCODE_FORMAT; 93 94 #define KMF_FORMAT_NATIVE KMF_FORMAT_UNDEF 95 96 typedef enum { 97 KMF_ALL_CERTS = 0, 98 KMF_NONEXPIRED_CERTS = 1, 99 KMF_EXPIRED_CERTS = 2 100 } KMF_CERT_VALIDITY; 101 102 103 typedef enum { 104 KMF_ALL_EXTNS = 0, 105 KMF_CRITICAL_EXTNS = 1, 106 KMF_NONCRITICAL_EXTNS = 2 107 } KMF_FLAG_CERT_EXTN; 108 109 110 typedef enum { 111 KMF_KU_SIGN_CERT = 0, 112 KMF_KU_SIGN_DATA = 1, 113 KMF_KU_ENCRYPT_DATA = 2 114 } KMF_KU_PURPOSE; 115 116 /* 117 * Algorithms 118 * This type defines a set of constants used to identify cryptographic 119 * algorithms. 120 */ 121 typedef enum { 122 KMF_ALGID_NONE = 0, 123 KMF_ALGID_CUSTOM, 124 KMF_ALGID_SHA1, 125 KMF_ALGID_RSA, 126 KMF_ALGID_DSA, 127 KMF_ALGID_MD5WithRSA, 128 KMF_ALGID_MD2WithRSA, 129 KMF_ALGID_SHA1WithRSA, 130 KMF_ALGID_SHA1WithDSA 131 } KMF_ALGORITHM_INDEX; 132 133 134 /* 135 * Generic credential structure used by other structures below 136 * to convey authentication information to the underlying 137 * mechanisms. 138 */ 139 typedef struct { 140 char *cred; 141 uint32_t credlen; 142 } KMF_CREDENTIAL; 143 144 typedef enum { 145 KMF_KEYALG_NONE = 0, 146 KMF_RSA = 1, 147 KMF_DSA = 2, 148 KMF_AES = 3, 149 KMF_RC4 = 4, 150 KMF_DES = 5, 151 KMF_DES3 = 6, 152 KMF_GENERIC_SECRET = 7 153 }KMF_KEY_ALG; 154 155 typedef enum { 156 KMF_KEYCLASS_NONE = 0, 157 KMF_ASYM_PUB = 1, /* public key of an asymmetric keypair */ 158 KMF_ASYM_PRI = 2, /* private key of an asymmetric keypair */ 159 KMF_SYMMETRIC = 3 /* symmetric key */ 160 }KMF_KEY_CLASS; 161 162 163 typedef enum { 164 KMF_CERT = 0, 165 KMF_CSR = 1, 166 KMF_CRL = 2 167 }KMF_OBJECT_TYPE; 168 169 170 typedef struct { 171 KMF_BIGINT mod; 172 KMF_BIGINT pubexp; 173 KMF_BIGINT priexp; 174 KMF_BIGINT prime1; 175 KMF_BIGINT prime2; 176 KMF_BIGINT exp1; 177 KMF_BIGINT exp2; 178 KMF_BIGINT coef; 179 } KMF_RAW_RSA_KEY; 180 181 typedef struct { 182 KMF_BIGINT prime; 183 KMF_BIGINT subprime; 184 KMF_BIGINT base; 185 KMF_BIGINT value; 186 KMF_BIGINT pubvalue; 187 } KMF_RAW_DSA_KEY; 188 189 typedef struct { 190 KMF_BIGINT keydata; 191 } KMF_RAW_SYM_KEY; 192 193 typedef struct { 194 KMF_KEY_ALG keytype; 195 boolean_t sensitive; 196 boolean_t not_extractable; 197 union { 198 KMF_RAW_RSA_KEY rsa; 199 KMF_RAW_DSA_KEY dsa; 200 KMF_RAW_SYM_KEY sym; 201 }rawdata; 202 char *label; 203 KMF_DATA id; 204 } KMF_RAW_KEY_DATA; 205 206 typedef struct { 207 KMF_KEYSTORE_TYPE kstype; 208 KMF_KEY_ALG keyalg; 209 KMF_KEY_CLASS keyclass; 210 boolean_t israw; 211 char *keylabel; 212 void *keyp; 213 } KMF_KEY_HANDLE; 214 215 typedef struct { 216 KMF_KEYSTORE_TYPE kstype; 217 uint32_t errcode; 218 } KMF_ERROR; 219 220 /* 221 * Typenames to use with subjectAltName 222 */ 223 typedef enum { 224 GENNAME_OTHERNAME = 0x00, 225 GENNAME_RFC822NAME, 226 GENNAME_DNSNAME, 227 GENNAME_X400ADDRESS, 228 GENNAME_DIRECTORYNAME, 229 GENNAME_EDIPARTYNAME, 230 GENNAME_URI, 231 GENNAME_IPADDRESS, 232 GENNAME_REGISTEREDID, 233 GENNAME_KRB5PRINC, 234 GENNAME_SCLOGON_UPN 235 } KMF_GENERALNAMECHOICES; 236 237 /* 238 * KMF_FIELD 239 * This structure contains the OID/value pair for any item that can be 240 * identified by an OID. 241 */ 242 typedef struct 243 { 244 KMF_OID FieldOid; 245 KMF_DATA FieldValue; 246 } KMF_FIELD; 247 248 typedef enum { 249 KMF_OK = 0x00, 250 KMF_ERR_BAD_PARAMETER = 0x01, 251 KMF_ERR_BAD_KEY_FORMAT = 0x02, 252 KMF_ERR_BAD_ALGORITHM = 0x03, 253 KMF_ERR_MEMORY = 0x04, 254 KMF_ERR_ENCODING = 0x05, 255 KMF_ERR_PLUGIN_INIT = 0x06, 256 KMF_ERR_PLUGIN_NOTFOUND = 0x07, 257 KMF_ERR_INTERNAL = 0x0b, 258 KMF_ERR_BAD_CERT_FORMAT = 0x0c, 259 KMF_ERR_KEYGEN_FAILED = 0x0d, 260 KMF_ERR_UNINITIALIZED = 0x10, 261 KMF_ERR_ISSUER = 0x11, 262 KMF_ERR_NOT_REVOKED = 0x12, 263 KMF_ERR_CERT_NOT_FOUND = 0x13, 264 KMF_ERR_CRL_NOT_FOUND = 0x14, 265 KMF_ERR_RDN_PARSER = 0x15, 266 KMF_ERR_RDN_ATTR = 0x16, 267 KMF_ERR_SLOTNAME = 0x17, 268 KMF_ERR_EMPTY_CRL = 0x18, 269 KMF_ERR_BUFFER_SIZE = 0x19, 270 KMF_ERR_AUTH_FAILED = 0x1a, 271 KMF_ERR_TOKEN_SELECTED = 0x1b, 272 KMF_ERR_NO_TOKEN_SELECTED = 0x1c, 273 KMF_ERR_TOKEN_NOT_PRESENT = 0x1d, 274 KMF_ERR_EXTENSION_NOT_FOUND = 0x1e, 275 KMF_ERR_POLICY_ENGINE = 0x1f, 276 KMF_ERR_POLICY_DB_FORMAT = 0x20, 277 KMF_ERR_POLICY_NOT_FOUND = 0x21, 278 KMF_ERR_POLICY_DB_FILE = 0x22, 279 KMF_ERR_POLICY_NAME = 0x23, 280 KMF_ERR_OCSP_POLICY = 0x24, 281 KMF_ERR_TA_POLICY = 0x25, 282 KMF_ERR_KEY_NOT_FOUND = 0x26, 283 KMF_ERR_OPEN_FILE = 0x27, 284 KMF_ERR_OCSP_BAD_ISSUER = 0x28, 285 KMF_ERR_OCSP_BAD_CERT = 0x29, 286 KMF_ERR_OCSP_CREATE_REQUEST = 0x2a, 287 KMF_ERR_CONNECT_SERVER = 0x2b, 288 KMF_ERR_SEND_REQUEST = 0x2c, 289 KMF_ERR_OCSP_CERTID = 0x2d, 290 KMF_ERR_OCSP_MALFORMED_RESPONSE = 0x2e, 291 KMF_ERR_OCSP_RESPONSE_STATUS = 0x2f, 292 KMF_ERR_OCSP_NO_BASIC_RESPONSE = 0x30, 293 KMF_ERR_OCSP_BAD_SIGNER = 0x31, 294 295 KMF_ERR_OCSP_RESPONSE_SIGNATURE = 0x32, 296 KMF_ERR_OCSP_UNKNOWN_CERT = 0x33, 297 KMF_ERR_OCSP_STATUS_TIME_INVALID = 0x34, 298 KMF_ERR_BAD_HTTP_RESPONSE = 0x35, 299 KMF_ERR_RECV_RESPONSE = 0x36, 300 KMF_ERR_RECV_TIMEOUT = 0x37, 301 KMF_ERR_DUPLICATE_KEYFILE = 0x38, 302 KMF_ERR_AMBIGUOUS_PATHNAME = 0x39, 303 KMF_ERR_FUNCTION_NOT_FOUND = 0x3a, 304 KMF_ERR_PKCS12_FORMAT = 0x3b, 305 KMF_ERR_BAD_KEY_TYPE = 0x3c, 306 KMF_ERR_BAD_KEY_CLASS = 0x3d, 307 KMF_ERR_BAD_KEY_SIZE = 0x3e, 308 KMF_ERR_BAD_HEX_STRING = 0x3f, 309 KMF_ERR_KEYUSAGE = 0x40, 310 KMF_ERR_VALIDITY_PERIOD = 0x41, 311 KMF_ERR_OCSP_REVOKED = 0x42, 312 KMF_ERR_CERT_MULTIPLE_FOUND = 0x43, 313 KMF_ERR_WRITE_FILE = 0x44, 314 KMF_ERR_BAD_URI = 0x45, 315 KMF_ERR_BAD_CRLFILE = 0x46, 316 KMF_ERR_BAD_CERTFILE = 0x47, 317 KMF_ERR_GETKEYVALUE_FAILED = 0x48, 318 KMF_ERR_BAD_KEYHANDLE = 0x49, 319 KMF_ERR_BAD_OBJECT_TYPE = 0x4a, 320 KMF_ERR_OCSP_RESPONSE_LIFETIME = 0x4b, 321 KMF_ERR_UNKNOWN_CSR_ATTRIBUTE = 0x4c, 322 KMF_ERR_UNINITIALIZED_TOKEN = 0x4d, 323 KMF_ERR_INCOMPLETE_TBS_CERT = 0x4e, 324 KMF_ERR_MISSING_ERRCODE = 0x4f, 325 KMF_KEYSTORE_ALREADY_INITIALIZED = 0x50, 326 KMF_ERR_SENSITIVE_KEY = 0x51, 327 KMF_ERR_UNEXTRACTABLE_KEY = 0x52, 328 KMF_ERR_KEY_MISMATCH = 0x53, 329 KMF_ERR_ATTR_NOT_FOUND = 0x54, 330 KMF_ERR_KMF_CONF = 0x55 331 } KMF_RETURN; 332 333 /* Data structures for OCSP support */ 334 typedef enum { 335 OCSP_GOOD = 0, 336 OCSP_REVOKED = 1, 337 OCSP_UNKNOWN = 2 338 } KMF_OCSP_CERT_STATUS; 339 340 typedef enum { 341 OCSP_SUCCESS = 0, 342 OCSP_MALFORMED_REQUEST = 1, 343 OCSP_INTERNAL_ERROR = 2, 344 OCSP_TRYLATER = 3, 345 OCSP_SIGREQUIRED = 4, 346 OCSP_UNAUTHORIZED = 5 347 } KMF_OCSP_RESPONSE_STATUS; 348 349 typedef enum { 350 OCSP_NOSTATUS = -1, 351 OCSP_UNSPECIFIED = 0, 352 OCSP_KEYCOMPROMISE = 1, 353 OCSP_CACOMPROMISE = 2, 354 OCSP_AFFILIATIONCHANGE = 3, 355 OCSP_SUPERCEDED = 4, 356 OCSP_CESSATIONOFOPERATION = 5, 357 OCSP_CERTIFICATEHOLD = 6, 358 OCSP_REMOVEFROMCRL = 7 359 } KMF_OCSP_REVOKED_STATUS; 360 361 typedef enum { 362 KMF_ALGCLASS_NONE = 0, 363 KMF_ALGCLASS_CUSTOM, 364 KMF_ALGCLASS_SIGNATURE, 365 KMF_ALGCLASS_SYMMETRIC, 366 KMF_ALGCLASS_DIGEST, 367 KMF_ALGCLASS_RANDOMGEN, 368 KMF_ALGCLASS_UNIQUEGEN, 369 KMF_ALGCLASS_MAC, 370 KMF_ALGCLASS_ASYMMETRIC, 371 KMF_ALGCLASS_KEYGEN, 372 KMF_ALGCLASS_DERIVEKEY 373 } KMF_ALGCLASS; 374 375 typedef enum { 376 KMF_CERT_ISSUER = 1, 377 KMF_CERT_SUBJECT, 378 KMF_CERT_VERSION, 379 KMF_CERT_SERIALNUM, 380 KMF_CERT_NOTBEFORE, 381 KMF_CERT_NOTAFTER, 382 KMF_CERT_PUBKEY_ALG, 383 KMF_CERT_SIGNATURE_ALG, 384 KMF_CERT_EMAIL, 385 KMF_CERT_PUBKEY_DATA, 386 KMF_X509_EXT_PRIV_KEY_USAGE_PERIOD, 387 KMF_X509_EXT_CERT_POLICIES, 388 KMF_X509_EXT_SUBJ_ALTNAME, 389 KMF_X509_EXT_ISSUER_ALTNAME, 390 KMF_X509_EXT_BASIC_CONSTRAINTS, 391 KMF_X509_EXT_NAME_CONSTRAINTS, 392 KMF_X509_EXT_POLICY_CONSTRAINTS, 393 KMF_X509_EXT_EXT_KEY_USAGE, 394 KMF_X509_EXT_INHIBIT_ANY_POLICY, 395 KMF_X509_EXT_AUTH_KEY_ID, 396 KMF_X509_EXT_SUBJ_KEY_ID, 397 KMF_X509_EXT_POLICY_MAPPINGS, 398 KMF_X509_EXT_CRL_DIST_POINTS, 399 KMF_X509_EXT_FRESHEST_CRL, 400 KMF_X509_EXT_KEY_USAGE 401 } KMF_PRINTABLE_ITEM; 402 403 /* 404 * KMF_X509_ALGORITHM_IDENTIFIER 405 * This structure holds an object identifier naming a 406 * cryptographic algorithm and an optional set of 407 * parameters to be used as input to that algorithm. 408 */ 409 typedef struct 410 { 411 KMF_OID algorithm; 412 KMF_DATA parameters; 413 } KMF_X509_ALGORITHM_IDENTIFIER; 414 415 /* 416 * KMF_X509_TYPE_VALUE_PAIR 417 * This structure contain an type-value pair. 418 */ 419 typedef struct 420 { 421 KMF_OID type; 422 uint8_t valueType; /* The Tag to use when BER encoded */ 423 KMF_DATA value; 424 } KMF_X509_TYPE_VALUE_PAIR; 425 426 427 /* 428 * KMF_X509_RDN 429 * This structure contains a Relative Distinguished Name 430 * composed of an ordered set of type-value pairs. 431 */ 432 typedef struct 433 { 434 uint32_t numberOfPairs; 435 KMF_X509_TYPE_VALUE_PAIR *AttributeTypeAndValue; 436 } KMF_X509_RDN; 437 438 /* 439 * KMF_X509_NAME 440 * This structure contains a set of Relative Distinguished Names. 441 */ 442 typedef struct 443 { 444 uint32_t numberOfRDNs; 445 KMF_X509_RDN *RelativeDistinguishedName; 446 } KMF_X509_NAME; 447 448 /* 449 * KMF_X509_SPKI 450 * This structure contains the public key and the 451 * description of the verification algorithm 452 * appropriate for use with this key. 453 */ 454 typedef struct 455 { 456 KMF_X509_ALGORITHM_IDENTIFIER algorithm; 457 KMF_DATA subjectPublicKey; 458 } KMF_X509_SPKI; 459 460 /* 461 * KMF_X509_TIME 462 * Time is represented as a string according to the 463 * definitions of GeneralizedTime and UTCTime 464 * defined in RFC 2459. 465 */ 466 typedef struct 467 { 468 uint8_t timeType; 469 KMF_DATA time; 470 } KMF_X509_TIME; 471 472 /* 473 * KMF_X509_VALIDITY 474 */ 475 typedef struct 476 { 477 KMF_X509_TIME notBefore; 478 KMF_X509_TIME notAfter; 479 } KMF_X509_VALIDITY; 480 481 /* 482 * KMF_X509EXT_BASICCONSTRAINTS 483 */ 484 typedef struct 485 { 486 KMF_BOOL cA; 487 KMF_BOOL pathLenConstraintPresent; 488 uint32_t pathLenConstraint; 489 } KMF_X509EXT_BASICCONSTRAINTS; 490 491 /* 492 * KMF_X509EXT_DATA_FORMAT 493 * This list defines the valid formats for a certificate extension. 494 */ 495 typedef enum 496 { 497 KMF_X509_DATAFORMAT_ENCODED = 0, 498 KMF_X509_DATAFORMAT_PARSED, 499 KMF_X509_DATAFORMAT_PAIR 500 } KMF_X509EXT_DATA_FORMAT; 501 502 503 /* 504 * KMF_X509EXT_TAGandVALUE 505 * This structure contains a BER/DER encoded 506 * extension value and the type of that value. 507 */ 508 typedef struct 509 { 510 uint8_t type; 511 KMF_DATA value; 512 } KMF_X509EXT_TAGandVALUE; 513 514 515 /* 516 * KMF_X509EXT_PAIR 517 * This structure aggregates two extension representations: 518 * a tag and value, and a parsed X509 extension representation. 519 */ 520 typedef struct 521 { 522 KMF_X509EXT_TAGandVALUE tagAndValue; 523 void *parsedValue; 524 } KMF_X509EXT_PAIR; 525 526 /* 527 * KMF_X509_EXTENSION 528 * This structure contains a complete certificate extension. 529 */ 530 typedef struct 531 { 532 KMF_OID extnId; 533 KMF_BOOL critical; 534 KMF_X509EXT_DATA_FORMAT format; 535 union 536 { 537 KMF_X509EXT_TAGandVALUE *tagAndValue; 538 void *parsedValue; 539 KMF_X509EXT_PAIR *valuePair; 540 } value; 541 KMF_DATA BERvalue; 542 } KMF_X509_EXTENSION; 543 544 545 /* 546 * KMF_X509_EXTENSIONS 547 * This structure contains the set of all certificate 548 * extensions contained in a certificate. 549 */ 550 typedef struct 551 { 552 uint32_t numberOfExtensions; 553 KMF_X509_EXTENSION *extensions; 554 } KMF_X509_EXTENSIONS; 555 556 /* 557 * KMF_X509_TBS_CERT 558 * This structure contains a complete X.509 certificate. 559 */ 560 typedef struct 561 { 562 KMF_DATA version; 563 KMF_BIGINT serialNumber; 564 KMF_X509_ALGORITHM_IDENTIFIER signature; 565 KMF_X509_NAME issuer; 566 KMF_X509_VALIDITY validity; 567 KMF_X509_NAME subject; 568 KMF_X509_SPKI subjectPublicKeyInfo; 569 KMF_DATA issuerUniqueIdentifier; 570 KMF_DATA subjectUniqueIdentifier; 571 KMF_X509_EXTENSIONS extensions; 572 } KMF_X509_TBS_CERT; 573 574 /* 575 * KMF_X509_SIGNATURE 576 * This structure contains a cryptographic digital signature. 577 */ 578 typedef struct 579 { 580 KMF_X509_ALGORITHM_IDENTIFIER algorithmIdentifier; 581 KMF_DATA encrypted; 582 } KMF_X509_SIGNATURE; 583 584 /* 585 * KMF_X509_CERTIFICATE 586 * This structure associates a set of decoded certificate 587 * values with the signature covering those values. 588 */ 589 typedef struct 590 { 591 KMF_X509_TBS_CERT certificate; 592 KMF_X509_SIGNATURE signature; 593 } KMF_X509_CERTIFICATE; 594 595 #define CERT_ALG_OID(c) &c->certificate.signature.algorithm 596 #define CERT_SIG_OID(c) &c->signature.algorithmIdentifier.algorithm 597 598 /* 599 * KMF_TBS_CSR 600 * This structure contains a complete PKCS#10 certificate request 601 */ 602 typedef struct 603 { 604 KMF_DATA version; 605 KMF_X509_NAME subject; 606 KMF_X509_SPKI subjectPublicKeyInfo; 607 KMF_X509_EXTENSIONS extensions; 608 } KMF_TBS_CSR; 609 610 /* 611 * KMF_CSR_DATA 612 * This structure contains a complete PKCS#10 certificate signed request 613 */ 614 typedef struct 615 { 616 KMF_TBS_CSR csr; 617 KMF_X509_SIGNATURE signature; 618 } KMF_CSR_DATA; 619 620 /* 621 * KMF_X509EXT_POLICYQUALIFIERINFO 622 */ 623 typedef struct 624 { 625 KMF_OID policyQualifierId; 626 KMF_DATA value; 627 } KMF_X509EXT_POLICYQUALIFIERINFO; 628 629 /* 630 * KMF_X509EXT_POLICYQUALIFIERS 631 */ 632 typedef struct 633 { 634 uint32_t numberOfPolicyQualifiers; 635 KMF_X509EXT_POLICYQUALIFIERINFO *policyQualifier; 636 } KMF_X509EXT_POLICYQUALIFIERS; 637 638 /* 639 * KMF_X509EXT_POLICYINFO 640 */ 641 typedef struct 642 { 643 KMF_OID policyIdentifier; 644 KMF_X509EXT_POLICYQUALIFIERS policyQualifiers; 645 } KMF_X509EXT_POLICYINFO; 646 647 typedef struct 648 { 649 uint32_t numberOfPolicyInfo; 650 KMF_X509EXT_POLICYINFO *policyInfo; 651 } KMF_X509EXT_CERT_POLICIES; 652 653 typedef struct 654 { 655 uchar_t critical; 656 uint16_t KeyUsageBits; 657 } KMF_X509EXT_KEY_USAGE; 658 659 typedef struct 660 { 661 uchar_t critical; 662 uint16_t nEKUs; 663 KMF_OID *keyPurposeIdList; 664 } KMF_X509EXT_EKU; 665 666 667 /* 668 * X509 AuthorityInfoAccess extension 669 */ 670 typedef struct 671 { 672 KMF_OID AccessMethod; 673 KMF_DATA AccessLocation; 674 } KMF_X509EXT_ACCESSDESC; 675 676 typedef struct 677 { 678 uint32_t numberOfAccessDescription; 679 KMF_X509EXT_ACCESSDESC *AccessDesc; 680 } KMF_X509EXT_AUTHINFOACCESS; 681 682 683 /* 684 * X509 Crl Distribution Point extension 685 */ 686 typedef struct { 687 KMF_GENERALNAMECHOICES choice; 688 KMF_DATA name; 689 } KMF_GENERALNAME; 690 691 typedef struct { 692 uint32_t number; 693 KMF_GENERALNAME *namelist; 694 } KMF_GENERALNAMES; 695 696 typedef enum { 697 DP_GENERAL_NAME = 1, 698 DP_RELATIVE_NAME = 2 699 } KMF_CRL_DIST_POINT_TYPE; 700 701 typedef struct { 702 KMF_CRL_DIST_POINT_TYPE type; 703 union { 704 KMF_GENERALNAMES full_name; 705 KMF_DATA relative_name; 706 } name; 707 KMF_DATA reasons; 708 KMF_GENERALNAMES crl_issuer; 709 } KMF_CRL_DIST_POINT; 710 711 typedef struct { 712 uint32_t number; 713 KMF_CRL_DIST_POINT *dplist; 714 } KMF_X509EXT_CRLDISTPOINTS; 715 716 typedef enum { 717 KMF_DATA_ATTR, 718 KMF_OID_ATTR, 719 KMF_BIGINT_ATTR, 720 KMF_X509_DER_CERT_ATTR, 721 KMF_KEYSTORE_TYPE_ATTR, 722 KMF_ENCODE_FORMAT_ATTR, 723 KMF_CERT_VALIDITY_ATTR, 724 KMF_KU_PURPOSE_ATTR, 725 KMF_ALGORITHM_INDEX_ATTR, 726 KMF_TOKEN_LABEL_ATTR, 727 KMF_READONLY_ATTR, 728 KMF_DIRPATH_ATTR, 729 KMF_CERTPREFIX_ATTR, 730 KMF_KEYPREFIX_ATTR, 731 KMF_SECMODNAME_ATTR, 732 KMF_CREDENTIAL_ATTR, 733 KMF_TRUSTFLAG_ATTR, 734 KMF_CRL_FILENAME_ATTR, 735 KMF_CRL_CHECK_ATTR, 736 KMF_CRL_DATA_ATTR, 737 KMF_CRL_SUBJECT_ATTR, 738 KMF_CRL_ISSUER_ATTR, 739 KMF_CRL_NAMELIST_ATTR, 740 KMF_CRL_COUNT_ATTR, 741 KMF_CRL_OUTFILE_ATTR, 742 KMF_CERT_LABEL_ATTR, 743 KMF_SUBJECT_NAME_ATTR, 744 KMF_ISSUER_NAME_ATTR, 745 KMF_CERT_FILENAME_ATTR, 746 KMF_KEY_FILENAME_ATTR, 747 KMF_OUTPUT_FILENAME_ATTR, 748 KMF_IDSTR_ATTR, 749 KMF_CERT_DATA_ATTR, 750 KMF_OCSP_RESPONSE_DATA_ATTR, 751 KMF_OCSP_RESPONSE_STATUS_ATTR, 752 KMF_OCSP_RESPONSE_REASON_ATTR, 753 KMF_OCSP_RESPONSE_CERT_STATUS_ATTR, 754 KMF_OCSP_REQUEST_FILENAME_ATTR, 755 KMF_KEYALG_ATTR, 756 KMF_KEYCLASS_ATTR, 757 KMF_KEYLABEL_ATTR, 758 KMF_KEYLENGTH_ATTR, 759 KMF_RSAEXP_ATTR, 760 KMF_TACERT_DATA_ATTR, 761 KMF_SLOT_ID_ATTR, 762 KMF_PK12CRED_ATTR, 763 KMF_ISSUER_CERT_DATA_ATTR, 764 KMF_USER_CERT_DATA_ATTR, 765 KMF_SIGNER_CERT_DATA_ATTR, 766 KMF_IGNORE_RESPONSE_SIGN_ATTR, 767 KMF_RESPONSE_LIFETIME_ATTR, 768 KMF_KEY_HANDLE_ATTR, 769 KMF_PRIVKEY_HANDLE_ATTR, 770 KMF_PUBKEY_HANDLE_ATTR, 771 KMF_ERROR_ATTR, 772 KMF_X509_NAME_ATTR, 773 KMF_X509_SPKI_ATTR, 774 KMF_X509_CERTIFICATE_ATTR, 775 KMF_RAW_KEY_ATTR, 776 KMF_CSR_DATA_ATTR, 777 KMF_GENERALNAMECHOICES_ATTR, 778 KMF_STOREKEY_BOOL_ATTR, 779 KMF_SENSITIVE_BOOL_ATTR, 780 KMF_NON_EXTRACTABLE_BOOL_ATTR, 781 KMF_TOKEN_BOOL_ATTR, 782 KMF_PRIVATE_BOOL_ATTR, 783 KMF_NEWPIN_ATTR, 784 KMF_IN_SIGN_ATTR, 785 KMF_OUT_DATA_ATTR, 786 KMF_COUNT_ATTR, 787 KMF_DESTROY_BOOL_ATTR, 788 KMF_TBS_CERT_DATA_ATTR, 789 KMF_PLAINTEXT_DATA_ATTR, 790 KMF_CIPHERTEXT_DATA_ATTR, 791 KMF_VALIDATE_RESULT_ATTR, 792 KMF_KEY_DATA_ATTR 793 } KMF_ATTR_TYPE; 794 795 typedef struct { 796 KMF_ATTR_TYPE type; 797 void *pValue; 798 uint32_t valueLen; 799 } KMF_ATTRIBUTE; 800 801 /* 802 * Definitions for common X.509v3 certificate attribute OIDs 803 */ 804 #define OID_ISO_MEMBER 42 /* Also in PKCS */ 805 #define OID_US OID_ISO_MEMBER, 134, 72 /* Also in PKCS */ 806 #define OID_CA OID_ISO_MEMBER, 124 807 808 #define OID_ISO_IDENTIFIED_ORG 43 809 #define OID_OSINET OID_ISO_IDENTIFIED_ORG, 4 810 #define OID_GOSIP OID_ISO_IDENTIFIED_ORG, 5 811 #define OID_DOD OID_ISO_IDENTIFIED_ORG, 6 812 #define OID_OIW OID_ISO_IDENTIFIED_ORG, 14 /* Also in x9.57 */ 813 814 #define OID_ISO_CCITT_DIR_SERVICE 85 815 #define OID_ISO_CCITT_COUNTRY 96 816 #define OID_COUNTRY_US OID_ISO_CCITT_COUNTRY, 134, 72 817 #define OID_COUNTRY_CA OID_ISO_CCITT_COUNTRY, 124 818 #define OID_COUNTRY_US_ORG OID_COUNTRY_US, 1 819 #define OID_COUNTRY_US_MHS_MD OID_COUNTRY_US, 2 820 #define OID_COUNTRY_US_STATE OID_COUNTRY_US, 3 821 822 /* From the PKCS Standards */ 823 #define OID_ISO_MEMBER_LENGTH 1 824 #define OID_US_LENGTH (OID_ISO_MEMBER_LENGTH + 2) 825 826 #define OID_RSA OID_US, 134, 247, 13 827 #define OID_RSA_LENGTH (OID_US_LENGTH + 3) 828 829 #define OID_RSA_HASH OID_RSA, 2 830 #define OID_RSA_HASH_LENGTH (OID_RSA_LENGTH + 1) 831 832 #define OID_RSA_ENCRYPT OID_RSA, 3 833 #define OID_RSA_ENCRYPT_LENGTH (OID_RSA_LENGTH + 1) 834 835 #define OID_PKCS OID_RSA, 1 836 #define OID_PKCS_LENGTH (OID_RSA_LENGTH + 1) 837 838 #define OID_PKCS_1 OID_PKCS, 1 839 #define OID_PKCS_1_LENGTH (OID_PKCS_LENGTH + 1) 840 841 #define OID_PKCS_2 OID_PKCS, 2 842 #define OID_PKCS_3 OID_PKCS, 3 843 #define OID_PKCS_3_LENGTH (OID_PKCS_LENGTH + 1) 844 845 #define OID_PKCS_4 OID_PKCS, 4 846 #define OID_PKCS_5 OID_PKCS, 5 847 #define OID_PKCS_5_LENGTH (OID_PKCS_LENGTH + 1) 848 #define OID_PKCS_6 OID_PKCS, 6 849 #define OID_PKCS_7 OID_PKCS, 7 850 #define OID_PKCS_7_LENGTH (OID_PKCS_LENGTH + 1) 851 852 #define OID_PKCS_7_Data OID_PKCS_7, 1 853 #define OID_PKCS_7_SignedData OID_PKCS_7, 2 854 #define OID_PKCS_7_EnvelopedData OID_PKCS_7, 3 855 #define OID_PKCS_7_SignedAndEnvelopedData OID_PKCS_7, 4 856 #define OID_PKCS_7_DigestedData OID_PKCS_7, 5 857 #define OID_PKCS_7_EncryptedData OID_PKCS_7, 6 858 859 #define OID_PKCS_8 OID_PKCS, 8 860 #define OID_PKCS_9 OID_PKCS, 9 861 #define OID_PKCS_9_LENGTH (OID_PKCS_LENGTH + 1) 862 863 #define OID_PKCS_9_CONTENT_TYPE OID_PKCS_9, 3 864 #define OID_PKCS_9_MESSAGE_DIGEST OID_PKCS_9, 4 865 #define OID_PKCS_9_SIGNING_TIME OID_PKCS_9, 5 866 #define OID_PKCS_9_COUNTER_SIGNATURE OID_PKCS_9, 6 867 #define OID_PKCS_9_EXTENSION_REQUEST OID_PKCS_9, 14 868 869 #define OID_PKCS_10 OID_PKCS, 10 870 871 #define OID_PKCS_12 OID_PKCS, 12 872 #define OID_PKCS_12_LENGTH (OID_PKCS_LENGTH + 1) 873 874 #define PBEWithSHAAnd128BitRC4 OID_PKCS_12, 1, 1 875 #define PBEWithSHAAnd40BitRC4 OID_PKCS_12, 1, 2 876 #define PBEWithSHAAnd3KeyTripleDES_CBC OID_PKCS_12, 1, 3 877 #define PBEWithSHAAnd2KeyTripleDES_CBC OID_PKCS_12, 1, 4 878 #define PBEWithSHAAnd128BitRC2_CBC OID_PKCS_12, 1, 5 879 #define PBEWithSHAAnd40BitRC2_CBC OID_PKCS_12, 1, 6 880 881 #define OID_BAG_TYPES OID_PKCS_12, 10, 1 882 #define OID_KeyBag OID_BAG_TYPES, 1 883 #define OID_PKCS8ShroudedKeyBag OID_BAG_TYPES, 2 884 #define OID_CertBag OID_BAG_TYPES, 3 885 #define OID_CrlBag OID_BAG_TYPES, 4 886 #define OID_SecretBag OID_BAG_TYPES, 5 887 #define OID_SafeContentsBag OID_BAG_TYPES, 6 888 889 #define OID_ContentInfo OID_PKCS_7, 0, 1 890 891 #define OID_CERT_TYPES OID_PKCS_9, 22 892 #define OID_x509Certificate OID_CERT_TYPES, 1 893 #define OID_sdsiCertificate OID_CERT_TYPES, 2 894 895 #define OID_CRL_TYPES OID_PKCS_9, 23 896 #define OID_x509Crl OID_CRL_TYPES, 1 897 898 #define OID_DS OID_ISO_CCITT_DIR_SERVICE /* Also in X.501 */ 899 #define OID_DS_LENGTH 1 900 901 #define OID_ATTR_TYPE OID_DS, 4 /* Also in X.501 */ 902 #define OID_ATTR_TYPE_LENGTH (OID_DS_LENGTH + 1) 903 904 #define OID_DSALG OID_DS, 8 /* Also in X.501 */ 905 #define OID_DSALG_LENGTH (OID_DS_LENGTH + 1) 906 907 #define OID_EXTENSION OID_DS, 29 /* Also in X.501 */ 908 #define OID_EXTENSION_LENGTH (OID_DS_LENGTH + 1) 909 910 /* 911 * From RFC 1274: 912 * {itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100) pilotAttributeType(1) } 913 */ 914 #define OID_PILOT 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x1 915 #define OID_PILOT_LENGTH 9 916 917 #define OID_USERID OID_PILOT 1 918 #define OID_USERID_LENGTH (OID_PILOT_LENGTH + 1) 919 920 /* 921 * From PKIX part1 922 * { iso(1) identified-organization(3) dod(6) internet(1) 923 * security(5) mechanisms(5) pkix(7) } 924 */ 925 #define OID_PKIX 43, 6, 1, 5, 5, 7 926 #define OID_PKIX_LENGTH 6 927 928 /* private certificate extensions, { id-pkix 1 } */ 929 #define OID_PKIX_PE OID_PKIX, 1 930 #define OID_PKIX_PE_LENGTH (OID_PKIX_LENGTH + 1) 931 932 /* policy qualifier types {id-pkix 2 } */ 933 #define OID_PKIX_QT OID_PKIX, 2 934 #define OID_PKIX_QT_LENGTH (OID_PKIX_LENGTH + 1) 935 936 /* CPS qualifier, { id-qt 1 } */ 937 #define OID_PKIX_QT_CPS OID_PKIX_QT, 1 938 #define OID_PKIX_QT_CPS_LENGTH (OID_PKIX_QT_LENGTH + 1) 939 /* user notice qualifier, { id-qt 2 } */ 940 #define OID_PKIX_QT_UNOTICE OID_PKIX_QT, 2 941 #define OID_PKIX_QT_UNOTICE_LENGTH (OID_PKIX_QT_LENGTH + 1) 942 943 /* extended key purpose OIDs {id-pkix 3 } */ 944 #define OID_PKIX_KP OID_PKIX, 3 945 #define OID_PKIX_KP_LENGTH (OID_PKIX_LENGTH + 1) 946 947 /* access descriptors {id-pkix 4 } */ 948 #define OID_PKIX_AD OID_PKIX, 48 949 #define OID_PKIX_AD_LENGTH (OID_PKIX_LENGTH + 1) 950 951 /* access descriptors */ 952 /* OCSP */ 953 #define OID_PKIX_AD_OCSP OID_PKIX_AD, 1 954 #define OID_PKIX_AD_OCSP_LENGTH (OID_PKIX_AD_LENGTH + 1) 955 956 /* cAIssuers */ 957 #define OID_PKIX_AD_CAISSUERS OID_PKIX_AD, 2 958 #define OID_PKIX_AD_CAISSUERS_LENGTH (OID_PKIX_AD_LENGTH + 1) 959 960 /* end PKIX part1 */ 961 962 /* 963 * From RFC4556 (PKINIT) 964 * 965 * pkinit = { iso(1) identified-organization(3) dod(6) internet(1) 966 * security(5) kerberosv5(2) pkinit(3) } 967 */ 968 #define OID_KRB5_PKINIT 43, 6, 1, 5, 2, 3 969 #define OID_KRB5_PKINIT_LENGTH 6 970 971 #define OID_KRB5_PKINIT_KPCLIENTAUTH OID_KRB5_PKINIT, 4 972 #define OID_KRB5_PKINIT_KPCLIENTAUTH_LENGTH (OID_KRB5_PKINIT_LENGTH + 1) 973 974 #define OID_KRB5_PKINIT_KPKDC OID_KRB5_PKINIT, 5 975 #define OID_KRB5_PKINIT_KPKDC_LENGTH (OID_KRB5_PKINIT_LENGTH + 1) 976 977 #define OID_KRB5_SAN 43, 6, 1, 5, 2, 2 978 #define OID_KRB5_SAN_LENGTH 6 979 980 /* 981 * Microsoft OIDs: 982 * id-ms-san-sc-logon-upn = 983 * {iso(1) identified-organization(3) dod(6) internet(1) private(4) 984 * enterprise(1) microsoft(311) 20 2 3} 985 * 986 * id-ms-kp-sc-logon = 987 * {iso(1) identified-organization(3) dod(6) internet(1) private(4) 988 * enterprise(1) microsoft(311) 20 2 2} 989 */ 990 #define OID_MS 43, 6, 1, 4, 1, 130, 55 991 #define OID_MS_LENGTH 7 992 #define OID_MS_KP_SC_LOGON OID_MS, 20, 2, 2 993 #define OID_MS_KP_SC_LOGON_LENGTH (OID_MS_LENGTH + 3) 994 995 #define OID_MS_KP_SC_LOGON_UPN OID_MS, 20, 2, 3 996 #define OID_MS_KP_SC_LOGON_UPN_LENGTH (OID_MS_LENGTH + 3) 997 998 #define OID_APPL_TCP_PROTO 43, 6, 1, 2, 1, 27, 4 999 #define OID_APPL_TCP_PROTO_LENGTH 8 1000 1001 #define OID_DAP OID_DS, 3, 1 1002 #define OID_DAP_LENGTH (OID_DS_LENGTH + 2) 1003 1004 /* From x9.57 */ 1005 #define OID_OIW_LENGTH 2 1006 1007 #define OID_OIW_SECSIG OID_OIW, 3 1008 #define OID_OIW_SECSIG_LENGTH (OID_OIW_LENGTH + 1) 1009 1010 #define OID_OIW_ALGORITHM OID_OIW_SECSIG, 2 1011 #define OID_OIW_ALGORITHM_LENGTH (OID_OIW_SECSIG_LENGTH + 1) 1012 1013 #define OID_OIWDIR OID_OIW, 7, 2 1014 #define OID_OIWDIR_LENGTH (OID_OIW_LENGTH + 2) 1015 1016 #define OID_OIWDIR_CRPT OID_OIWDIR, 1 1017 1018 #define OID_OIWDIR_HASH OID_OIWDIR, 2 1019 #define OID_OIWDIR_HASH_LENGTH (OID_OIWDIR_LENGTH + 1) 1020 1021 #define OID_OIWDIR_SIGN OID_OIWDIR, 3 1022 #define OID_OIWDIR_SIGN_LENGTH (OID_OIWDIR_LENGTH + 1) 1023 1024 #define OID_X9CM OID_US, 206, 56 1025 #define OID_X9CM_MODULE OID_X9CM, 1 1026 #define OID_X9CM_INSTRUCTION OID_X9CM, 2 1027 #define OID_X9CM_ATTR OID_X9CM, 3 1028 #define OID_X9CM_X9ALGORITHM OID_X9CM, 4 1029 #define OID_X9CM_X9ALGORITHM_LENGTH ((OID_US_LENGTH) + 2 + 1) 1030 1031 #define INTEL 96, 134, 72, 1, 134, 248, 77 1032 #define INTEL_LENGTH 7 1033 1034 #define INTEL_SEC_FORMATS INTEL_CDSASECURITY, 1 1035 #define INTEL_SEC_FORMATS_LENGTH (INTEL_CDSASECURITY_LENGTH + 1) 1036 1037 #define INTEL_SEC_ALGS INTEL_CDSASECURITY, 2, 5 1038 #define INTEL_SEC_ALGS_LENGTH (INTEL_CDSASECURITY_LENGTH + 2) 1039 1040 extern const KMF_OID 1041 KMFOID_AliasedEntryName, 1042 KMFOID_AuthorityRevocationList, 1043 KMFOID_BusinessCategory, 1044 KMFOID_CACertificate, 1045 KMFOID_CertificateRevocationList, 1046 KMFOID_ChallengePassword, 1047 KMFOID_CollectiveFacsimileTelephoneNumber, 1048 KMFOID_CollectiveInternationalISDNNumber, 1049 KMFOID_CollectiveOrganizationName, 1050 KMFOID_CollectiveOrganizationalUnitName, 1051 KMFOID_CollectivePhysicalDeliveryOfficeName, 1052 KMFOID_CollectivePostOfficeBox, 1053 KMFOID_CollectivePostalAddress, 1054 KMFOID_CollectivePostalCode, 1055 KMFOID_CollectiveStateProvinceName, 1056 KMFOID_CollectiveStreetAddress, 1057 KMFOID_CollectiveTelephoneNumber, 1058 KMFOID_CollectiveTelexNumber, 1059 KMFOID_CollectiveTelexTerminalIdentifier, 1060 KMFOID_CommonName, 1061 KMFOID_ContentType, 1062 KMFOID_CounterSignature, 1063 KMFOID_CountryName, 1064 KMFOID_CrossCertificatePair, 1065 KMFOID_DNQualifier, 1066 KMFOID_Description, 1067 KMFOID_DestinationIndicator, 1068 KMFOID_DistinguishedName, 1069 KMFOID_EmailAddress, 1070 KMFOID_EnhancedSearchGuide, 1071 KMFOID_ExtendedCertificateAttributes, 1072 KMFOID_ExtensionRequest, 1073 KMFOID_FacsimileTelephoneNumber, 1074 KMFOID_GenerationQualifier, 1075 KMFOID_GivenName, 1076 KMFOID_HouseIdentifier, 1077 KMFOID_Initials, 1078 KMFOID_InternationalISDNNumber, 1079 KMFOID_KnowledgeInformation, 1080 KMFOID_LocalityName, 1081 KMFOID_Member, 1082 KMFOID_MessageDigest, 1083 KMFOID_Name, 1084 KMFOID_ObjectClass, 1085 KMFOID_OrganizationName, 1086 KMFOID_OrganizationalUnitName, 1087 KMFOID_Owner, 1088 KMFOID_PhysicalDeliveryOfficeName, 1089 KMFOID_PostOfficeBox, 1090 KMFOID_PostalAddress, 1091 KMFOID_PostalCode, 1092 KMFOID_PreferredDeliveryMethod, 1093 KMFOID_PresentationAddress, 1094 KMFOID_ProtocolInformation, 1095 KMFOID_RFC822mailbox, 1096 KMFOID_RegisteredAddress, 1097 KMFOID_RoleOccupant, 1098 KMFOID_SearchGuide, 1099 KMFOID_SeeAlso, 1100 KMFOID_SerialNumber, 1101 KMFOID_SigningTime, 1102 KMFOID_StateProvinceName, 1103 KMFOID_StreetAddress, 1104 KMFOID_SupportedApplicationContext, 1105 KMFOID_Surname, 1106 KMFOID_TelephoneNumber, 1107 KMFOID_TelexNumber, 1108 KMFOID_TelexTerminalIdentifier, 1109 KMFOID_Title, 1110 KMFOID_UniqueIdentifier, 1111 KMFOID_UniqueMember, 1112 KMFOID_UnstructuredAddress, 1113 KMFOID_UnstructuredName, 1114 KMFOID_UserCertificate, 1115 KMFOID_UserPassword, 1116 KMFOID_X_121Address, 1117 KMFOID_domainComponent, 1118 KMFOID_userid; 1119 1120 extern const KMF_OID 1121 KMFOID_AuthorityKeyID, 1122 KMFOID_AuthorityInfoAccess, 1123 KMFOID_VerisignCertificatePolicy, 1124 KMFOID_KeyUsageRestriction, 1125 KMFOID_SubjectDirectoryAttributes, 1126 KMFOID_SubjectKeyIdentifier, 1127 KMFOID_KeyUsage, 1128 KMFOID_PrivateKeyUsagePeriod, 1129 KMFOID_SubjectAltName, 1130 KMFOID_IssuerAltName, 1131 KMFOID_BasicConstraints, 1132 KMFOID_CrlNumber, 1133 KMFOID_CrlReason, 1134 KMFOID_HoldInstructionCode, 1135 KMFOID_InvalidityDate, 1136 KMFOID_DeltaCrlIndicator, 1137 KMFOID_IssuingDistributionPoints, 1138 KMFOID_NameConstraints, 1139 KMFOID_CrlDistributionPoints, 1140 KMFOID_CertificatePolicies, 1141 KMFOID_PolicyMappings, 1142 KMFOID_PolicyConstraints, 1143 KMFOID_AuthorityKeyIdentifier, 1144 KMFOID_ExtendedKeyUsage, 1145 KMFOID_PkixAdOcsp, 1146 KMFOID_PkixAdCaIssuers, 1147 KMFOID_PKIX_PQ_CPSuri, 1148 KMFOID_PKIX_PQ_Unotice, 1149 KMFOID_PKIX_KP_ServerAuth, 1150 KMFOID_PKIX_KP_ClientAuth, 1151 KMFOID_PKIX_KP_CodeSigning, 1152 KMFOID_PKIX_KP_EmailProtection, 1153 KMFOID_PKIX_KP_IPSecEndSystem, 1154 KMFOID_PKIX_KP_IPSecTunnel, 1155 KMFOID_PKIX_KP_IPSecUser, 1156 KMFOID_PKIX_KP_TimeStamping, 1157 KMFOID_PKIX_KP_OCSPSigning, 1158 KMFOID_SHA1, 1159 KMFOID_RSA, 1160 KMFOID_DSA, 1161 KMFOID_MD5WithRSA, 1162 KMFOID_MD2WithRSA, 1163 KMFOID_SHA1WithRSA, 1164 KMFOID_SHA1WithDSA, 1165 KMFOID_OIW_DSAWithSHA1, 1166 KMFOID_X9CM_DSA, 1167 KMFOID_X9CM_DSAWithSHA1; 1168 1169 /* For PKINIT support */ 1170 extern const KMF_OID 1171 KMFOID_PKINIT_san, 1172 KMFOID_PKINIT_ClientAuth, 1173 KMFOID_PKINIT_Kdc, 1174 KMFOID_MS_KP_SCLogon, 1175 KMFOID_MS_KP_SCLogon_UPN; 1176 1177 /* 1178 * KMF Certificate validation codes. These may be masked together. 1179 */ 1180 #define KMF_CERT_VALIDATE_OK 0x00 1181 #define KMF_CERT_VALIDATE_ERR_TA 0x01 1182 #define KMF_CERT_VALIDATE_ERR_USER 0x02 1183 #define KMF_CERT_VALIDATE_ERR_SIGNATURE 0x04 1184 #define KMF_CERT_VALIDATE_ERR_KEYUSAGE 0x08 1185 #define KMF_CERT_VALIDATE_ERR_EXT_KEYUSAGE 0x10 1186 #define KMF_CERT_VALIDATE_ERR_TIME 0x20 1187 #define KMF_CERT_VALIDATE_ERR_CRL 0x40 1188 #define KMF_CERT_VALIDATE_ERR_OCSP 0x80 1189 #define KMF_CERT_VALIDATE_ERR_ISSUER 0x100 1190 1191 /* 1192 * KMF Key Usage bitmasks 1193 */ 1194 #define KMF_digitalSignature 0x8000 1195 #define KMF_nonRepudiation 0x4000 1196 #define KMF_keyEncipherment 0x2000 1197 #define KMF_dataEncipherment 0x1000 1198 #define KMF_keyAgreement 0x0800 1199 #define KMF_keyCertSign 0x0400 1200 #define KMF_cRLSign 0x0200 1201 #define KMF_encipherOnly 0x0100 1202 #define KMF_decipherOnly 0x0080 1203 1204 #define KMF_KUBITMASK 0xFF80 1205 1206 /* 1207 * KMF Extended KeyUsage OID definitions 1208 */ 1209 #define KMF_EKU_SERVERAUTH 0x01 1210 #define KMF_EKU_CLIENTAUTH 0x02 1211 #define KMF_EKU_CODESIGNING 0x04 1212 #define KMF_EKU_EMAIL 0x08 1213 #define KMF_EKU_TIMESTAMP 0x10 1214 #define KMF_EKU_OCSPSIGNING 0x20 1215 1216 1217 /* 1218 * Legacy support only - do not use these data structures - they can be 1219 * removed at any time. 1220 */ 1221 1222 /* Keystore Configuration */ 1223 typedef struct { 1224 char *configdir; 1225 char *certPrefix; 1226 char *keyPrefix; 1227 char *secModName; 1228 } KMF_NSS_CONFIG; 1229 1230 typedef struct { 1231 char *label; 1232 boolean_t readonly; 1233 } KMF_PKCS11_CONFIG; 1234 1235 typedef struct { 1236 KMF_KEYSTORE_TYPE kstype; 1237 union { 1238 KMF_NSS_CONFIG nss_conf; 1239 KMF_PKCS11_CONFIG pkcs11_conf; 1240 } ks_config_u; 1241 } KMF_CONFIG_PARAMS; 1242 1243 #define nssconfig ks_config_u.nss_conf 1244 #define pkcs11config ks_config_u.pkcs11_conf 1245 1246 1247 typedef struct 1248 { 1249 char *trustflag; 1250 char *slotlabel; /* "internal" by default */ 1251 int issuerId; 1252 int subjectId; 1253 char *crlfile; /* for ImportCRL */ 1254 boolean_t crl_check; /* for ImportCRL */ 1255 1256 /* 1257 * The following 2 variables are for FindCertInCRL. The caller can 1258 * either specify certLabel or provide the entire certificate in 1259 * DER format as input. 1260 */ 1261 char *certLabel; /* for FindCertInCRL */ 1262 KMF_DATA *certificate; /* for FindCertInCRL */ 1263 1264 /* 1265 * crl_subjName and crl_issuerName are used as the CRL deletion 1266 * criteria. One should be non-NULL and the other one should be NULL. 1267 * If crl_subjName is not NULL, then delete CRL by the subject name. 1268 * Othewise, delete by the issuer name. 1269 */ 1270 char *crl_subjName; 1271 char *crl_issuerName; 1272 } KMF_NSS_PARAMS; 1273 1274 typedef struct { 1275 char *dirpath; 1276 char *certfile; 1277 char *crlfile; 1278 char *keyfile; 1279 char *outcrlfile; 1280 boolean_t crl_check; /* CRL import check; default is true */ 1281 KMF_ENCODE_FORMAT format; /* output file format */ 1282 } KMF_OPENSSL_PARAMS; 1283 1284 typedef struct { 1285 boolean_t private; /* for finding CKA_PRIVATE objects */ 1286 boolean_t sensitive; 1287 boolean_t not_extractable; 1288 boolean_t token; /* true == token object, false == session */ 1289 } KMF_PKCS11_PARAMS; 1290 1291 typedef struct { 1292 KMF_KEYSTORE_TYPE kstype; 1293 char *certLabel; 1294 char *issuer; 1295 char *subject; 1296 char *idstr; 1297 KMF_BIGINT *serial; 1298 KMF_CERT_VALIDITY find_cert_validity; 1299 1300 union { 1301 KMF_NSS_PARAMS nss_opts; 1302 KMF_OPENSSL_PARAMS openssl_opts; 1303 KMF_PKCS11_PARAMS pkcs11_opts; 1304 } ks_opt_u; 1305 } KMF_FINDCERT_PARAMS, KMF_DELETECERT_PARAMS; 1306 1307 typedef struct { 1308 KMF_KEYSTORE_TYPE kstype; 1309 KMF_CREDENTIAL cred; 1310 KMF_KEY_CLASS keyclass; 1311 KMF_KEY_ALG keytype; 1312 KMF_ENCODE_FORMAT format; /* for key */ 1313 char *findLabel; 1314 char *idstr; 1315 union { 1316 KMF_NSS_PARAMS nss_opts; 1317 KMF_OPENSSL_PARAMS openssl_opts; 1318 KMF_PKCS11_PARAMS pkcs11_opts; 1319 } ks_opt_u; 1320 } KMF_FINDKEY_PARAMS; 1321 1322 typedef struct { 1323 KMF_KEYSTORE_TYPE kstype; 1324 KMF_KEY_ALG keytype; 1325 uint32_t keylength; 1326 char *keylabel; 1327 KMF_CREDENTIAL cred; 1328 KMF_BIGINT rsa_exponent; 1329 union { 1330 KMF_NSS_PARAMS nss_opts; 1331 KMF_OPENSSL_PARAMS openssl_opts; 1332 }ks_opt_u; 1333 } KMF_CREATEKEYPAIR_PARAMS; 1334 1335 1336 typedef struct { 1337 KMF_KEYSTORE_TYPE kstype; 1338 KMF_CREDENTIAL cred; 1339 KMF_ENCODE_FORMAT format; /* for key */ 1340 char *certLabel; 1341 KMF_ALGORITHM_INDEX algid; 1342 union { 1343 KMF_NSS_PARAMS nss_opts; 1344 KMF_OPENSSL_PARAMS openssl_opts; 1345 }ks_opt_u; 1346 } KMF_CRYPTOWITHCERT_PARAMS; 1347 1348 typedef struct { 1349 char *crl_name; 1350 } KMF_CHECKCRLDATE_PARAMS; 1351 1352 #define nssparms ks_opt_u.nss_opts 1353 #define sslparms ks_opt_u.openssl_opts 1354 #define pkcs11parms ks_opt_u.pkcs11_opts 1355 1356 #ifdef __cplusplus 1357 } 1358 #endif 1359 #endif /* _KMFTYPES_H */ 1360