1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5 #include "secoid.h"
6 #include "pkcs11t.h"
7 #include "secitem.h"
8 #include "secerr.h"
9 #include "prenv.h"
10 #include "plhash.h"
11 #include "nssrwlk.h"
12 #include "nssutil.h"
13
14 /* Library identity and versioning */
15
16 #if defined(DEBUG)
17 #define _DEBUG_STRING " (debug)"
18 #else
19 #define _DEBUG_STRING ""
20 #endif
21
22 /*
23 * Version information
24 */
25 const char __nss_util_version[] = "Version: NSS " NSSUTIL_VERSION _DEBUG_STRING;
26
27 /* MISSI Mosaic Object ID space */
28 /* USGov algorithm OID space: { 2 16 840 1 101 } */
29 #define USGOV 0x60, 0x86, 0x48, 0x01, 0x65
30 #define MISSI USGOV, 0x02, 0x01, 0x01
31 #define MISSI_OLD_KEA_DSS MISSI, 0x0c
32 #define MISSI_OLD_DSS MISSI, 0x02
33 #define MISSI_KEA_DSS MISSI, 0x14
34 #define MISSI_DSS MISSI, 0x13
35 #define MISSI_KEA MISSI, 0x0a
36 #define MISSI_ALT_KEA MISSI, 0x16
37
38 #define NISTALGS USGOV, 3, 4
39 #define AES NISTALGS, 1
40 #define SHAXXX NISTALGS, 2
41 #define DSA2 NISTALGS, 3
42
43 /**
44 ** The Netscape OID space is allocated by Terry Hayes. If you need
45 ** a piece of the space, contact him at thayes@netscape.com.
46 **/
47
48 /* Netscape Communications Corporation Object ID space */
49 /* { 2 16 840 1 113730 } */
50 #define NETSCAPE_OID 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42
51 #define NETSCAPE_CERT_EXT NETSCAPE_OID, 0x01
52 #define NETSCAPE_DATA_TYPE NETSCAPE_OID, 0x02
53 /* netscape directory oid - owned by Mark Smith (mcs@netscape.com) */
54 #define NETSCAPE_DIRECTORY NETSCAPE_OID, 0x03
55 #define NETSCAPE_POLICY NETSCAPE_OID, 0x04
56 #define NETSCAPE_CERT_SERVER NETSCAPE_OID, 0x05
57 #define NETSCAPE_ALGS NETSCAPE_OID, 0x06 /* algorithm OIDs */
58 #define NETSCAPE_NAME_COMPONENTS NETSCAPE_OID, 0x07
59
60 #define NETSCAPE_CERT_EXT_AIA NETSCAPE_CERT_EXT, 0x10
61 #define NETSCAPE_CERT_SERVER_CRMF NETSCAPE_CERT_SERVER, 0x01
62
63 /* these are old and should go away soon */
64 #define OLD_NETSCAPE 0x60, 0x86, 0x48, 0xd8, 0x6a
65 #define NS_CERT_EXT OLD_NETSCAPE, 0x01
66 #define NS_FILE_TYPE OLD_NETSCAPE, 0x02
67 #define NS_IMAGE_TYPE OLD_NETSCAPE, 0x03
68
69 /* RSA OID name space */
70 #define RSADSI 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d
71 #define PKCS RSADSI, 0x01
72 #define DIGEST RSADSI, 0x02
73 #define CIPHER RSADSI, 0x03
74 #define PKCS1 PKCS, 0x01
75 #define PKCS5 PKCS, 0x05
76 #define PKCS7 PKCS, 0x07
77 #define PKCS9 PKCS, 0x09
78 #define PKCS12 PKCS, 0x0c
79
80 /* Other OID name spaces */
81 #define ALGORITHM 0x2b, 0x0e, 0x03, 0x02
82 #define X500 0x55
83 #define X520_ATTRIBUTE_TYPE X500, 0x04
84 #define X500_ALG X500, 0x08
85 #define X500_ALG_ENCRYPTION X500_ALG, 0x01
86
87 /** X.509 v3 Extension OID
88 ** {joint-iso-ccitt (2) ds(5) 29}
89 **/
90 #define ID_CE_OID X500, 0x1d
91
92 #define RFC1274_ATTR_TYPE 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x1
93 /* #define RFC2247_ATTR_TYPE 0x09, 0x92, 0x26, 0xf5, 0x98, 0x1e, 0x64, 0x1 this is WRONG! */
94
95 /* PKCS #12 name spaces */
96 #define PKCS12_MODE_IDS PKCS12, 0x01
97 #define PKCS12_ESPVK_IDS PKCS12, 0x02
98 #define PKCS12_BAG_IDS PKCS12, 0x03
99 #define PKCS12_CERT_BAG_IDS PKCS12, 0x04
100 #define PKCS12_OIDS PKCS12, 0x05
101 #define PKCS12_PBE_IDS PKCS12_OIDS, 0x01
102 #define PKCS12_ENVELOPING_IDS PKCS12_OIDS, 0x02
103 #define PKCS12_SIGNATURE_IDS PKCS12_OIDS, 0x03
104 #define PKCS12_V2_PBE_IDS PKCS12, 0x01
105 #define PKCS9_CERT_TYPES PKCS9, 0x16
106 #define PKCS9_CRL_TYPES PKCS9, 0x17
107 #define PKCS9_SMIME_IDS PKCS9, 0x10
108 #define PKCS9_SMIME_ATTRS PKCS9_SMIME_IDS, 2
109 #define PKCS9_SMIME_ALGS PKCS9_SMIME_IDS, 3
110 #define PKCS12_VERSION1 PKCS12, 0x0a
111 #define PKCS12_V1_BAG_IDS PKCS12_VERSION1, 1
112
113 /* for DSA algorithm */
114 /* { iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) } */
115 #define ANSI_X9_ALGORITHM 0x2a, 0x86, 0x48, 0xce, 0x38, 0x4
116
117 /* for DH algorithm */
118 /* { iso(1) member-body(2) us(840) x9-57(10046) number-type(2) } */
119 /* need real OID person to look at this, copied the above line
120 * and added 6 to second to last value (and changed '4' to '2' */
121 #define ANSI_X942_ALGORITHM 0x2a, 0x86, 0x48, 0xce, 0x3e, 0x2
122
123 #define VERISIGN 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x45
124
125 #define INTERNET_SECURITY_MECH 0x2b, 0x06, 0x01, 0x05, 0x05
126
127 #define PKIX INTERNET_SECURITY_MECH, 0x07
128 #define PKIX_CERT_EXTENSIONS PKIX, 1
129 #define PKIX_POLICY_QUALIFIERS PKIX, 2
130 #define PKIX_KEY_USAGE PKIX, 3
131 #define PKIX_ACCESS_DESCRIPTION PKIX, 0x30
132 #define PKIX_OCSP PKIX_ACCESS_DESCRIPTION, 1
133 #define PKIX_CA_ISSUERS PKIX_ACCESS_DESCRIPTION, 2
134
135 #define PKIX_ID_PKIP PKIX, 5
136 #define PKIX_ID_REGCTRL PKIX_ID_PKIP, 1
137 #define PKIX_ID_REGINFO PKIX_ID_PKIP, 2
138
139 /* Microsoft Object ID space */
140 /* { 1.3.6.1.4.1.311 } */
141 #define MICROSOFT_OID 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37
142 #define EV_NAME_ATTRIBUTE MICROSOFT_OID, 60, 2, 1
143
144 /* Microsoft Crypto 2.0 ID space */
145 /* { 1.3.6.1.4.1.311.10 } */
146 #define MS_CRYPTO_20 MICROSOFT_OID, 10
147 /* Microsoft Crypto 2.0 Extended Key Usage ID space */
148 /* { 1.3.6.1.4.1.311.10.3 } */
149 #define MS_CRYPTO_EKU MS_CRYPTO_20, 3
150
151 #define CERTICOM_OID 0x2b, 0x81, 0x04
152 #define SECG_OID CERTICOM_OID, 0x00
153
154 #define ANSI_X962_OID 0x2a, 0x86, 0x48, 0xce, 0x3d
155 #define ANSI_X962_CURVE_OID ANSI_X962_OID, 0x03
156 #define ANSI_X962_GF2m_OID ANSI_X962_CURVE_OID, 0x00
157 #define ANSI_X962_GFp_OID ANSI_X962_CURVE_OID, 0x01
158 #define ANSI_X962_SIGNATURE_OID ANSI_X962_OID, 0x04
159 #define ANSI_X962_SPECIFY_OID ANSI_X962_SIGNATURE_OID, 0x03
160
161 /* for Camellia: iso(1) member-body(2) jisc(392)
162 * mitsubishi(200011) isl(61) security(1) algorithm(1)
163 */
164 #define MITSUBISHI_ALG 0x2a, 0x83, 0x08, 0x8c, 0x9a, 0x4b, 0x3d, 0x01, 0x01
165 #define CAMELLIA_ENCRYPT_OID MITSUBISHI_ALG, 1
166 #define CAMELLIA_WRAP_OID MITSUBISHI_ALG, 3
167
168 /* For IDEA: 1.3.6.1.4.1.188.7.1.1
169 */
170 #define ASCOM_OID 0x2b, 0x6, 0x1, 0x4, 0x1, 0xbc
171 #define ASCOM_IDEA_ALG ASCOM_OID, 0x7, 0x1, 0x1
172
173 /* for SEED : iso(1) member-body(2) korea(410)
174 * kisa(200004) algorithm(1)
175 */
176 #define SEED_OID 0x2a, 0x83, 0x1a, 0x8c, 0x9a, 0x44, 0x01
177
178 #define CONST_OID static const unsigned char
179
180 CONST_OID md2[] = { DIGEST, 0x02 };
181 CONST_OID md4[] = { DIGEST, 0x04 };
182 CONST_OID md5[] = { DIGEST, 0x05 };
183 CONST_OID hmac_sha1[] = { DIGEST, 7 };
184 CONST_OID hmac_sha224[] = { DIGEST, 8 };
185 CONST_OID hmac_sha256[] = { DIGEST, 9 };
186 CONST_OID hmac_sha384[] = { DIGEST, 10 };
187 CONST_OID hmac_sha512[] = { DIGEST, 11 };
188
189 CONST_OID rc2cbc[] = { CIPHER, 0x02 };
190 CONST_OID rc4[] = { CIPHER, 0x04 };
191 CONST_OID desede3cbc[] = { CIPHER, 0x07 };
192 CONST_OID rc5cbcpad[] = { CIPHER, 0x09 };
193
194 CONST_OID desecb[] = { ALGORITHM, 0x06 };
195 CONST_OID descbc[] = { ALGORITHM, 0x07 };
196 CONST_OID desofb[] = { ALGORITHM, 0x08 };
197 CONST_OID descfb[] = { ALGORITHM, 0x09 };
198 CONST_OID desmac[] = { ALGORITHM, 0x0a };
199 CONST_OID sdn702DSASignature[] = { ALGORITHM, 0x0c };
200 CONST_OID isoSHAWithRSASignature[] = { ALGORITHM, 0x0f };
201 CONST_OID desede[] = { ALGORITHM, 0x11 };
202 CONST_OID sha1[] = { ALGORITHM, 0x1a };
203 CONST_OID bogusDSASignaturewithSHA1Digest[] = { ALGORITHM, 0x1b };
204 CONST_OID isoSHA1WithRSASignature[] = { ALGORITHM, 0x1d };
205
206 CONST_OID pkcs1RSAEncryption[] = { PKCS1, 0x01 };
207 CONST_OID pkcs1MD2WithRSAEncryption[] = { PKCS1, 0x02 };
208 CONST_OID pkcs1MD4WithRSAEncryption[] = { PKCS1, 0x03 };
209 CONST_OID pkcs1MD5WithRSAEncryption[] = { PKCS1, 0x04 };
210 CONST_OID pkcs1SHA1WithRSAEncryption[] = { PKCS1, 0x05 };
211 CONST_OID pkcs1RSAOAEPEncryption[] = { PKCS1, 0x07 };
212 CONST_OID pkcs1MGF1[] = { PKCS1, 0x08 };
213 CONST_OID pkcs1PSpecified[] = { PKCS1, 0x09 };
214 CONST_OID pkcs1RSAPSSSignature[] = { PKCS1, 10 };
215 CONST_OID pkcs1SHA256WithRSAEncryption[] = { PKCS1, 11 };
216 CONST_OID pkcs1SHA384WithRSAEncryption[] = { PKCS1, 12 };
217 CONST_OID pkcs1SHA512WithRSAEncryption[] = { PKCS1, 13 };
218 CONST_OID pkcs1SHA224WithRSAEncryption[] = { PKCS1, 14 };
219
220 CONST_OID pkcs5PbeWithMD2AndDEScbc[] = { PKCS5, 0x01 };
221 CONST_OID pkcs5PbeWithMD5AndDEScbc[] = { PKCS5, 0x03 };
222 CONST_OID pkcs5PbeWithSha1AndDEScbc[] = { PKCS5, 0x0a };
223 CONST_OID pkcs5Pbkdf2[] = { PKCS5, 12 };
224 CONST_OID pkcs5Pbes2[] = { PKCS5, 13 };
225 CONST_OID pkcs5Pbmac1[] = { PKCS5, 14 };
226
227 CONST_OID pkcs7[] = { PKCS7 };
228 CONST_OID pkcs7Data[] = { PKCS7, 0x01 };
229 CONST_OID pkcs7SignedData[] = { PKCS7, 0x02 };
230 CONST_OID pkcs7EnvelopedData[] = { PKCS7, 0x03 };
231 CONST_OID pkcs7SignedEnvelopedData[] = { PKCS7, 0x04 };
232 CONST_OID pkcs7DigestedData[] = { PKCS7, 0x05 };
233 CONST_OID pkcs7EncryptedData[] = { PKCS7, 0x06 };
234
235 CONST_OID pkcs9EmailAddress[] = { PKCS9, 0x01 };
236 CONST_OID pkcs9UnstructuredName[] = { PKCS9, 0x02 };
237 CONST_OID pkcs9ContentType[] = { PKCS9, 0x03 };
238 CONST_OID pkcs9MessageDigest[] = { PKCS9, 0x04 };
239 CONST_OID pkcs9SigningTime[] = { PKCS9, 0x05 };
240 CONST_OID pkcs9CounterSignature[] = { PKCS9, 0x06 };
241 CONST_OID pkcs9ChallengePassword[] = { PKCS9, 0x07 };
242 CONST_OID pkcs9UnstructuredAddress[] = { PKCS9, 0x08 };
243 CONST_OID pkcs9ExtendedCertificateAttributes[] = { PKCS9, 0x09 };
244 CONST_OID pkcs9ExtensionRequest[] = { PKCS9, 14 };
245 CONST_OID pkcs9SMIMECapabilities[] = { PKCS9, 15 };
246 CONST_OID pkcs9FriendlyName[] = { PKCS9, 20 };
247 CONST_OID pkcs9LocalKeyID[] = { PKCS9, 21 };
248
249 CONST_OID pkcs9X509Certificate[] = { PKCS9_CERT_TYPES, 1 };
250 CONST_OID pkcs9SDSICertificate[] = { PKCS9_CERT_TYPES, 2 };
251 CONST_OID pkcs9X509CRL[] = { PKCS9_CRL_TYPES, 1 };
252
253 /* RFC2630 (CMS) OIDs */
254 CONST_OID cmsESDH[] = { PKCS9_SMIME_ALGS, 5 };
255 CONST_OID cms3DESwrap[] = { PKCS9_SMIME_ALGS, 6 };
256 CONST_OID cmsRC2wrap[] = { PKCS9_SMIME_ALGS, 7 };
257
258 /* RFC2633 SMIME message attributes */
259 CONST_OID smimeEncryptionKeyPreference[] = { PKCS9_SMIME_ATTRS, 11 };
260 CONST_OID ms_smimeEncryptionKeyPreference[] = { MICROSOFT_OID, 0x10, 0x4 };
261
262 CONST_OID x520CommonName[] = { X520_ATTRIBUTE_TYPE, 3 };
263 CONST_OID x520SurName[] = { X520_ATTRIBUTE_TYPE, 4 };
264 CONST_OID x520SerialNumber[] = { X520_ATTRIBUTE_TYPE, 5 };
265 CONST_OID x520CountryName[] = { X520_ATTRIBUTE_TYPE, 6 };
266 CONST_OID x520LocalityName[] = { X520_ATTRIBUTE_TYPE, 7 };
267 CONST_OID x520StateOrProvinceName[] = { X520_ATTRIBUTE_TYPE, 8 };
268 CONST_OID x520StreetAddress[] = { X520_ATTRIBUTE_TYPE, 9 };
269 CONST_OID x520OrgName[] = { X520_ATTRIBUTE_TYPE, 10 };
270 CONST_OID x520OrgUnitName[] = { X520_ATTRIBUTE_TYPE, 11 };
271 CONST_OID x520Title[] = { X520_ATTRIBUTE_TYPE, 12 };
272 CONST_OID x520BusinessCategory[] = { X520_ATTRIBUTE_TYPE, 15 };
273 CONST_OID x520PostalAddress[] = { X520_ATTRIBUTE_TYPE, 16 };
274 CONST_OID x520PostalCode[] = { X520_ATTRIBUTE_TYPE, 17 };
275 CONST_OID x520PostOfficeBox[] = { X520_ATTRIBUTE_TYPE, 18 };
276 CONST_OID x520Name[] = { X520_ATTRIBUTE_TYPE, 41 };
277 CONST_OID x520GivenName[] = { X520_ATTRIBUTE_TYPE, 42 };
278 CONST_OID x520Initials[] = { X520_ATTRIBUTE_TYPE, 43 };
279 CONST_OID x520GenerationQualifier[] = { X520_ATTRIBUTE_TYPE, 44 };
280 CONST_OID x520DnQualifier[] = { X520_ATTRIBUTE_TYPE, 46 };
281 CONST_OID x520HouseIdentifier[] = { X520_ATTRIBUTE_TYPE, 51 };
282 CONST_OID x520Pseudonym[] = { X520_ATTRIBUTE_TYPE, 65 };
283
284 CONST_OID nsTypeGIF[] = { NETSCAPE_DATA_TYPE, 0x01 };
285 CONST_OID nsTypeJPEG[] = { NETSCAPE_DATA_TYPE, 0x02 };
286 CONST_OID nsTypeURL[] = { NETSCAPE_DATA_TYPE, 0x03 };
287 CONST_OID nsTypeHTML[] = { NETSCAPE_DATA_TYPE, 0x04 };
288 CONST_OID nsTypeCertSeq[] = { NETSCAPE_DATA_TYPE, 0x05 };
289
290 CONST_OID missiCertKEADSSOld[] = { MISSI_OLD_KEA_DSS };
291 CONST_OID missiCertDSSOld[] = { MISSI_OLD_DSS };
292 CONST_OID missiCertKEADSS[] = { MISSI_KEA_DSS };
293 CONST_OID missiCertDSS[] = { MISSI_DSS };
294 CONST_OID missiCertKEA[] = { MISSI_KEA };
295 CONST_OID missiCertAltKEA[] = { MISSI_ALT_KEA };
296 CONST_OID x500RSAEncryption[] = { X500_ALG_ENCRYPTION, 0x01 };
297
298 /* added for alg 1485 */
299 CONST_OID rfc1274Uid[] = { RFC1274_ATTR_TYPE, 1 };
300 CONST_OID rfc1274Mail[] = { RFC1274_ATTR_TYPE, 3 };
301 CONST_OID rfc2247DomainComponent[] = { RFC1274_ATTR_TYPE, 25 };
302
303 /* Netscape private certificate extensions */
304 CONST_OID nsCertExtNetscapeOK[] = { NS_CERT_EXT, 1 };
305 CONST_OID nsCertExtIssuerLogo[] = { NS_CERT_EXT, 2 };
306 CONST_OID nsCertExtSubjectLogo[] = { NS_CERT_EXT, 3 };
307 CONST_OID nsExtCertType[] = { NETSCAPE_CERT_EXT, 0x01 };
308 CONST_OID nsExtBaseURL[] = { NETSCAPE_CERT_EXT, 0x02 };
309 CONST_OID nsExtRevocationURL[] = { NETSCAPE_CERT_EXT, 0x03 };
310 CONST_OID nsExtCARevocationURL[] = { NETSCAPE_CERT_EXT, 0x04 };
311 CONST_OID nsExtCACRLURL[] = { NETSCAPE_CERT_EXT, 0x05 };
312 CONST_OID nsExtCACertURL[] = { NETSCAPE_CERT_EXT, 0x06 };
313 CONST_OID nsExtCertRenewalURL[] = { NETSCAPE_CERT_EXT, 0x07 };
314 CONST_OID nsExtCAPolicyURL[] = { NETSCAPE_CERT_EXT, 0x08 };
315 CONST_OID nsExtHomepageURL[] = { NETSCAPE_CERT_EXT, 0x09 };
316 CONST_OID nsExtEntityLogo[] = { NETSCAPE_CERT_EXT, 0x0a };
317 CONST_OID nsExtUserPicture[] = { NETSCAPE_CERT_EXT, 0x0b };
318 CONST_OID nsExtSSLServerName[] = { NETSCAPE_CERT_EXT, 0x0c };
319 CONST_OID nsExtComment[] = { NETSCAPE_CERT_EXT, 0x0d };
320
321 /* the following 2 extensions are defined for and used by Cartman(NSM) */
322 CONST_OID nsExtLostPasswordURL[] = { NETSCAPE_CERT_EXT, 0x0e };
323 CONST_OID nsExtCertRenewalTime[] = { NETSCAPE_CERT_EXT, 0x0f };
324
325 CONST_OID nsExtAIACertRenewal[] = { NETSCAPE_CERT_EXT_AIA, 0x01 };
326 CONST_OID nsExtCertScopeOfUse[] = { NETSCAPE_CERT_EXT, 0x11 };
327 /* Reserved Netscape (2 16 840 1 113730 1 18) = { NETSCAPE_CERT_EXT, 0x12 }; */
328
329 /* Netscape policy values */
330 CONST_OID nsKeyUsageGovtApproved[] = { NETSCAPE_POLICY, 0x01 };
331
332 /* Netscape other name types */
333 CONST_OID netscapeNickname[] = { NETSCAPE_NAME_COMPONENTS, 0x01 };
334 CONST_OID netscapeAOLScreenname[] = { NETSCAPE_NAME_COMPONENTS, 0x02 };
335
336 /* OIDs needed for cert server */
337 CONST_OID netscapeRecoveryRequest[] = { NETSCAPE_CERT_SERVER_CRMF, 0x01 };
338
339 /* Standard x.509 v3 Certificate & CRL Extensions */
340 CONST_OID x509SubjectDirectoryAttr[] = { ID_CE_OID, 9 };
341 CONST_OID x509SubjectKeyID[] = { ID_CE_OID, 14 };
342 CONST_OID x509KeyUsage[] = { ID_CE_OID, 15 };
343 CONST_OID x509PrivateKeyUsagePeriod[] = { ID_CE_OID, 16 };
344 CONST_OID x509SubjectAltName[] = { ID_CE_OID, 17 };
345 CONST_OID x509IssuerAltName[] = { ID_CE_OID, 18 };
346 CONST_OID x509BasicConstraints[] = { ID_CE_OID, 19 };
347 CONST_OID x509CRLNumber[] = { ID_CE_OID, 20 };
348 CONST_OID x509ReasonCode[] = { ID_CE_OID, 21 };
349 CONST_OID x509HoldInstructionCode[] = { ID_CE_OID, 23 };
350 CONST_OID x509InvalidDate[] = { ID_CE_OID, 24 };
351 CONST_OID x509DeltaCRLIndicator[] = { ID_CE_OID, 27 };
352 CONST_OID x509IssuingDistributionPoint[] = { ID_CE_OID, 28 };
353 CONST_OID x509CertIssuer[] = { ID_CE_OID, 29 };
354 CONST_OID x509NameConstraints[] = { ID_CE_OID, 30 };
355 CONST_OID x509CRLDistPoints[] = { ID_CE_OID, 31 };
356 CONST_OID x509CertificatePolicies[] = { ID_CE_OID, 32 };
357 CONST_OID x509PolicyMappings[] = { ID_CE_OID, 33 };
358 CONST_OID x509AuthKeyID[] = { ID_CE_OID, 35 };
359 CONST_OID x509PolicyConstraints[] = { ID_CE_OID, 36 };
360 CONST_OID x509ExtKeyUsage[] = { ID_CE_OID, 37 };
361 CONST_OID x509FreshestCRL[] = { ID_CE_OID, 46 };
362 CONST_OID x509InhibitAnyPolicy[] = { ID_CE_OID, 54 };
363
364 CONST_OID x509CertificatePoliciesAnyPolicy[] = { ID_CE_OID, 32, 0 };
365 CONST_OID x509ExtKeyUsageAnyUsage[] = { ID_CE_OID, 37, 0 };
366
367 CONST_OID x509AuthInfoAccess[] = { PKIX_CERT_EXTENSIONS, 1 };
368 CONST_OID x509SubjectInfoAccess[] = { PKIX_CERT_EXTENSIONS, 11 };
369
370 CONST_OID x509SIATimeStamping[] = { PKIX_ACCESS_DESCRIPTION, 0x03 };
371 CONST_OID x509SIACaRepository[] = { PKIX_ACCESS_DESCRIPTION, 0x05 };
372
373 /* pkcs 12 additions */
374 CONST_OID pkcs12[] = { PKCS12 };
375 CONST_OID pkcs12ModeIDs[] = { PKCS12_MODE_IDS };
376 CONST_OID pkcs12ESPVKIDs[] = { PKCS12_ESPVK_IDS };
377 CONST_OID pkcs12BagIDs[] = { PKCS12_BAG_IDS };
378 CONST_OID pkcs12CertBagIDs[] = { PKCS12_CERT_BAG_IDS };
379 CONST_OID pkcs12OIDs[] = { PKCS12_OIDS };
380 CONST_OID pkcs12PBEIDs[] = { PKCS12_PBE_IDS };
381 CONST_OID pkcs12EnvelopingIDs[] = { PKCS12_ENVELOPING_IDS };
382 CONST_OID pkcs12SignatureIDs[] = { PKCS12_SIGNATURE_IDS };
383 CONST_OID pkcs12PKCS8KeyShrouding[] = { PKCS12_ESPVK_IDS, 0x01 };
384 CONST_OID pkcs12KeyBagID[] = { PKCS12_BAG_IDS, 0x01 };
385 CONST_OID pkcs12CertAndCRLBagID[] = { PKCS12_BAG_IDS, 0x02 };
386 CONST_OID pkcs12SecretBagID[] = { PKCS12_BAG_IDS, 0x03 };
387 CONST_OID pkcs12X509CertCRLBag[] = { PKCS12_CERT_BAG_IDS, 0x01 };
388 CONST_OID pkcs12SDSICertBag[] = { PKCS12_CERT_BAG_IDS, 0x02 };
389 CONST_OID pkcs12PBEWithSha1And128BitRC4[] = { PKCS12_PBE_IDS, 0x01 };
390 CONST_OID pkcs12PBEWithSha1And40BitRC4[] = { PKCS12_PBE_IDS, 0x02 };
391 CONST_OID pkcs12PBEWithSha1AndTripleDESCBC[] = { PKCS12_PBE_IDS, 0x03 };
392 CONST_OID pkcs12PBEWithSha1And128BitRC2CBC[] = { PKCS12_PBE_IDS, 0x04 };
393 CONST_OID pkcs12PBEWithSha1And40BitRC2CBC[] = { PKCS12_PBE_IDS, 0x05 };
394 CONST_OID pkcs12RSAEncryptionWith128BitRC4[] = { PKCS12_ENVELOPING_IDS, 0x01 };
395 CONST_OID pkcs12RSAEncryptionWith40BitRC4[] = { PKCS12_ENVELOPING_IDS, 0x02 };
396 CONST_OID pkcs12RSAEncryptionWithTripleDES[] = { PKCS12_ENVELOPING_IDS, 0x03 };
397 CONST_OID pkcs12RSASignatureWithSHA1Digest[] = { PKCS12_SIGNATURE_IDS, 0x01 };
398
399 /* pkcs 12 version 1.0 ids */
400 CONST_OID pkcs12V2PBEWithSha1And128BitRC4[] = { PKCS12_V2_PBE_IDS, 0x01 };
401 CONST_OID pkcs12V2PBEWithSha1And40BitRC4[] = { PKCS12_V2_PBE_IDS, 0x02 };
402 CONST_OID pkcs12V2PBEWithSha1And3KeyTripleDEScbc[] = { PKCS12_V2_PBE_IDS, 0x03 };
403 CONST_OID pkcs12V2PBEWithSha1And2KeyTripleDEScbc[] = { PKCS12_V2_PBE_IDS, 0x04 };
404 CONST_OID pkcs12V2PBEWithSha1And128BitRC2cbc[] = { PKCS12_V2_PBE_IDS, 0x05 };
405 CONST_OID pkcs12V2PBEWithSha1And40BitRC2cbc[] = { PKCS12_V2_PBE_IDS, 0x06 };
406
407 CONST_OID pkcs12SafeContentsID[] = { PKCS12_BAG_IDS, 0x04 };
408 CONST_OID pkcs12PKCS8ShroudedKeyBagID[] = { PKCS12_BAG_IDS, 0x05 };
409
410 CONST_OID pkcs12V1KeyBag[] = { PKCS12_V1_BAG_IDS, 0x01 };
411 CONST_OID pkcs12V1PKCS8ShroudedKeyBag[] = { PKCS12_V1_BAG_IDS, 0x02 };
412 CONST_OID pkcs12V1CertBag[] = { PKCS12_V1_BAG_IDS, 0x03 };
413 CONST_OID pkcs12V1CRLBag[] = { PKCS12_V1_BAG_IDS, 0x04 };
414 CONST_OID pkcs12V1SecretBag[] = { PKCS12_V1_BAG_IDS, 0x05 };
415 CONST_OID pkcs12V1SafeContentsBag[] = { PKCS12_V1_BAG_IDS, 0x06 };
416
417 /* The following encoding is INCORRECT, but correcting it would create a
418 * duplicate OID in the table. So, we will leave it alone.
419 */
420 CONST_OID pkcs12KeyUsageAttr[] = { 2, 5, 29, 15 };
421
422 CONST_OID ansix9DSASignature[] = { ANSI_X9_ALGORITHM, 0x01 };
423 CONST_OID ansix9DSASignaturewithSHA1Digest[] = { ANSI_X9_ALGORITHM, 0x03 };
424 CONST_OID nistDSASignaturewithSHA224Digest[] = { DSA2, 0x01 };
425 CONST_OID nistDSASignaturewithSHA256Digest[] = { DSA2, 0x02 };
426
427 /* verisign OIDs */
428 CONST_OID verisignUserNotices[] = { VERISIGN, 1, 7, 1, 1 };
429
430 /* pkix OIDs */
431 CONST_OID pkixCPSPointerQualifier[] = { PKIX_POLICY_QUALIFIERS, 1 };
432 CONST_OID pkixUserNoticeQualifier[] = { PKIX_POLICY_QUALIFIERS, 2 };
433
434 CONST_OID pkixOCSP[] = { PKIX_OCSP };
435 CONST_OID pkixOCSPBasicResponse[] = { PKIX_OCSP, 1 };
436 CONST_OID pkixOCSPNonce[] = { PKIX_OCSP, 2 };
437 CONST_OID pkixOCSPCRL[] = { PKIX_OCSP, 3 };
438 CONST_OID pkixOCSPResponse[] = { PKIX_OCSP, 4 };
439 CONST_OID pkixOCSPNoCheck[] = { PKIX_OCSP, 5 };
440 CONST_OID pkixOCSPArchiveCutoff[] = { PKIX_OCSP, 6 };
441 CONST_OID pkixOCSPServiceLocator[] = { PKIX_OCSP, 7 };
442
443 CONST_OID pkixCAIssuers[] = { PKIX_CA_ISSUERS };
444
445 CONST_OID pkixRegCtrlRegToken[] = { PKIX_ID_REGCTRL, 1 };
446 CONST_OID pkixRegCtrlAuthenticator[] = { PKIX_ID_REGCTRL, 2 };
447 CONST_OID pkixRegCtrlPKIPubInfo[] = { PKIX_ID_REGCTRL, 3 };
448 CONST_OID pkixRegCtrlPKIArchOptions[] = { PKIX_ID_REGCTRL, 4 };
449 CONST_OID pkixRegCtrlOldCertID[] = { PKIX_ID_REGCTRL, 5 };
450 CONST_OID pkixRegCtrlProtEncKey[] = { PKIX_ID_REGCTRL, 6 };
451 CONST_OID pkixRegInfoUTF8Pairs[] = { PKIX_ID_REGINFO, 1 };
452 CONST_OID pkixRegInfoCertReq[] = { PKIX_ID_REGINFO, 2 };
453
454 CONST_OID pkixExtendedKeyUsageServerAuth[] = { PKIX_KEY_USAGE, 1 };
455 CONST_OID pkixExtendedKeyUsageClientAuth[] = { PKIX_KEY_USAGE, 2 };
456 CONST_OID pkixExtendedKeyUsageCodeSign[] = { PKIX_KEY_USAGE, 3 };
457 CONST_OID pkixExtendedKeyUsageEMailProtect[] = { PKIX_KEY_USAGE, 4 };
458 /* IPsecEnd, IPsecTunnel, and IPsecUser are deprecated, but still in use
459 * (see RFC4945) */
460 CONST_OID pkixExtendedKeyUsageIPsecEnd[] = { PKIX_KEY_USAGE, 5 };
461 CONST_OID pkixExtendedKeyUsageIPsecTunnel[] = { PKIX_KEY_USAGE, 6 };
462 CONST_OID pkixExtendedKeyUsageIPsecUser[] = { PKIX_KEY_USAGE, 7 };
463 CONST_OID pkixExtendedKeyUsageTimeStamp[] = { PKIX_KEY_USAGE, 8 };
464 CONST_OID pkixOCSPResponderExtendedKeyUsage[] = { PKIX_KEY_USAGE, 9 };
465 /* 17 replaces 5 + 6 + 7 (declared obsolete in RFC 4945) */
466 CONST_OID pkixExtendedKeyUsageIPsecIKE[] = { PKIX_KEY_USAGE, 17 };
467 CONST_OID msExtendedKeyUsageTrustListSigning[] = { MS_CRYPTO_EKU, 1 };
468
469 CONST_OID ipsecIKEEnd[] = { INTERNET_SECURITY_MECH, 0x08, 0x02, 0x01 };
470 CONST_OID ipsecIKEIntermediate[] = { INTERNET_SECURITY_MECH, 0x08, 0x02, 0x02 };
471
472 /* OIDs for Netscape defined algorithms */
473 CONST_OID netscapeSMimeKEA[] = { NETSCAPE_ALGS, 0x01 };
474
475 /* Fortezza algorithm OIDs */
476 CONST_OID skipjackCBC[] = { MISSI, 0x04 };
477 CONST_OID dhPublicKey[] = { ANSI_X942_ALGORITHM, 0x1 };
478
479 CONST_OID idea_CBC[] = { ASCOM_IDEA_ALG, 2 };
480 CONST_OID aes128_GCM[] = { AES, 0x6 };
481 CONST_OID aes192_GCM[] = { AES, 0x1a };
482 CONST_OID aes256_GCM[] = { AES, 0x2e };
483 CONST_OID aes128_ECB[] = { AES, 1 };
484 CONST_OID aes128_CBC[] = { AES, 2 };
485 #ifdef DEFINE_ALL_AES_CIPHERS
486 CONST_OID aes128_OFB[] = { AES, 3 };
487 CONST_OID aes128_CFB[] = { AES, 4 };
488 #endif
489 CONST_OID aes128_KEY_WRAP[] = { AES, 5 };
490
491 CONST_OID aes192_ECB[] = { AES, 21 };
492 CONST_OID aes192_CBC[] = { AES, 22 };
493 #ifdef DEFINE_ALL_AES_CIPHERS
494 CONST_OID aes192_OFB[] = { AES, 23 };
495 CONST_OID aes192_CFB[] = { AES, 24 };
496 #endif
497 CONST_OID aes192_KEY_WRAP[] = { AES, 25 };
498
499 CONST_OID aes256_ECB[] = { AES, 41 };
500 CONST_OID aes256_CBC[] = { AES, 42 };
501 #ifdef DEFINE_ALL_AES_CIPHERS
502 CONST_OID aes256_OFB[] = { AES, 43 };
503 CONST_OID aes256_CFB[] = { AES, 44 };
504 #endif
505 CONST_OID aes256_KEY_WRAP[] = { AES, 45 };
506
507 CONST_OID camellia128_CBC[] = { CAMELLIA_ENCRYPT_OID, 2 };
508 CONST_OID camellia192_CBC[] = { CAMELLIA_ENCRYPT_OID, 3 };
509 CONST_OID camellia256_CBC[] = { CAMELLIA_ENCRYPT_OID, 4 };
510
511 CONST_OID sha256[] = { SHAXXX, 1 };
512 CONST_OID sha384[] = { SHAXXX, 2 };
513 CONST_OID sha512[] = { SHAXXX, 3 };
514 CONST_OID sha224[] = { SHAXXX, 4 };
515
516 CONST_OID ansix962ECPublicKey[] = { ANSI_X962_OID, 0x02, 0x01 };
517 CONST_OID ansix962SignaturewithSHA1Digest[] = { ANSI_X962_SIGNATURE_OID, 0x01 };
518 CONST_OID ansix962SignatureRecommended[] = { ANSI_X962_SIGNATURE_OID, 0x02 };
519 CONST_OID ansix962SignatureSpecified[] = { ANSI_X962_SPECIFY_OID };
520 CONST_OID ansix962SignaturewithSHA224Digest[] = { ANSI_X962_SPECIFY_OID, 0x01 };
521 CONST_OID ansix962SignaturewithSHA256Digest[] = { ANSI_X962_SPECIFY_OID, 0x02 };
522 CONST_OID ansix962SignaturewithSHA384Digest[] = { ANSI_X962_SPECIFY_OID, 0x03 };
523 CONST_OID ansix962SignaturewithSHA512Digest[] = { ANSI_X962_SPECIFY_OID, 0x04 };
524
525 /* ANSI X9.62 prime curve OIDs */
526 /* NOTE: prime192v1 is the same as secp192r1, prime256v1 is the
527 * same as secp256r1
528 */
529 CONST_OID ansiX962prime192v1[] = { ANSI_X962_GFp_OID, 0x01 }; /* unsupported by freebl */
530 CONST_OID ansiX962prime192v2[] = { ANSI_X962_GFp_OID, 0x02 }; /* unsupported by freebl */
531 CONST_OID ansiX962prime192v3[] = { ANSI_X962_GFp_OID, 0x03 }; /* unsupported by freebl */
532 CONST_OID ansiX962prime239v1[] = { ANSI_X962_GFp_OID, 0x04 }; /* unsupported by freebl */
533 CONST_OID ansiX962prime239v2[] = { ANSI_X962_GFp_OID, 0x05 }; /* unsupported by freebl */
534 CONST_OID ansiX962prime239v3[] = { ANSI_X962_GFp_OID, 0x06 }; /* unsupported by freebl */
535 CONST_OID ansiX962prime256v1[] = { ANSI_X962_GFp_OID, 0x07 };
536
537 /* SECG prime curve OIDs */
538 CONST_OID secgECsecp112r1[] = { SECG_OID, 0x06 }; /* unsupported by freebl */
539 CONST_OID secgECsecp112r2[] = { SECG_OID, 0x07 }; /* unsupported by freebl */
540 CONST_OID secgECsecp128r1[] = { SECG_OID, 0x1c }; /* unsupported by freebl */
541 CONST_OID secgECsecp128r2[] = { SECG_OID, 0x1d }; /* unsupported by freebl */
542 CONST_OID secgECsecp160k1[] = { SECG_OID, 0x09 }; /* unsupported by freebl */
543 CONST_OID secgECsecp160r1[] = { SECG_OID, 0x08 }; /* unsupported by freebl */
544 CONST_OID secgECsecp160r2[] = { SECG_OID, 0x1e }; /* unsupported by freebl */
545 CONST_OID secgECsecp192k1[] = { SECG_OID, 0x1f }; /* unsupported by freebl */
546 CONST_OID secgECsecp224k1[] = { SECG_OID, 0x20 }; /* unsupported by freebl */
547 CONST_OID secgECsecp224r1[] = { SECG_OID, 0x21 }; /* unsupported by freebl */
548 CONST_OID secgECsecp256k1[] = { SECG_OID, 0x0a }; /* unsupported by freebl */
549 CONST_OID secgECsecp384r1[] = { SECG_OID, 0x22 };
550 CONST_OID secgECsecp521r1[] = { SECG_OID, 0x23 };
551
552 /* ANSI X9.62 characteristic two curve OIDs */
553 CONST_OID ansiX962c2pnb163v1[] = { ANSI_X962_GF2m_OID, 0x01 }; /* unsupported by freebl */
554 CONST_OID ansiX962c2pnb163v2[] = { ANSI_X962_GF2m_OID, 0x02 }; /* unsupported by freebl */
555 CONST_OID ansiX962c2pnb163v3[] = { ANSI_X962_GF2m_OID, 0x03 }; /* unsupported by freebl */
556 CONST_OID ansiX962c2pnb176v1[] = { ANSI_X962_GF2m_OID, 0x04 }; /* unsupported by freebl */
557 CONST_OID ansiX962c2tnb191v1[] = { ANSI_X962_GF2m_OID, 0x05 }; /* unsupported by freebl */
558 CONST_OID ansiX962c2tnb191v2[] = { ANSI_X962_GF2m_OID, 0x06 }; /* unsupported by freebl */
559 CONST_OID ansiX962c2tnb191v3[] = { ANSI_X962_GF2m_OID, 0x07 }; /* unsupported by freebl */
560 CONST_OID ansiX962c2onb191v4[] = { ANSI_X962_GF2m_OID, 0x08 }; /* unsupported by freebl */
561 CONST_OID ansiX962c2onb191v5[] = { ANSI_X962_GF2m_OID, 0x09 }; /* unsupported by freebl */
562 CONST_OID ansiX962c2pnb208w1[] = { ANSI_X962_GF2m_OID, 0x0a }; /* unsupported by freebl */
563 CONST_OID ansiX962c2tnb239v1[] = { ANSI_X962_GF2m_OID, 0x0b }; /* unsupported by freebl */
564 CONST_OID ansiX962c2tnb239v2[] = { ANSI_X962_GF2m_OID, 0x0c }; /* unsupported by freebl */
565 CONST_OID ansiX962c2tnb239v3[] = { ANSI_X962_GF2m_OID, 0x0d }; /* unsupported by freebl */
566 CONST_OID ansiX962c2onb239v4[] = { ANSI_X962_GF2m_OID, 0x0e }; /* unsupported by freebl */
567 CONST_OID ansiX962c2onb239v5[] = { ANSI_X962_GF2m_OID, 0x0f }; /* unsupported by freebl */
568 CONST_OID ansiX962c2pnb272w1[] = { ANSI_X962_GF2m_OID, 0x10 }; /* unsupported by freebl */
569 CONST_OID ansiX962c2pnb304w1[] = { ANSI_X962_GF2m_OID, 0x11 }; /* unsupported by freebl */
570 CONST_OID ansiX962c2tnb359v1[] = { ANSI_X962_GF2m_OID, 0x12 }; /* unsupported by freebl */
571 CONST_OID ansiX962c2pnb368w1[] = { ANSI_X962_GF2m_OID, 0x13 }; /* unsupported by freebl */
572 CONST_OID ansiX962c2tnb431r1[] = { ANSI_X962_GF2m_OID, 0x14 }; /* unsupported by freebl */
573
574 /* SECG characterisitic two curve OIDs */
575 CONST_OID secgECsect113r1[] = { SECG_OID, 0x04 }; /* unsupported by freebl */
576 CONST_OID secgECsect113r2[] = { SECG_OID, 0x05 }; /* unsupported by freebl */
577 CONST_OID secgECsect131r1[] = { SECG_OID, 0x16 }; /* unsupported by freebl */
578 CONST_OID secgECsect131r2[] = { SECG_OID, 0x17 }; /* unsupported by freebl */
579 CONST_OID secgECsect163k1[] = { SECG_OID, 0x01 }; /* unsupported by freebl */
580 CONST_OID secgECsect163r1[] = { SECG_OID, 0x02 }; /* unsupported by freebl */
581 CONST_OID secgECsect163r2[] = { SECG_OID, 0x0f }; /* unsupported by freebl */
582 CONST_OID secgECsect193r1[] = { SECG_OID, 0x18 }; /* unsupported by freebl */
583 CONST_OID secgECsect193r2[] = { SECG_OID, 0x19 }; /* unsupported by freebl */
584 CONST_OID secgECsect233k1[] = { SECG_OID, 0x1a }; /* unsupported by freebl */
585 CONST_OID secgECsect233r1[] = { SECG_OID, 0x1b }; /* unsupported by freebl */
586 CONST_OID secgECsect239k1[] = { SECG_OID, 0x03 }; /* unsupported by freebl */
587 CONST_OID secgECsect283k1[] = { SECG_OID, 0x10 }; /* unsupported by freebl */
588 CONST_OID secgECsect283r1[] = { SECG_OID, 0x11 }; /* unsupported by freebl */
589 CONST_OID secgECsect409k1[] = { SECG_OID, 0x24 }; /* unsupported by freebl */
590 CONST_OID secgECsect409r1[] = { SECG_OID, 0x25 }; /* unsupported by freebl */
591 CONST_OID secgECsect571k1[] = { SECG_OID, 0x26 }; /* unsupported by freebl */
592 CONST_OID secgECsect571r1[] = { SECG_OID, 0x27 }; /* unsupported by freebl */
593
594 CONST_OID seed_CBC[] = { SEED_OID, 4 };
595
596 CONST_OID evIncorporationLocality[] = { EV_NAME_ATTRIBUTE, 1 };
597 CONST_OID evIncorporationState[] = { EV_NAME_ATTRIBUTE, 2 };
598 CONST_OID evIncorporationCountry[] = { EV_NAME_ATTRIBUTE, 3 };
599
600 /* https://tools.ietf.org/html/draft-josefsson-pkix-newcurves-01
601 * 1.3.6.1.4.1.11591.15.1
602 */
603 CONST_OID curve25519[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01 };
604
605 #define OI(x) \
606 { \
607 siDEROID, (unsigned char *)x, sizeof x \
608 }
609 #ifndef SECOID_NO_STRINGS
610 #define OD(oid, tag, desc, mech, ext) \
611 { \
612 OI(oid) \
613 , tag, desc, mech, ext \
614 }
615 #define ODE(tag, desc, mech, ext) \
616 { \
617 { siDEROID, NULL, 0 }, tag, desc, mech, ext \
618 }
619 #else
620 #define OD(oid, tag, desc, mech, ext) \
621 { \
622 OI(oid) \
623 , tag, 0, mech, ext \
624 }
625 #define ODE(tag, desc, mech, ext) \
626 { \
627 { siDEROID, NULL, 0 }, tag, 0, mech, ext \
628 }
629 #endif
630
631 #if defined(NSS_ALLOW_UNSUPPORTED_CRITICAL)
632 #define FAKE_SUPPORTED_CERT_EXTENSION SUPPORTED_CERT_EXTENSION
633 #else
634 #define FAKE_SUPPORTED_CERT_EXTENSION UNSUPPORTED_CERT_EXTENSION
635 #endif
636
637 /*
638 * NOTE: the order of these entries must mach the SECOidTag enum in secoidt.h!
639 */
640 const static SECOidData oids[SEC_OID_TOTAL] = {
641 { { siDEROID, NULL, 0 }, SEC_OID_UNKNOWN, "Unknown OID", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
642 OD(md2, SEC_OID_MD2, "MD2", CKM_MD2, INVALID_CERT_EXTENSION),
643 OD(md4, SEC_OID_MD4,
644 "MD4", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
645 OD(md5, SEC_OID_MD5, "MD5", CKM_MD5, INVALID_CERT_EXTENSION),
646 OD(sha1, SEC_OID_SHA1, "SHA-1", CKM_SHA_1, INVALID_CERT_EXTENSION),
647 OD(rc2cbc, SEC_OID_RC2_CBC,
648 "RC2-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION),
649 OD(rc4, SEC_OID_RC4, "RC4", CKM_RC4, INVALID_CERT_EXTENSION),
650 OD(desede3cbc, SEC_OID_DES_EDE3_CBC,
651 "DES-EDE3-CBC", CKM_DES3_CBC, INVALID_CERT_EXTENSION),
652 OD(rc5cbcpad, SEC_OID_RC5_CBC_PAD,
653 "RC5-CBCPad", CKM_RC5_CBC, INVALID_CERT_EXTENSION),
654 OD(desecb, SEC_OID_DES_ECB,
655 "DES-ECB", CKM_DES_ECB, INVALID_CERT_EXTENSION),
656 OD(descbc, SEC_OID_DES_CBC,
657 "DES-CBC", CKM_DES_CBC, INVALID_CERT_EXTENSION),
658 OD(desofb, SEC_OID_DES_OFB,
659 "DES-OFB", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
660 OD(descfb, SEC_OID_DES_CFB,
661 "DES-CFB", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
662 OD(desmac, SEC_OID_DES_MAC,
663 "DES-MAC", CKM_DES_MAC, INVALID_CERT_EXTENSION),
664 OD(desede, SEC_OID_DES_EDE,
665 "DES-EDE", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
666 OD(isoSHAWithRSASignature, SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE,
667 "ISO SHA with RSA Signature",
668 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
669 OD(pkcs1RSAEncryption, SEC_OID_PKCS1_RSA_ENCRYPTION,
670 "PKCS #1 RSA Encryption", CKM_RSA_PKCS, INVALID_CERT_EXTENSION),
671
672 /* the following Signing mechanisms should get new CKM_ values when
673 * values for CKM_RSA_WITH_MDX and CKM_RSA_WITH_SHA_1 get defined in
674 * PKCS #11.
675 */
676 OD(pkcs1MD2WithRSAEncryption, SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION,
677 "PKCS #1 MD2 With RSA Encryption", CKM_MD2_RSA_PKCS,
678 INVALID_CERT_EXTENSION),
679 OD(pkcs1MD4WithRSAEncryption, SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION,
680 "PKCS #1 MD4 With RSA Encryption",
681 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
682 OD(pkcs1MD5WithRSAEncryption, SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,
683 "PKCS #1 MD5 With RSA Encryption", CKM_MD5_RSA_PKCS,
684 INVALID_CERT_EXTENSION),
685 OD(pkcs1SHA1WithRSAEncryption, SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION,
686 "PKCS #1 SHA-1 With RSA Encryption", CKM_SHA1_RSA_PKCS,
687 INVALID_CERT_EXTENSION),
688
689 OD(pkcs5PbeWithMD2AndDEScbc, SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC,
690 "PKCS #5 Password Based Encryption with MD2 and DES-CBC",
691 CKM_PBE_MD2_DES_CBC, INVALID_CERT_EXTENSION),
692 OD(pkcs5PbeWithMD5AndDEScbc, SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC,
693 "PKCS #5 Password Based Encryption with MD5 and DES-CBC",
694 CKM_PBE_MD5_DES_CBC, INVALID_CERT_EXTENSION),
695 OD(pkcs5PbeWithSha1AndDEScbc, SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC,
696 "PKCS #5 Password Based Encryption with SHA-1 and DES-CBC",
697 CKM_NSS_PBE_SHA1_DES_CBC, INVALID_CERT_EXTENSION),
698 OD(pkcs7, SEC_OID_PKCS7,
699 "PKCS #7", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
700 OD(pkcs7Data, SEC_OID_PKCS7_DATA,
701 "PKCS #7 Data", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
702 OD(pkcs7SignedData, SEC_OID_PKCS7_SIGNED_DATA,
703 "PKCS #7 Signed Data", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
704 OD(pkcs7EnvelopedData, SEC_OID_PKCS7_ENVELOPED_DATA,
705 "PKCS #7 Enveloped Data",
706 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
707 OD(pkcs7SignedEnvelopedData, SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA,
708 "PKCS #7 Signed And Enveloped Data",
709 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
710 OD(pkcs7DigestedData, SEC_OID_PKCS7_DIGESTED_DATA,
711 "PKCS #7 Digested Data",
712 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
713 OD(pkcs7EncryptedData, SEC_OID_PKCS7_ENCRYPTED_DATA,
714 "PKCS #7 Encrypted Data",
715 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
716 OD(pkcs9EmailAddress, SEC_OID_PKCS9_EMAIL_ADDRESS,
717 "PKCS #9 Email Address",
718 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
719 OD(pkcs9UnstructuredName, SEC_OID_PKCS9_UNSTRUCTURED_NAME,
720 "PKCS #9 Unstructured Name",
721 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
722 OD(pkcs9ContentType, SEC_OID_PKCS9_CONTENT_TYPE,
723 "PKCS #9 Content Type",
724 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
725 OD(pkcs9MessageDigest, SEC_OID_PKCS9_MESSAGE_DIGEST,
726 "PKCS #9 Message Digest",
727 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
728 OD(pkcs9SigningTime, SEC_OID_PKCS9_SIGNING_TIME,
729 "PKCS #9 Signing Time",
730 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
731 OD(pkcs9CounterSignature, SEC_OID_PKCS9_COUNTER_SIGNATURE,
732 "PKCS #9 Counter Signature",
733 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
734 OD(pkcs9ChallengePassword, SEC_OID_PKCS9_CHALLENGE_PASSWORD,
735 "PKCS #9 Challenge Password",
736 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
737 OD(pkcs9UnstructuredAddress, SEC_OID_PKCS9_UNSTRUCTURED_ADDRESS,
738 "PKCS #9 Unstructured Address",
739 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
740 OD(pkcs9ExtendedCertificateAttributes,
741 SEC_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES,
742 "PKCS #9 Extended Certificate Attributes",
743 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
744 OD(pkcs9SMIMECapabilities, SEC_OID_PKCS9_SMIME_CAPABILITIES,
745 "PKCS #9 S/MIME Capabilities",
746 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
747 OD(x520CommonName, SEC_OID_AVA_COMMON_NAME,
748 "X520 Common Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
749 OD(x520CountryName, SEC_OID_AVA_COUNTRY_NAME,
750 "X520 Country Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
751 OD(x520LocalityName, SEC_OID_AVA_LOCALITY,
752 "X520 Locality Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
753 OD(x520StateOrProvinceName, SEC_OID_AVA_STATE_OR_PROVINCE,
754 "X520 State Or Province Name",
755 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
756 OD(x520OrgName, SEC_OID_AVA_ORGANIZATION_NAME,
757 "X520 Organization Name",
758 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
759 OD(x520OrgUnitName, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME,
760 "X520 Organizational Unit Name",
761 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
762 OD(x520DnQualifier, SEC_OID_AVA_DN_QUALIFIER,
763 "X520 DN Qualifier", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
764 OD(rfc2247DomainComponent, SEC_OID_AVA_DC,
765 "RFC 2247 Domain Component",
766 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
767
768 OD(nsTypeGIF, SEC_OID_NS_TYPE_GIF,
769 "GIF", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
770 OD(nsTypeJPEG, SEC_OID_NS_TYPE_JPEG,
771 "JPEG", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
772 OD(nsTypeURL, SEC_OID_NS_TYPE_URL,
773 "URL", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
774 OD(nsTypeHTML, SEC_OID_NS_TYPE_HTML,
775 "HTML", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
776 OD(nsTypeCertSeq, SEC_OID_NS_TYPE_CERT_SEQUENCE,
777 "Certificate Sequence",
778 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
779 OD(missiCertKEADSSOld, SEC_OID_MISSI_KEA_DSS_OLD,
780 "MISSI KEA and DSS Algorithm (Old)",
781 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
782 OD(missiCertDSSOld, SEC_OID_MISSI_DSS_OLD,
783 "MISSI DSS Algorithm (Old)",
784 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
785 OD(missiCertKEADSS, SEC_OID_MISSI_KEA_DSS,
786 "MISSI KEA and DSS Algorithm",
787 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
788 OD(missiCertDSS, SEC_OID_MISSI_DSS,
789 "MISSI DSS Algorithm",
790 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
791 OD(missiCertKEA, SEC_OID_MISSI_KEA,
792 "MISSI KEA Algorithm",
793 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
794 OD(missiCertAltKEA, SEC_OID_MISSI_ALT_KEA,
795 "MISSI Alternate KEA Algorithm",
796 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
797
798 /* Netscape private extensions */
799 OD(nsCertExtNetscapeOK, SEC_OID_NS_CERT_EXT_NETSCAPE_OK,
800 "Netscape says this cert is OK",
801 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION),
802 OD(nsCertExtIssuerLogo, SEC_OID_NS_CERT_EXT_ISSUER_LOGO,
803 "Certificate Issuer Logo",
804 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION),
805 OD(nsCertExtSubjectLogo, SEC_OID_NS_CERT_EXT_SUBJECT_LOGO,
806 "Certificate Subject Logo",
807 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION),
808 OD(nsExtCertType, SEC_OID_NS_CERT_EXT_CERT_TYPE,
809 "Certificate Type",
810 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION),
811 OD(nsExtBaseURL, SEC_OID_NS_CERT_EXT_BASE_URL,
812 "Certificate Extension Base URL",
813 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION),
814 OD(nsExtRevocationURL, SEC_OID_NS_CERT_EXT_REVOCATION_URL,
815 "Certificate Revocation URL",
816 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION),
817 OD(nsExtCARevocationURL, SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL,
818 "Certificate Authority Revocation URL",
819 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION),
820 OD(nsExtCACRLURL, SEC_OID_NS_CERT_EXT_CA_CRL_URL,
821 "Certificate Authority CRL Download URL",
822 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION),
823 OD(nsExtCACertURL, SEC_OID_NS_CERT_EXT_CA_CERT_URL,
824 "Certificate Authority Certificate Download URL",
825 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION),
826 OD(nsExtCertRenewalURL, SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL,
827 "Certificate Renewal URL",
828 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION),
829 OD(nsExtCAPolicyURL, SEC_OID_NS_CERT_EXT_CA_POLICY_URL,
830 "Certificate Authority Policy URL",
831 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION),
832 OD(nsExtHomepageURL, SEC_OID_NS_CERT_EXT_HOMEPAGE_URL,
833 "Certificate Homepage URL",
834 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION),
835 OD(nsExtEntityLogo, SEC_OID_NS_CERT_EXT_ENTITY_LOGO,
836 "Certificate Entity Logo",
837 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION),
838 OD(nsExtUserPicture, SEC_OID_NS_CERT_EXT_USER_PICTURE,
839 "Certificate User Picture",
840 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION),
841 OD(nsExtSSLServerName, SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME,
842 "Certificate SSL Server Name",
843 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION),
844 OD(nsExtComment, SEC_OID_NS_CERT_EXT_COMMENT,
845 "Certificate Comment",
846 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION),
847 OD(nsExtLostPasswordURL, SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL,
848 "Lost Password URL",
849 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION),
850 OD(nsExtCertRenewalTime, SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME,
851 "Certificate Renewal Time",
852 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION),
853 OD(nsKeyUsageGovtApproved, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED,
854 "Strong Crypto Export Approved",
855 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION),
856
857 /* x.509 v3 certificate extensions */
858 OD(x509SubjectDirectoryAttr, SEC_OID_X509_SUBJECT_DIRECTORY_ATTR,
859 "Certificate Subject Directory Attributes",
860 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION),
861 OD(x509SubjectKeyID, SEC_OID_X509_SUBJECT_KEY_ID,
862 "Certificate Subject Key ID",
863 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION),
864 OD(x509KeyUsage, SEC_OID_X509_KEY_USAGE,
865 "Certificate Key Usage",
866 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION),
867 OD(x509PrivateKeyUsagePeriod, SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD,
868 "Certificate Private Key Usage Period",
869 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION),
870 OD(x509SubjectAltName, SEC_OID_X509_SUBJECT_ALT_NAME,
871 "Certificate Subject Alt Name",
872 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION),
873 OD(x509IssuerAltName, SEC_OID_X509_ISSUER_ALT_NAME,
874 "Certificate Issuer Alt Name",
875 CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION),
876 OD(x509BasicConstraints, SEC_OID_X509_BASIC_CONSTRAINTS,
877 "Certificate Basic Constraints",
878 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION),
879 OD(x509NameConstraints, SEC_OID_X509_NAME_CONSTRAINTS,
880 "Certificate Name Constraints",
881 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION),
882 OD(x509CRLDistPoints, SEC_OID_X509_CRL_DIST_POINTS,
883 "CRL Distribution Points",
884 CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION),
885 OD(x509CertificatePolicies, SEC_OID_X509_CERTIFICATE_POLICIES,
886 "Certificate Policies",
887 CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION),
888 OD(x509PolicyMappings, SEC_OID_X509_POLICY_MAPPINGS,
889 "Certificate Policy Mappings",
890 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION),
891 OD(x509PolicyConstraints, SEC_OID_X509_POLICY_CONSTRAINTS,
892 "Certificate Policy Constraints",
893 CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION),
894 OD(x509AuthKeyID, SEC_OID_X509_AUTH_KEY_ID,
895 "Certificate Authority Key Identifier",
896 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION),
897 OD(x509ExtKeyUsage, SEC_OID_X509_EXT_KEY_USAGE,
898 "Extended Key Usage",
899 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION),
900 OD(x509AuthInfoAccess, SEC_OID_X509_AUTH_INFO_ACCESS,
901 "Authority Information Access",
902 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION),
903
904 /* x.509 v3 CRL extensions */
905 OD(x509CRLNumber, SEC_OID_X509_CRL_NUMBER,
906 "CRL Number", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION),
907 OD(x509ReasonCode, SEC_OID_X509_REASON_CODE,
908 "CRL reason code", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION),
909 OD(x509InvalidDate, SEC_OID_X509_INVALID_DATE,
910 "Invalid Date", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION),
911
912 OD(x500RSAEncryption, SEC_OID_X500_RSA_ENCRYPTION,
913 "X500 RSA Encryption", CKM_RSA_X_509, INVALID_CERT_EXTENSION),
914
915 /* added for alg 1485 */
916 OD(rfc1274Uid, SEC_OID_RFC1274_UID,
917 "RFC1274 User Id", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
918 OD(rfc1274Mail, SEC_OID_RFC1274_MAIL,
919 "RFC1274 E-mail Address",
920 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
921
922 /* pkcs 12 additions */
923 OD(pkcs12, SEC_OID_PKCS12,
924 "PKCS #12", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
925 OD(pkcs12ModeIDs, SEC_OID_PKCS12_MODE_IDS,
926 "PKCS #12 Mode IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
927 OD(pkcs12ESPVKIDs, SEC_OID_PKCS12_ESPVK_IDS,
928 "PKCS #12 ESPVK IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
929 OD(pkcs12BagIDs, SEC_OID_PKCS12_BAG_IDS,
930 "PKCS #12 Bag IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
931 OD(pkcs12CertBagIDs, SEC_OID_PKCS12_CERT_BAG_IDS,
932 "PKCS #12 Cert Bag IDs",
933 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
934 OD(pkcs12OIDs, SEC_OID_PKCS12_OIDS,
935 "PKCS #12 OIDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
936 OD(pkcs12PBEIDs, SEC_OID_PKCS12_PBE_IDS,
937 "PKCS #12 PBE IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
938 OD(pkcs12SignatureIDs, SEC_OID_PKCS12_SIGNATURE_IDS,
939 "PKCS #12 Signature IDs",
940 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
941 OD(pkcs12EnvelopingIDs, SEC_OID_PKCS12_ENVELOPING_IDS,
942 "PKCS #12 Enveloping IDs",
943 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
944 OD(pkcs12PKCS8KeyShrouding, SEC_OID_PKCS12_PKCS8_KEY_SHROUDING,
945 "PKCS #12 Key Shrouding",
946 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
947 OD(pkcs12KeyBagID, SEC_OID_PKCS12_KEY_BAG_ID,
948 "PKCS #12 Key Bag ID",
949 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
950 OD(pkcs12CertAndCRLBagID, SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID,
951 "PKCS #12 Cert And CRL Bag ID",
952 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
953 OD(pkcs12SecretBagID, SEC_OID_PKCS12_SECRET_BAG_ID,
954 "PKCS #12 Secret Bag ID",
955 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
956 OD(pkcs12X509CertCRLBag, SEC_OID_PKCS12_X509_CERT_CRL_BAG,
957 "PKCS #12 X509 Cert CRL Bag",
958 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
959 OD(pkcs12SDSICertBag, SEC_OID_PKCS12_SDSI_CERT_BAG,
960 "PKCS #12 SDSI Cert Bag",
961 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
962 OD(pkcs12PBEWithSha1And128BitRC4,
963 SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4,
964 "PKCS #12 PBE With SHA-1 and 128 Bit RC4",
965 CKM_NSS_PBE_SHA1_128_BIT_RC4, INVALID_CERT_EXTENSION),
966 OD(pkcs12PBEWithSha1And40BitRC4,
967 SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4,
968 "PKCS #12 PBE With SHA-1 and 40 Bit RC4",
969 CKM_NSS_PBE_SHA1_40_BIT_RC4, INVALID_CERT_EXTENSION),
970 OD(pkcs12PBEWithSha1AndTripleDESCBC,
971 SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC,
972 "PKCS #12 PBE With SHA-1 and Triple DES-CBC",
973 CKM_NSS_PBE_SHA1_TRIPLE_DES_CBC, INVALID_CERT_EXTENSION),
974 OD(pkcs12PBEWithSha1And128BitRC2CBC,
975 SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC,
976 "PKCS #12 PBE With SHA-1 and 128 Bit RC2 CBC",
977 CKM_NSS_PBE_SHA1_128_BIT_RC2_CBC, INVALID_CERT_EXTENSION),
978 OD(pkcs12PBEWithSha1And40BitRC2CBC,
979 SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC,
980 "PKCS #12 PBE With SHA-1 and 40 Bit RC2 CBC",
981 CKM_NSS_PBE_SHA1_40_BIT_RC2_CBC, INVALID_CERT_EXTENSION),
982 OD(pkcs12RSAEncryptionWith128BitRC4,
983 SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_128_BIT_RC4,
984 "PKCS #12 RSA Encryption with 128 Bit RC4",
985 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
986 OD(pkcs12RSAEncryptionWith40BitRC4,
987 SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_40_BIT_RC4,
988 "PKCS #12 RSA Encryption with 40 Bit RC4",
989 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
990 OD(pkcs12RSAEncryptionWithTripleDES,
991 SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_TRIPLE_DES,
992 "PKCS #12 RSA Encryption with Triple DES",
993 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
994 OD(pkcs12RSASignatureWithSHA1Digest,
995 SEC_OID_PKCS12_RSA_SIGNATURE_WITH_SHA1_DIGEST,
996 "PKCS #12 RSA Encryption with Triple DES",
997 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
998
999 /* DSA signatures */
1000 OD(ansix9DSASignature, SEC_OID_ANSIX9_DSA_SIGNATURE,
1001 "ANSI X9.57 DSA Signature", CKM_DSA, INVALID_CERT_EXTENSION),
1002 OD(ansix9DSASignaturewithSHA1Digest,
1003 SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST,
1004 "ANSI X9.57 DSA Signature with SHA-1 Digest",
1005 CKM_DSA_SHA1, INVALID_CERT_EXTENSION),
1006 OD(bogusDSASignaturewithSHA1Digest,
1007 SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST,
1008 "FORTEZZA DSA Signature with SHA-1 Digest",
1009 CKM_DSA_SHA1, INVALID_CERT_EXTENSION),
1010
1011 /* verisign oids */
1012 OD(verisignUserNotices, SEC_OID_VERISIGN_USER_NOTICES,
1013 "Verisign User Notices",
1014 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1015
1016 /* pkix oids */
1017 OD(pkixCPSPointerQualifier, SEC_OID_PKIX_CPS_POINTER_QUALIFIER,
1018 "PKIX CPS Pointer Qualifier",
1019 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1020 OD(pkixUserNoticeQualifier, SEC_OID_PKIX_USER_NOTICE_QUALIFIER,
1021 "PKIX User Notice Qualifier",
1022 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1023
1024 OD(pkixOCSP, SEC_OID_PKIX_OCSP,
1025 "PKIX Online Certificate Status Protocol",
1026 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1027 OD(pkixOCSPBasicResponse, SEC_OID_PKIX_OCSP_BASIC_RESPONSE,
1028 "OCSP Basic Response", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1029 OD(pkixOCSPNonce, SEC_OID_PKIX_OCSP_NONCE,
1030 "OCSP Nonce Extension", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1031 OD(pkixOCSPCRL, SEC_OID_PKIX_OCSP_CRL,
1032 "OCSP CRL Reference Extension",
1033 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1034 OD(pkixOCSPResponse, SEC_OID_PKIX_OCSP_RESPONSE,
1035 "OCSP Response Types Extension",
1036 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1037 OD(pkixOCSPNoCheck, SEC_OID_PKIX_OCSP_NO_CHECK,
1038 "OCSP No Check Extension",
1039 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION),
1040 OD(pkixOCSPArchiveCutoff, SEC_OID_PKIX_OCSP_ARCHIVE_CUTOFF,
1041 "OCSP Archive Cutoff Extension",
1042 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1043 OD(pkixOCSPServiceLocator, SEC_OID_PKIX_OCSP_SERVICE_LOCATOR,
1044 "OCSP Service Locator Extension",
1045 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1046
1047 OD(pkixRegCtrlRegToken, SEC_OID_PKIX_REGCTRL_REGTOKEN,
1048 "PKIX CRMF Registration Control, Registration Token",
1049 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1050 OD(pkixRegCtrlAuthenticator, SEC_OID_PKIX_REGCTRL_AUTHENTICATOR,
1051 "PKIX CRMF Registration Control, Registration Authenticator",
1052 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1053 OD(pkixRegCtrlPKIPubInfo, SEC_OID_PKIX_REGCTRL_PKIPUBINFO,
1054 "PKIX CRMF Registration Control, PKI Publication Info",
1055 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1056 OD(pkixRegCtrlPKIArchOptions,
1057 SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS,
1058 "PKIX CRMF Registration Control, PKI Archive Options",
1059 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1060 OD(pkixRegCtrlOldCertID, SEC_OID_PKIX_REGCTRL_OLD_CERT_ID,
1061 "PKIX CRMF Registration Control, Old Certificate ID",
1062 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1063 OD(pkixRegCtrlProtEncKey, SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY,
1064 "PKIX CRMF Registration Control, Protocol Encryption Key",
1065 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1066 OD(pkixRegInfoUTF8Pairs, SEC_OID_PKIX_REGINFO_UTF8_PAIRS,
1067 "PKIX CRMF Registration Info, UTF8 Pairs",
1068 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1069 OD(pkixRegInfoCertReq, SEC_OID_PKIX_REGINFO_CERT_REQUEST,
1070 "PKIX CRMF Registration Info, Certificate Request",
1071 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1072 OD(pkixExtendedKeyUsageServerAuth,
1073 SEC_OID_EXT_KEY_USAGE_SERVER_AUTH,
1074 "TLS Web Server Authentication Certificate",
1075 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1076 OD(pkixExtendedKeyUsageClientAuth,
1077 SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH,
1078 "TLS Web Client Authentication Certificate",
1079 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1080 OD(pkixExtendedKeyUsageCodeSign, SEC_OID_EXT_KEY_USAGE_CODE_SIGN,
1081 "Code Signing Certificate",
1082 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1083 OD(pkixExtendedKeyUsageEMailProtect,
1084 SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT,
1085 "E-Mail Protection Certificate",
1086 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1087 OD(pkixExtendedKeyUsageTimeStamp,
1088 SEC_OID_EXT_KEY_USAGE_TIME_STAMP,
1089 "Time Stamping Certifcate",
1090 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1091 OD(pkixOCSPResponderExtendedKeyUsage, SEC_OID_OCSP_RESPONDER,
1092 "OCSP Responder Certificate",
1093 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1094
1095 /* Netscape Algorithm OIDs */
1096
1097 OD(netscapeSMimeKEA, SEC_OID_NETSCAPE_SMIME_KEA,
1098 "Netscape S/MIME KEA", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1099
1100 /* Skipjack OID -- ### mwelch temporary */
1101 OD(skipjackCBC, SEC_OID_FORTEZZA_SKIPJACK,
1102 "Skipjack CBC64", CKM_SKIPJACK_CBC64, INVALID_CERT_EXTENSION),
1103
1104 /* pkcs12 v2 oids */
1105 OD(pkcs12V2PBEWithSha1And128BitRC4,
1106 SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4,
1107 "PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4",
1108 CKM_PBE_SHA1_RC4_128, INVALID_CERT_EXTENSION),
1109 OD(pkcs12V2PBEWithSha1And40BitRC4,
1110 SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4,
1111 "PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4",
1112 CKM_PBE_SHA1_RC4_40, INVALID_CERT_EXTENSION),
1113 OD(pkcs12V2PBEWithSha1And3KeyTripleDEScbc,
1114 SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC,
1115 "PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC",
1116 CKM_PBE_SHA1_DES3_EDE_CBC, INVALID_CERT_EXTENSION),
1117 OD(pkcs12V2PBEWithSha1And2KeyTripleDEScbc,
1118 SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC,
1119 "PKCS #12 V2 PBE With SHA-1 And 2KEY Triple DES-CBC",
1120 CKM_PBE_SHA1_DES2_EDE_CBC, INVALID_CERT_EXTENSION),
1121 OD(pkcs12V2PBEWithSha1And128BitRC2cbc,
1122 SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC,
1123 "PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC",
1124 CKM_PBE_SHA1_RC2_128_CBC, INVALID_CERT_EXTENSION),
1125 OD(pkcs12V2PBEWithSha1And40BitRC2cbc,
1126 SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC,
1127 "PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC",
1128 CKM_PBE_SHA1_RC2_40_CBC, INVALID_CERT_EXTENSION),
1129 OD(pkcs12SafeContentsID, SEC_OID_PKCS12_SAFE_CONTENTS_ID,
1130 "PKCS #12 Safe Contents ID",
1131 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1132 OD(pkcs12PKCS8ShroudedKeyBagID,
1133 SEC_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG_ID,
1134 "PKCS #12 Safe Contents ID",
1135 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1136 OD(pkcs12V1KeyBag, SEC_OID_PKCS12_V1_KEY_BAG_ID,
1137 "PKCS #12 V1 Key Bag",
1138 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1139 OD(pkcs12V1PKCS8ShroudedKeyBag,
1140 SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID,
1141 "PKCS #12 V1 PKCS8 Shrouded Key Bag",
1142 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1143 OD(pkcs12V1CertBag, SEC_OID_PKCS12_V1_CERT_BAG_ID,
1144 "PKCS #12 V1 Cert Bag",
1145 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1146 OD(pkcs12V1CRLBag, SEC_OID_PKCS12_V1_CRL_BAG_ID,
1147 "PKCS #12 V1 CRL Bag",
1148 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1149 OD(pkcs12V1SecretBag, SEC_OID_PKCS12_V1_SECRET_BAG_ID,
1150 "PKCS #12 V1 Secret Bag",
1151 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1152 OD(pkcs12V1SafeContentsBag, SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID,
1153 "PKCS #12 V1 Safe Contents Bag",
1154 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1155
1156 OD(pkcs9X509Certificate, SEC_OID_PKCS9_X509_CERT,
1157 "PKCS #9 X509 Certificate",
1158 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1159 OD(pkcs9SDSICertificate, SEC_OID_PKCS9_SDSI_CERT,
1160 "PKCS #9 SDSI Certificate",
1161 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1162 OD(pkcs9X509CRL, SEC_OID_PKCS9_X509_CRL,
1163 "PKCS #9 X509 CRL", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1164 OD(pkcs9FriendlyName, SEC_OID_PKCS9_FRIENDLY_NAME,
1165 "PKCS #9 Friendly Name",
1166 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1167 OD(pkcs9LocalKeyID, SEC_OID_PKCS9_LOCAL_KEY_ID,
1168 "PKCS #9 Local Key ID",
1169 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1170 OD(pkcs12KeyUsageAttr, SEC_OID_BOGUS_KEY_USAGE,
1171 "Bogus Key Usage", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1172 OD(dhPublicKey, SEC_OID_X942_DIFFIE_HELMAN_KEY,
1173 "Diffie-Helman Public Key", CKM_DH_PKCS_DERIVE,
1174 INVALID_CERT_EXTENSION),
1175 OD(netscapeNickname, SEC_OID_NETSCAPE_NICKNAME,
1176 "Netscape Nickname", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1177
1178 /* Cert Server specific OIDs */
1179 OD(netscapeRecoveryRequest, SEC_OID_NETSCAPE_RECOVERY_REQUEST,
1180 "Recovery Request OID",
1181 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1182
1183 OD(nsExtAIACertRenewal, SEC_OID_CERT_RENEWAL_LOCATOR,
1184 "Certificate Renewal Locator OID", CKM_INVALID_MECHANISM,
1185 INVALID_CERT_EXTENSION),
1186
1187 OD(nsExtCertScopeOfUse, SEC_OID_NS_CERT_EXT_SCOPE_OF_USE,
1188 "Certificate Scope-of-Use Extension", CKM_INVALID_MECHANISM,
1189 SUPPORTED_CERT_EXTENSION),
1190
1191 /* CMS stuff */
1192 OD(cmsESDH, SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN,
1193 "Ephemeral-Static Diffie-Hellman", CKM_INVALID_MECHANISM /* XXX */,
1194 INVALID_CERT_EXTENSION),
1195 OD(cms3DESwrap, SEC_OID_CMS_3DES_KEY_WRAP,
1196 "CMS Triple DES Key Wrap", CKM_INVALID_MECHANISM /* XXX */,
1197 INVALID_CERT_EXTENSION),
1198 OD(cmsRC2wrap, SEC_OID_CMS_RC2_KEY_WRAP,
1199 "CMS RC2 Key Wrap", CKM_INVALID_MECHANISM /* XXX */,
1200 INVALID_CERT_EXTENSION),
1201 OD(smimeEncryptionKeyPreference, SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE,
1202 "S/MIME Encryption Key Preference",
1203 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1204
1205 /* AES algorithm OIDs */
1206 OD(aes128_ECB, SEC_OID_AES_128_ECB,
1207 "AES-128-ECB", CKM_AES_ECB, INVALID_CERT_EXTENSION),
1208 OD(aes128_CBC, SEC_OID_AES_128_CBC,
1209 "AES-128-CBC", CKM_AES_CBC, INVALID_CERT_EXTENSION),
1210 OD(aes192_ECB, SEC_OID_AES_192_ECB,
1211 "AES-192-ECB", CKM_AES_ECB, INVALID_CERT_EXTENSION),
1212 OD(aes192_CBC, SEC_OID_AES_192_CBC,
1213 "AES-192-CBC", CKM_AES_CBC, INVALID_CERT_EXTENSION),
1214 OD(aes256_ECB, SEC_OID_AES_256_ECB,
1215 "AES-256-ECB", CKM_AES_ECB, INVALID_CERT_EXTENSION),
1216 OD(aes256_CBC, SEC_OID_AES_256_CBC,
1217 "AES-256-CBC", CKM_AES_CBC, INVALID_CERT_EXTENSION),
1218
1219 /* More bogus DSA OIDs */
1220 OD(sdn702DSASignature, SEC_OID_SDN702_DSA_SIGNATURE,
1221 "SDN.702 DSA Signature", CKM_DSA_SHA1, INVALID_CERT_EXTENSION),
1222
1223 OD(ms_smimeEncryptionKeyPreference,
1224 SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE,
1225 "Microsoft S/MIME Encryption Key Preference",
1226 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1227
1228 OD(sha256, SEC_OID_SHA256, "SHA-256", CKM_SHA256, INVALID_CERT_EXTENSION),
1229 OD(sha384, SEC_OID_SHA384, "SHA-384", CKM_SHA384, INVALID_CERT_EXTENSION),
1230 OD(sha512, SEC_OID_SHA512, "SHA-512", CKM_SHA512, INVALID_CERT_EXTENSION),
1231
1232 OD(pkcs1SHA256WithRSAEncryption, SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION,
1233 "PKCS #1 SHA-256 With RSA Encryption", CKM_SHA256_RSA_PKCS,
1234 INVALID_CERT_EXTENSION),
1235 OD(pkcs1SHA384WithRSAEncryption, SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION,
1236 "PKCS #1 SHA-384 With RSA Encryption", CKM_SHA384_RSA_PKCS,
1237 INVALID_CERT_EXTENSION),
1238 OD(pkcs1SHA512WithRSAEncryption, SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION,
1239 "PKCS #1 SHA-512 With RSA Encryption", CKM_SHA512_RSA_PKCS,
1240 INVALID_CERT_EXTENSION),
1241
1242 OD(aes128_KEY_WRAP, SEC_OID_AES_128_KEY_WRAP,
1243 "AES-128 Key Wrap", CKM_NSS_AES_KEY_WRAP, INVALID_CERT_EXTENSION),
1244 OD(aes192_KEY_WRAP, SEC_OID_AES_192_KEY_WRAP,
1245 "AES-192 Key Wrap", CKM_NSS_AES_KEY_WRAP, INVALID_CERT_EXTENSION),
1246 OD(aes256_KEY_WRAP, SEC_OID_AES_256_KEY_WRAP,
1247 "AES-256 Key Wrap", CKM_NSS_AES_KEY_WRAP, INVALID_CERT_EXTENSION),
1248
1249 /* Elliptic Curve Cryptography (ECC) OIDs */
1250 OD(ansix962ECPublicKey, SEC_OID_ANSIX962_EC_PUBLIC_KEY,
1251 "X9.62 elliptic curve public key", CKM_ECDH1_DERIVE,
1252 INVALID_CERT_EXTENSION),
1253 OD(ansix962SignaturewithSHA1Digest,
1254 SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE,
1255 "X9.62 ECDSA signature with SHA-1", CKM_ECDSA_SHA1,
1256 INVALID_CERT_EXTENSION),
1257
1258 /* Named curves */
1259 /* NOTE: Only P256, P384, P521, and 25519 are supported by softoken.
1260 * Using other curves requires an appropriate token. */
1261
1262 /* ANSI X9.62 named elliptic curves (prime field) */
1263 OD(ansiX962prime192v1, SEC_OID_ANSIX962_EC_PRIME192V1,
1264 "ANSI X9.62 elliptic curve prime192v1 (aka secp192r1, NIST P-192)",
1265 CKM_INVALID_MECHANISM,
1266 INVALID_CERT_EXTENSION),
1267 OD(ansiX962prime192v2, SEC_OID_ANSIX962_EC_PRIME192V2,
1268 "ANSI X9.62 elliptic curve prime192v2",
1269 CKM_INVALID_MECHANISM,
1270 INVALID_CERT_EXTENSION),
1271 OD(ansiX962prime192v3, SEC_OID_ANSIX962_EC_PRIME192V3,
1272 "ANSI X9.62 elliptic curve prime192v3",
1273 CKM_INVALID_MECHANISM,
1274 INVALID_CERT_EXTENSION),
1275 OD(ansiX962prime239v1, SEC_OID_ANSIX962_EC_PRIME239V1,
1276 "ANSI X9.62 elliptic curve prime239v1",
1277 CKM_INVALID_MECHANISM,
1278 INVALID_CERT_EXTENSION),
1279 OD(ansiX962prime239v2, SEC_OID_ANSIX962_EC_PRIME239V2,
1280 "ANSI X9.62 elliptic curve prime239v2",
1281 CKM_INVALID_MECHANISM,
1282 INVALID_CERT_EXTENSION),
1283 OD(ansiX962prime239v3, SEC_OID_ANSIX962_EC_PRIME239V3,
1284 "ANSI X9.62 elliptic curve prime239v3",
1285 CKM_INVALID_MECHANISM,
1286 INVALID_CERT_EXTENSION),
1287 OD(ansiX962prime256v1, SEC_OID_ANSIX962_EC_PRIME256V1,
1288 "ANSI X9.62 elliptic curve prime256v1 (aka secp256r1, NIST P-256)",
1289 CKM_INVALID_MECHANISM,
1290 INVALID_CERT_EXTENSION),
1291
1292 /* SECG named elliptic curves (prime field) */
1293 OD(secgECsecp112r1, SEC_OID_SECG_EC_SECP112R1,
1294 "SECG elliptic curve secp112r1",
1295 CKM_INVALID_MECHANISM,
1296 INVALID_CERT_EXTENSION),
1297 OD(secgECsecp112r2, SEC_OID_SECG_EC_SECP112R2,
1298 "SECG elliptic curve secp112r2",
1299 CKM_INVALID_MECHANISM,
1300 INVALID_CERT_EXTENSION),
1301 OD(secgECsecp128r1, SEC_OID_SECG_EC_SECP128R1,
1302 "SECG elliptic curve secp128r1",
1303 CKM_INVALID_MECHANISM,
1304 INVALID_CERT_EXTENSION),
1305 OD(secgECsecp128r2, SEC_OID_SECG_EC_SECP128R2,
1306 "SECG elliptic curve secp128r2",
1307 CKM_INVALID_MECHANISM,
1308 INVALID_CERT_EXTENSION),
1309 OD(secgECsecp160k1, SEC_OID_SECG_EC_SECP160K1,
1310 "SECG elliptic curve secp160k1",
1311 CKM_INVALID_MECHANISM,
1312 INVALID_CERT_EXTENSION),
1313 OD(secgECsecp160r1, SEC_OID_SECG_EC_SECP160R1,
1314 "SECG elliptic curve secp160r1",
1315 CKM_INVALID_MECHANISM,
1316 INVALID_CERT_EXTENSION),
1317 OD(secgECsecp160r2, SEC_OID_SECG_EC_SECP160R2,
1318 "SECG elliptic curve secp160r2",
1319 CKM_INVALID_MECHANISM,
1320 INVALID_CERT_EXTENSION),
1321 OD(secgECsecp192k1, SEC_OID_SECG_EC_SECP192K1,
1322 "SECG elliptic curve secp192k1",
1323 CKM_INVALID_MECHANISM,
1324 INVALID_CERT_EXTENSION),
1325 OD(secgECsecp224k1, SEC_OID_SECG_EC_SECP224K1,
1326 "SECG elliptic curve secp224k1",
1327 CKM_INVALID_MECHANISM,
1328 INVALID_CERT_EXTENSION),
1329 OD(secgECsecp224r1, SEC_OID_SECG_EC_SECP224R1,
1330 "SECG elliptic curve secp224r1 (aka NIST P-224)",
1331 CKM_INVALID_MECHANISM,
1332 INVALID_CERT_EXTENSION),
1333 OD(secgECsecp256k1, SEC_OID_SECG_EC_SECP256K1,
1334 "SECG elliptic curve secp256k1",
1335 CKM_INVALID_MECHANISM,
1336 INVALID_CERT_EXTENSION),
1337 OD(secgECsecp384r1, SEC_OID_SECG_EC_SECP384R1,
1338 "SECG elliptic curve secp384r1 (aka NIST P-384)",
1339 CKM_INVALID_MECHANISM,
1340 INVALID_CERT_EXTENSION),
1341 OD(secgECsecp521r1, SEC_OID_SECG_EC_SECP521R1,
1342 "SECG elliptic curve secp521r1 (aka NIST P-521)",
1343 CKM_INVALID_MECHANISM,
1344 INVALID_CERT_EXTENSION),
1345
1346 /* ANSI X9.62 named elliptic curves (characteristic two field) */
1347 OD(ansiX962c2pnb163v1, SEC_OID_ANSIX962_EC_C2PNB163V1,
1348 "ANSI X9.62 elliptic curve c2pnb163v1",
1349 CKM_INVALID_MECHANISM,
1350 INVALID_CERT_EXTENSION),
1351 OD(ansiX962c2pnb163v2, SEC_OID_ANSIX962_EC_C2PNB163V2,
1352 "ANSI X9.62 elliptic curve c2pnb163v2",
1353 CKM_INVALID_MECHANISM,
1354 INVALID_CERT_EXTENSION),
1355 OD(ansiX962c2pnb163v3, SEC_OID_ANSIX962_EC_C2PNB163V3,
1356 "ANSI X9.62 elliptic curve c2pnb163v3",
1357 CKM_INVALID_MECHANISM,
1358 INVALID_CERT_EXTENSION),
1359 OD(ansiX962c2pnb176v1, SEC_OID_ANSIX962_EC_C2PNB176V1,
1360 "ANSI X9.62 elliptic curve c2pnb176v1",
1361 CKM_INVALID_MECHANISM,
1362 INVALID_CERT_EXTENSION),
1363 OD(ansiX962c2tnb191v1, SEC_OID_ANSIX962_EC_C2TNB191V1,
1364 "ANSI X9.62 elliptic curve c2tnb191v1",
1365 CKM_INVALID_MECHANISM,
1366 INVALID_CERT_EXTENSION),
1367 OD(ansiX962c2tnb191v2, SEC_OID_ANSIX962_EC_C2TNB191V2,
1368 "ANSI X9.62 elliptic curve c2tnb191v2",
1369 CKM_INVALID_MECHANISM,
1370 INVALID_CERT_EXTENSION),
1371 OD(ansiX962c2tnb191v3, SEC_OID_ANSIX962_EC_C2TNB191V3,
1372 "ANSI X9.62 elliptic curve c2tnb191v3",
1373 CKM_INVALID_MECHANISM,
1374 INVALID_CERT_EXTENSION),
1375 OD(ansiX962c2onb191v4, SEC_OID_ANSIX962_EC_C2ONB191V4,
1376 "ANSI X9.62 elliptic curve c2onb191v4",
1377 CKM_INVALID_MECHANISM,
1378 INVALID_CERT_EXTENSION),
1379 OD(ansiX962c2onb191v5, SEC_OID_ANSIX962_EC_C2ONB191V5,
1380 "ANSI X9.62 elliptic curve c2onb191v5",
1381 CKM_INVALID_MECHANISM,
1382 INVALID_CERT_EXTENSION),
1383 OD(ansiX962c2pnb208w1, SEC_OID_ANSIX962_EC_C2PNB208W1,
1384 "ANSI X9.62 elliptic curve c2pnb208w1",
1385 CKM_INVALID_MECHANISM,
1386 INVALID_CERT_EXTENSION),
1387 OD(ansiX962c2tnb239v1, SEC_OID_ANSIX962_EC_C2TNB239V1,
1388 "ANSI X9.62 elliptic curve c2tnb239v1",
1389 CKM_INVALID_MECHANISM,
1390 INVALID_CERT_EXTENSION),
1391 OD(ansiX962c2tnb239v2, SEC_OID_ANSIX962_EC_C2TNB239V2,
1392 "ANSI X9.62 elliptic curve c2tnb239v2",
1393 CKM_INVALID_MECHANISM,
1394 INVALID_CERT_EXTENSION),
1395 OD(ansiX962c2tnb239v3, SEC_OID_ANSIX962_EC_C2TNB239V3,
1396 "ANSI X9.62 elliptic curve c2tnb239v3",
1397 CKM_INVALID_MECHANISM,
1398 INVALID_CERT_EXTENSION),
1399 OD(ansiX962c2onb239v4, SEC_OID_ANSIX962_EC_C2ONB239V4,
1400 "ANSI X9.62 elliptic curve c2onb239v4",
1401 CKM_INVALID_MECHANISM,
1402 INVALID_CERT_EXTENSION),
1403 OD(ansiX962c2onb239v5, SEC_OID_ANSIX962_EC_C2ONB239V5,
1404 "ANSI X9.62 elliptic curve c2onb239v5",
1405 CKM_INVALID_MECHANISM,
1406 INVALID_CERT_EXTENSION),
1407 OD(ansiX962c2pnb272w1, SEC_OID_ANSIX962_EC_C2PNB272W1,
1408 "ANSI X9.62 elliptic curve c2pnb272w1",
1409 CKM_INVALID_MECHANISM,
1410 INVALID_CERT_EXTENSION),
1411 OD(ansiX962c2pnb304w1, SEC_OID_ANSIX962_EC_C2PNB304W1,
1412 "ANSI X9.62 elliptic curve c2pnb304w1",
1413 CKM_INVALID_MECHANISM,
1414 INVALID_CERT_EXTENSION),
1415 OD(ansiX962c2tnb359v1, SEC_OID_ANSIX962_EC_C2TNB359V1,
1416 "ANSI X9.62 elliptic curve c2tnb359v1",
1417 CKM_INVALID_MECHANISM,
1418 INVALID_CERT_EXTENSION),
1419 OD(ansiX962c2pnb368w1, SEC_OID_ANSIX962_EC_C2PNB368W1,
1420 "ANSI X9.62 elliptic curve c2pnb368w1",
1421 CKM_INVALID_MECHANISM,
1422 INVALID_CERT_EXTENSION),
1423 OD(ansiX962c2tnb431r1, SEC_OID_ANSIX962_EC_C2TNB431R1,
1424 "ANSI X9.62 elliptic curve c2tnb431r1",
1425 CKM_INVALID_MECHANISM,
1426 INVALID_CERT_EXTENSION),
1427
1428 /* SECG named elliptic curves (characterisitic two field) */
1429 OD(secgECsect113r1, SEC_OID_SECG_EC_SECT113R1,
1430 "SECG elliptic curve sect113r1",
1431 CKM_INVALID_MECHANISM,
1432 INVALID_CERT_EXTENSION),
1433 OD(secgECsect113r2, SEC_OID_SECG_EC_SECT113R2,
1434 "SECG elliptic curve sect113r2",
1435 CKM_INVALID_MECHANISM,
1436 INVALID_CERT_EXTENSION),
1437 OD(secgECsect131r1, SEC_OID_SECG_EC_SECT131R1,
1438 "SECG elliptic curve sect131r1",
1439 CKM_INVALID_MECHANISM,
1440 INVALID_CERT_EXTENSION),
1441 OD(secgECsect131r2, SEC_OID_SECG_EC_SECT131R2,
1442 "SECG elliptic curve sect131r2",
1443 CKM_INVALID_MECHANISM,
1444 INVALID_CERT_EXTENSION),
1445 OD(secgECsect163k1, SEC_OID_SECG_EC_SECT163K1,
1446 "SECG elliptic curve sect163k1 (aka NIST K-163)",
1447 CKM_INVALID_MECHANISM,
1448 INVALID_CERT_EXTENSION),
1449 OD(secgECsect163r1, SEC_OID_SECG_EC_SECT163R1,
1450 "SECG elliptic curve sect163r1",
1451 CKM_INVALID_MECHANISM,
1452 INVALID_CERT_EXTENSION),
1453 OD(secgECsect163r2, SEC_OID_SECG_EC_SECT163R2,
1454 "SECG elliptic curve sect163r2 (aka NIST B-163)",
1455 CKM_INVALID_MECHANISM,
1456 INVALID_CERT_EXTENSION),
1457 OD(secgECsect193r1, SEC_OID_SECG_EC_SECT193R1,
1458 "SECG elliptic curve sect193r1",
1459 CKM_INVALID_MECHANISM,
1460 INVALID_CERT_EXTENSION),
1461 OD(secgECsect193r2, SEC_OID_SECG_EC_SECT193R2,
1462 "SECG elliptic curve sect193r2",
1463 CKM_INVALID_MECHANISM,
1464 INVALID_CERT_EXTENSION),
1465 OD(secgECsect233k1, SEC_OID_SECG_EC_SECT233K1,
1466 "SECG elliptic curve sect233k1 (aka NIST K-233)",
1467 CKM_INVALID_MECHANISM,
1468 INVALID_CERT_EXTENSION),
1469 OD(secgECsect233r1, SEC_OID_SECG_EC_SECT233R1,
1470 "SECG elliptic curve sect233r1 (aka NIST B-233)",
1471 CKM_INVALID_MECHANISM,
1472 INVALID_CERT_EXTENSION),
1473 OD(secgECsect239k1, SEC_OID_SECG_EC_SECT239K1,
1474 "SECG elliptic curve sect239k1",
1475 CKM_INVALID_MECHANISM,
1476 INVALID_CERT_EXTENSION),
1477 OD(secgECsect283k1, SEC_OID_SECG_EC_SECT283K1,
1478 "SECG elliptic curve sect283k1 (aka NIST K-283)",
1479 CKM_INVALID_MECHANISM,
1480 INVALID_CERT_EXTENSION),
1481 OD(secgECsect283r1, SEC_OID_SECG_EC_SECT283R1,
1482 "SECG elliptic curve sect283r1 (aka NIST B-283)",
1483 CKM_INVALID_MECHANISM,
1484 INVALID_CERT_EXTENSION),
1485 OD(secgECsect409k1, SEC_OID_SECG_EC_SECT409K1,
1486 "SECG elliptic curve sect409k1 (aka NIST K-409)",
1487 CKM_INVALID_MECHANISM,
1488 INVALID_CERT_EXTENSION),
1489 OD(secgECsect409r1, SEC_OID_SECG_EC_SECT409R1,
1490 "SECG elliptic curve sect409r1 (aka NIST B-409)",
1491 CKM_INVALID_MECHANISM,
1492 INVALID_CERT_EXTENSION),
1493 OD(secgECsect571k1, SEC_OID_SECG_EC_SECT571K1,
1494 "SECG elliptic curve sect571k1 (aka NIST K-571)",
1495 CKM_INVALID_MECHANISM,
1496 INVALID_CERT_EXTENSION),
1497 OD(secgECsect571r1, SEC_OID_SECG_EC_SECT571R1,
1498 "SECG elliptic curve sect571r1 (aka NIST B-571)",
1499 CKM_INVALID_MECHANISM,
1500 INVALID_CERT_EXTENSION),
1501
1502 OD(netscapeAOLScreenname, SEC_OID_NETSCAPE_AOLSCREENNAME,
1503 "AOL Screenname", CKM_INVALID_MECHANISM,
1504 INVALID_CERT_EXTENSION),
1505
1506 OD(x520SurName, SEC_OID_AVA_SURNAME,
1507 "X520 Title", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1508 OD(x520SerialNumber, SEC_OID_AVA_SERIAL_NUMBER,
1509 "X520 Serial Number", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1510 OD(x520StreetAddress, SEC_OID_AVA_STREET_ADDRESS,
1511 "X520 Street Address", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1512 OD(x520Title, SEC_OID_AVA_TITLE,
1513 "X520 Title", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1514 OD(x520PostalAddress, SEC_OID_AVA_POSTAL_ADDRESS,
1515 "X520 Postal Address", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1516 OD(x520PostalCode, SEC_OID_AVA_POSTAL_CODE,
1517 "X520 Postal Code", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1518 OD(x520PostOfficeBox, SEC_OID_AVA_POST_OFFICE_BOX,
1519 "X520 Post Office Box", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1520 OD(x520GivenName, SEC_OID_AVA_GIVEN_NAME,
1521 "X520 Given Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1522 OD(x520Initials, SEC_OID_AVA_INITIALS,
1523 "X520 Initials", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1524 OD(x520GenerationQualifier, SEC_OID_AVA_GENERATION_QUALIFIER,
1525 "X520 Generation Qualifier",
1526 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1527 OD(x520HouseIdentifier, SEC_OID_AVA_HOUSE_IDENTIFIER,
1528 "X520 House Identifier",
1529 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1530 OD(x520Pseudonym, SEC_OID_AVA_PSEUDONYM,
1531 "X520 Pseudonym", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1532
1533 /* More OIDs */
1534 OD(pkixCAIssuers, SEC_OID_PKIX_CA_ISSUERS,
1535 "PKIX CA issuers access method",
1536 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1537 OD(pkcs9ExtensionRequest, SEC_OID_PKCS9_EXTENSION_REQUEST,
1538 "PKCS #9 Extension Request",
1539 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1540
1541 /* more ECC Signature Oids */
1542 OD(ansix962SignatureRecommended,
1543 SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST,
1544 "X9.62 ECDSA signature with recommended digest", CKM_INVALID_MECHANISM,
1545 INVALID_CERT_EXTENSION),
1546 OD(ansix962SignatureSpecified,
1547 SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST,
1548 "X9.62 ECDSA signature with specified digest", CKM_ECDSA,
1549 INVALID_CERT_EXTENSION),
1550 OD(ansix962SignaturewithSHA224Digest,
1551 SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE,
1552 "X9.62 ECDSA signature with SHA224", CKM_INVALID_MECHANISM,
1553 INVALID_CERT_EXTENSION),
1554 OD(ansix962SignaturewithSHA256Digest,
1555 SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE,
1556 "X9.62 ECDSA signature with SHA256", CKM_INVALID_MECHANISM,
1557 INVALID_CERT_EXTENSION),
1558 OD(ansix962SignaturewithSHA384Digest,
1559 SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE,
1560 "X9.62 ECDSA signature with SHA384", CKM_INVALID_MECHANISM,
1561 INVALID_CERT_EXTENSION),
1562 OD(ansix962SignaturewithSHA512Digest,
1563 SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE,
1564 "X9.62 ECDSA signature with SHA512", CKM_INVALID_MECHANISM,
1565 INVALID_CERT_EXTENSION),
1566
1567 /* More id-ce and id-pe OIDs from RFC 3280 */
1568 OD(x509HoldInstructionCode, SEC_OID_X509_HOLD_INSTRUCTION_CODE,
1569 "CRL Hold Instruction Code", CKM_INVALID_MECHANISM,
1570 UNSUPPORTED_CERT_EXTENSION),
1571 OD(x509DeltaCRLIndicator, SEC_OID_X509_DELTA_CRL_INDICATOR,
1572 "Delta CRL Indicator", CKM_INVALID_MECHANISM,
1573 FAKE_SUPPORTED_CERT_EXTENSION),
1574 OD(x509IssuingDistributionPoint, SEC_OID_X509_ISSUING_DISTRIBUTION_POINT,
1575 "Issuing Distribution Point", CKM_INVALID_MECHANISM,
1576 FAKE_SUPPORTED_CERT_EXTENSION),
1577 OD(x509CertIssuer, SEC_OID_X509_CERT_ISSUER,
1578 "Certificate Issuer Extension", CKM_INVALID_MECHANISM,
1579 FAKE_SUPPORTED_CERT_EXTENSION),
1580 OD(x509FreshestCRL, SEC_OID_X509_FRESHEST_CRL,
1581 "Freshest CRL", CKM_INVALID_MECHANISM,
1582 UNSUPPORTED_CERT_EXTENSION),
1583 OD(x509InhibitAnyPolicy, SEC_OID_X509_INHIBIT_ANY_POLICY,
1584 "Inhibit Any Policy", CKM_INVALID_MECHANISM,
1585 FAKE_SUPPORTED_CERT_EXTENSION),
1586 OD(x509SubjectInfoAccess, SEC_OID_X509_SUBJECT_INFO_ACCESS,
1587 "Subject Info Access", CKM_INVALID_MECHANISM,
1588 UNSUPPORTED_CERT_EXTENSION),
1589
1590 /* Camellia algorithm OIDs */
1591 OD(camellia128_CBC, SEC_OID_CAMELLIA_128_CBC,
1592 "CAMELLIA-128-CBC", CKM_CAMELLIA_CBC, INVALID_CERT_EXTENSION),
1593 OD(camellia192_CBC, SEC_OID_CAMELLIA_192_CBC,
1594 "CAMELLIA-192-CBC", CKM_CAMELLIA_CBC, INVALID_CERT_EXTENSION),
1595 OD(camellia256_CBC, SEC_OID_CAMELLIA_256_CBC,
1596 "CAMELLIA-256-CBC", CKM_CAMELLIA_CBC, INVALID_CERT_EXTENSION),
1597
1598 /* PKCS 5 v2 OIDS */
1599 OD(pkcs5Pbkdf2, SEC_OID_PKCS5_PBKDF2,
1600 "PKCS #5 Password Based Key Dervive Function v2 ",
1601 CKM_PKCS5_PBKD2, INVALID_CERT_EXTENSION),
1602 OD(pkcs5Pbes2, SEC_OID_PKCS5_PBES2,
1603 "PKCS #5 Password Based Encryption v2 ",
1604 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1605 OD(pkcs5Pbmac1, SEC_OID_PKCS5_PBMAC1,
1606 "PKCS #5 Password Based Authentication v1 ",
1607 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1608 OD(hmac_sha1, SEC_OID_HMAC_SHA1, "HMAC SHA-1",
1609 CKM_SHA_1_HMAC, INVALID_CERT_EXTENSION),
1610 OD(hmac_sha224, SEC_OID_HMAC_SHA224, "HMAC SHA-224",
1611 CKM_SHA224_HMAC, INVALID_CERT_EXTENSION),
1612 OD(hmac_sha256, SEC_OID_HMAC_SHA256, "HMAC SHA-256",
1613 CKM_SHA256_HMAC, INVALID_CERT_EXTENSION),
1614 OD(hmac_sha384, SEC_OID_HMAC_SHA384, "HMAC SHA-384",
1615 CKM_SHA384_HMAC, INVALID_CERT_EXTENSION),
1616 OD(hmac_sha512, SEC_OID_HMAC_SHA512, "HMAC SHA-512",
1617 CKM_SHA512_HMAC, INVALID_CERT_EXTENSION),
1618
1619 /* SIA extension OIDs */
1620 OD(x509SIATimeStamping, SEC_OID_PKIX_TIMESTAMPING,
1621 "SIA Time Stamping", CKM_INVALID_MECHANISM,
1622 INVALID_CERT_EXTENSION),
1623 OD(x509SIACaRepository, SEC_OID_PKIX_CA_REPOSITORY,
1624 "SIA CA Repository", CKM_INVALID_MECHANISM,
1625 INVALID_CERT_EXTENSION),
1626
1627 OD(isoSHA1WithRSASignature, SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE,
1628 "ISO SHA-1 with RSA Signature",
1629 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1630
1631 /* SEED algorithm OIDs */
1632 OD(seed_CBC, SEC_OID_SEED_CBC,
1633 "SEED-CBC", CKM_SEED_CBC, INVALID_CERT_EXTENSION),
1634
1635 OD(x509CertificatePoliciesAnyPolicy, SEC_OID_X509_ANY_POLICY,
1636 "Certificate Policies AnyPolicy",
1637 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1638
1639 OD(pkcs1RSAOAEPEncryption, SEC_OID_PKCS1_RSA_OAEP_ENCRYPTION,
1640 "PKCS #1 RSA-OAEP Encryption", CKM_RSA_PKCS_OAEP,
1641 INVALID_CERT_EXTENSION),
1642
1643 OD(pkcs1MGF1, SEC_OID_PKCS1_MGF1,
1644 "PKCS #1 MGF1 Mask Generation Function", CKM_INVALID_MECHANISM,
1645 INVALID_CERT_EXTENSION),
1646
1647 OD(pkcs1PSpecified, SEC_OID_PKCS1_PSPECIFIED,
1648 "PKCS #1 RSA-OAEP Explicitly Specified Encoding Parameters",
1649 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1650
1651 OD(pkcs1RSAPSSSignature, SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
1652 "PKCS #1 RSA-PSS Signature", CKM_RSA_PKCS_PSS,
1653 INVALID_CERT_EXTENSION),
1654
1655 OD(pkcs1SHA224WithRSAEncryption, SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION,
1656 "PKCS #1 SHA-224 With RSA Encryption", CKM_SHA224_RSA_PKCS,
1657 INVALID_CERT_EXTENSION),
1658
1659 OD(sha224, SEC_OID_SHA224, "SHA-224", CKM_SHA224, INVALID_CERT_EXTENSION),
1660
1661 OD(evIncorporationLocality, SEC_OID_EV_INCORPORATION_LOCALITY,
1662 "Jurisdiction of Incorporation Locality Name",
1663 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1664 OD(evIncorporationState, SEC_OID_EV_INCORPORATION_STATE,
1665 "Jurisdiction of Incorporation State Name",
1666 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1667 OD(evIncorporationCountry, SEC_OID_EV_INCORPORATION_COUNTRY,
1668 "Jurisdiction of Incorporation Country Name",
1669 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1670 OD(x520BusinessCategory, SEC_OID_BUSINESS_CATEGORY,
1671 "Business Category",
1672 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1673
1674 OD(nistDSASignaturewithSHA224Digest,
1675 SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST,
1676 "DSA with SHA-224 Signature",
1677 CKM_INVALID_MECHANISM /* not yet defined */, INVALID_CERT_EXTENSION),
1678 OD(nistDSASignaturewithSHA256Digest,
1679 SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST,
1680 "DSA with SHA-256 Signature",
1681 CKM_INVALID_MECHANISM /* not yet defined */, INVALID_CERT_EXTENSION),
1682 OD(msExtendedKeyUsageTrustListSigning,
1683 SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING,
1684 "Microsoft Trust List Signing",
1685 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1686 OD(x520Name, SEC_OID_AVA_NAME,
1687 "X520 Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1688
1689 OD(aes128_GCM, SEC_OID_AES_128_GCM,
1690 "AES-128-GCM", CKM_AES_GCM, INVALID_CERT_EXTENSION),
1691 OD(aes192_GCM, SEC_OID_AES_192_GCM,
1692 "AES-192-GCM", CKM_AES_GCM, INVALID_CERT_EXTENSION),
1693 OD(aes256_GCM, SEC_OID_AES_256_GCM,
1694 "AES-256-GCM", CKM_AES_GCM, INVALID_CERT_EXTENSION),
1695 OD(idea_CBC, SEC_OID_IDEA_CBC,
1696 "IDEA_CBC", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1697
1698 ODE(SEC_OID_RC2_40_CBC,
1699 "RC2-40-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION),
1700 ODE(SEC_OID_DES_40_CBC,
1701 "DES-40-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION),
1702 ODE(SEC_OID_RC4_40,
1703 "RC4-40", CKM_RC4, INVALID_CERT_EXTENSION),
1704 ODE(SEC_OID_RC4_56,
1705 "RC4-56", CKM_RC4, INVALID_CERT_EXTENSION),
1706 ODE(SEC_OID_NULL_CIPHER,
1707 "NULL cipher", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1708 ODE(SEC_OID_HMAC_MD5,
1709 "HMAC-MD5", CKM_MD5_HMAC, INVALID_CERT_EXTENSION),
1710 ODE(SEC_OID_TLS_RSA,
1711 "TLS RSA key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1712 ODE(SEC_OID_TLS_DHE_RSA,
1713 "TLS DHE-RSA key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1714 ODE(SEC_OID_TLS_DHE_DSS,
1715 "TLS DHE-DSS key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1716 ODE(SEC_OID_TLS_DH_RSA,
1717 "TLS DH-RSA key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1718 ODE(SEC_OID_TLS_DH_DSS,
1719 "TLS DH-DSS key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1720 ODE(SEC_OID_TLS_DH_ANON,
1721 "TLS DH-ANON key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1722 ODE(SEC_OID_TLS_ECDHE_ECDSA,
1723 "TLS ECDHE-ECDSA key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1724 ODE(SEC_OID_TLS_ECDHE_RSA,
1725 "TLS ECDHE-RSA key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1726 ODE(SEC_OID_TLS_ECDH_ECDSA,
1727 "TLS ECDH-ECDSA key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1728 ODE(SEC_OID_TLS_ECDH_RSA,
1729 "TLS ECDH-RSA key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1730 ODE(SEC_OID_TLS_ECDH_ANON,
1731 "TLS ECDH-ANON key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1732 ODE(SEC_OID_TLS_RSA_EXPORT,
1733 "TLS RSA-EXPORT key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1734 ODE(SEC_OID_TLS_DHE_RSA_EXPORT,
1735 "TLS DHE-RSA-EXPORT key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1736 ODE(SEC_OID_TLS_DHE_DSS_EXPORT,
1737 "TLS DHE-DSS-EXPORT key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1738 ODE(SEC_OID_TLS_DH_RSA_EXPORT,
1739 "TLS DH-RSA-EXPORT key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1740 ODE(SEC_OID_TLS_DH_DSS_EXPORT,
1741 "TLS DH-DSS-EXPORT key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1742 ODE(SEC_OID_TLS_DH_ANON_EXPORT,
1743 "TLS DH-ANON-EXPORT key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1744 ODE(SEC_OID_APPLY_SSL_POLICY,
1745 "Apply SSL policy (pseudo-OID)", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1746 ODE(SEC_OID_CHACHA20_POLY1305,
1747 "ChaCha20-Poly1305", CKM_NSS_CHACHA20_POLY1305, INVALID_CERT_EXTENSION),
1748
1749 ODE(SEC_OID_TLS_ECDHE_PSK,
1750 "TLS ECHDE-PSK key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1751 ODE(SEC_OID_TLS_DHE_PSK,
1752 "TLS DHE-PSK key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1753
1754 ODE(SEC_OID_TLS_FFDHE_2048,
1755 "TLS FFDHE 2048-bit key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1756 ODE(SEC_OID_TLS_FFDHE_3072,
1757 "TLS FFDHE 3072-bit key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1758 ODE(SEC_OID_TLS_FFDHE_4096,
1759 "TLS FFDHE 4096-bit key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1760 ODE(SEC_OID_TLS_FFDHE_6144,
1761 "TLS FFDHE 6144-bit key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1762 ODE(SEC_OID_TLS_FFDHE_8192,
1763 "TLS FFDHE 8192-bit key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1764 ODE(SEC_OID_TLS_DHE_CUSTOM,
1765 "TLS DHE custom group key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1766 OD(curve25519, SEC_OID_CURVE25519,
1767 "Curve25519", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1768 ODE(SEC_OID_TLS13_KEA_ANY,
1769 "TLS 1.3 fake key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1770
1771 OD(x509ExtKeyUsageAnyUsage, SEC_OID_X509_ANY_EXT_KEY_USAGE,
1772 "Any Extended Key Usage",
1773 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1774 OD(pkixExtendedKeyUsageIPsecIKE,
1775 SEC_OID_EXT_KEY_USAGE_IPSEC_IKE,
1776 "IPsec IKE Certificate",
1777 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1778 OD(ipsecIKEEnd,
1779 SEC_OID_IPSEC_IKE_END,
1780 "IPsec IKE End",
1781 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1782 OD(ipsecIKEIntermediate,
1783 SEC_OID_IPSEC_IKE_INTERMEDIATE,
1784 "IPsec IKE Intermediate",
1785 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1786 OD(pkixExtendedKeyUsageIPsecEnd,
1787 SEC_OID_EXT_KEY_USAGE_IPSEC_END,
1788 "IPsec Tunnel",
1789 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1790 OD(pkixExtendedKeyUsageIPsecTunnel,
1791 SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL,
1792 "IPsec Tunnel",
1793 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1794 OD(pkixExtendedKeyUsageIPsecUser,
1795 SEC_OID_EXT_KEY_USAGE_IPSEC_USER,
1796 "IPsec User",
1797 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
1798 };
1799
1800 /* PRIVATE EXTENDED SECOID Table
1801 * This table is private. Its structure is opaque to the outside.
1802 * It is indexed by the same SECOidTag as the oids table above.
1803 * Every member of this struct must have accessor functions (set, get)
1804 * and those functions must operate by value, not by reference.
1805 * The addresses of the contents of this table must not be exposed
1806 * by the accessor functions.
1807 */
1808 typedef struct privXOidStr {
1809 PRUint32 notPolicyFlags; /* ones complement of policy flags */
1810 } privXOid;
1811
1812 static privXOid xOids[SEC_OID_TOTAL];
1813
1814 /*
1815 * now the dynamic table. The dynamic table gets build at init time.
1816 * and conceivably gets modified if the user loads new crypto modules.
1817 * All this static data, and the allocated data to which it points,
1818 * is protected by a global reader/writer lock.
1819 * The c language guarantees that global and static data that is not
1820 * explicitly initialized will be initialized with zeros. If we
1821 * initialize it with zeros, the data goes into the initialized data
1822 * secment, and increases the size of the library. By leaving it
1823 * uninitialized, it is allocated in BSS, and does NOT increase the
1824 * library size.
1825 */
1826
1827 typedef struct dynXOidStr {
1828 SECOidData data;
1829 privXOid priv;
1830 } dynXOid;
1831
1832 static NSSRWLock *dynOidLock;
1833 static PLArenaPool *dynOidPool;
1834 static PLHashTable *dynOidHash;
1835 static dynXOid **dynOidTable; /* not in the pool */
1836 static int dynOidEntriesAllocated;
1837 static int dynOidEntriesUsed;
1838
1839 /* Creates NSSRWLock and dynOidPool at initialization time.
1840 */
1841 static SECStatus
secoid_InitDynOidData(void)1842 secoid_InitDynOidData(void)
1843 {
1844 SECStatus rv = SECSuccess;
1845
1846 dynOidLock = NSSRWLock_New(1, "dynamic OID data");
1847 if (!dynOidLock) {
1848 return SECFailure; /* Error code should already be set. */
1849 }
1850 dynOidPool = PORT_NewArena(2048);
1851 if (!dynOidPool) {
1852 rv = SECFailure /* Error code should already be set. */;
1853 }
1854 return rv;
1855 }
1856
1857 /* Add oidData to hash table. Caller holds write lock dynOidLock. */
1858 static SECStatus
secoid_HashDynamicOiddata(const SECOidData * oid)1859 secoid_HashDynamicOiddata(const SECOidData *oid)
1860 {
1861 PLHashEntry *entry;
1862
1863 if (!dynOidHash) {
1864 dynOidHash = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
1865 PL_CompareValues, NULL, NULL);
1866 if (!dynOidHash) {
1867 return SECFailure;
1868 }
1869 }
1870
1871 entry = PL_HashTableAdd(dynOidHash, &oid->oid, (void *)oid);
1872 return entry ? SECSuccess : SECFailure;
1873 }
1874
1875 /*
1876 * Lookup a Dynamic OID. Dynamic OID's still change slowly, so it's
1877 * cheaper to rehash the table when it changes than it is to do the loop
1878 * each time.
1879 */
1880 static SECOidData *
secoid_FindDynamic(const SECItem * key)1881 secoid_FindDynamic(const SECItem *key)
1882 {
1883 SECOidData *ret = NULL;
1884
1885 NSSRWLock_LockRead(dynOidLock);
1886 if (dynOidHash) {
1887 ret = (SECOidData *)PL_HashTableLookup(dynOidHash, key);
1888 }
1889 NSSRWLock_UnlockRead(dynOidLock);
1890 if (ret == NULL) {
1891 PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
1892 }
1893 return ret;
1894 }
1895
1896 static dynXOid *
secoid_FindDynamicByTag(SECOidTag tagnum)1897 secoid_FindDynamicByTag(SECOidTag tagnum)
1898 {
1899 dynXOid *dxo = NULL;
1900 int tagNumDiff;
1901
1902 if (tagnum < SEC_OID_TOTAL) {
1903 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1904 return NULL;
1905 }
1906 tagNumDiff = tagnum - SEC_OID_TOTAL;
1907
1908 NSSRWLock_LockRead(dynOidLock);
1909 if (dynOidTable != NULL &&
1910 tagNumDiff < dynOidEntriesUsed) {
1911 dxo = dynOidTable[tagNumDiff];
1912 }
1913 NSSRWLock_UnlockRead(dynOidLock);
1914 if (dxo == NULL) {
1915 PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
1916 }
1917 return dxo;
1918 }
1919
1920 /*
1921 * This routine is thread safe now.
1922 */
1923 SECOidTag
SECOID_AddEntry(const SECOidData * src)1924 SECOID_AddEntry(const SECOidData *src)
1925 {
1926 SECOidData *dst;
1927 dynXOid **table;
1928 SECOidTag ret = SEC_OID_UNKNOWN;
1929 SECStatus rv;
1930 int tableEntries;
1931 int used;
1932
1933 if (!src || !src->oid.data || !src->oid.len ||
1934 !src->desc || !strlen(src->desc)) {
1935 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1936 return ret;
1937 }
1938 if (src->supportedExtension != INVALID_CERT_EXTENSION &&
1939 src->supportedExtension != UNSUPPORTED_CERT_EXTENSION &&
1940 src->supportedExtension != SUPPORTED_CERT_EXTENSION) {
1941 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1942 return ret;
1943 }
1944
1945 if (!dynOidPool || !dynOidLock) {
1946 PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
1947 return ret;
1948 }
1949
1950 NSSRWLock_LockWrite(dynOidLock);
1951
1952 /* We've just acquired the write lock, and now we call FindOIDTag
1953 ** which will acquire and release the read lock. NSSRWLock has been
1954 ** designed to allow this very case without deadlock. This approach
1955 ** makes the test for the presence of the OID, and the subsequent
1956 ** addition of the OID to the table a single atomic write operation.
1957 */
1958 ret = SECOID_FindOIDTag(&src->oid);
1959 if (ret != SEC_OID_UNKNOWN) {
1960 /* we could return an error here, but I chose not to do that.
1961 ** This way, if we add an OID to the shared library's built in
1962 ** list of OIDs in some future release, and that OID is the same
1963 ** as some OID that a program has been adding, the program will
1964 ** not suddenly stop working.
1965 */
1966 goto done;
1967 }
1968
1969 table = dynOidTable;
1970 tableEntries = dynOidEntriesAllocated;
1971 used = dynOidEntriesUsed;
1972
1973 if (used + 1 > tableEntries) {
1974 dynXOid **newTable;
1975 int newTableEntries = tableEntries + 16;
1976
1977 newTable = (dynXOid **)PORT_Realloc(table,
1978 newTableEntries * sizeof(dynXOid *));
1979 if (newTable == NULL) {
1980 goto done;
1981 }
1982 dynOidTable = table = newTable;
1983 dynOidEntriesAllocated = tableEntries = newTableEntries;
1984 }
1985
1986 /* copy oid structure */
1987 dst = (SECOidData *)PORT_ArenaZNew(dynOidPool, dynXOid);
1988 if (!dst) {
1989 goto done;
1990 }
1991 rv = SECITEM_CopyItem(dynOidPool, &dst->oid, &src->oid);
1992 if (rv != SECSuccess) {
1993 goto done;
1994 }
1995 dst->desc = PORT_ArenaStrdup(dynOidPool, src->desc);
1996 if (!dst->desc) {
1997 goto done;
1998 }
1999 dst->offset = (SECOidTag)(used + SEC_OID_TOTAL);
2000 dst->mechanism = src->mechanism;
2001 dst->supportedExtension = src->supportedExtension;
2002
2003 rv = secoid_HashDynamicOiddata(dst);
2004 if (rv == SECSuccess) {
2005 table[used++] = (dynXOid *)dst;
2006 dynOidEntriesUsed = used;
2007 ret = dst->offset;
2008 }
2009 done:
2010 NSSRWLock_UnlockWrite(dynOidLock);
2011 return ret;
2012 }
2013
2014 /* normal static table processing */
2015 static PLHashTable *oidhash = NULL;
2016 static PLHashTable *oidmechhash = NULL;
2017
2018 static PLHashNumber
secoid_HashNumber(const void * key)2019 secoid_HashNumber(const void *key)
2020 {
2021 return (PLHashNumber)((char *)key - (char *)NULL);
2022 }
2023
2024 #define DEF_FLAGS (NSS_USE_ALG_IN_CERT_SIGNATURE | NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SSL_KX)
2025 static void
handleHashAlgSupport(char * envVal)2026 handleHashAlgSupport(char *envVal)
2027 {
2028 char *myVal = PORT_Strdup(envVal); /* Get a copy we can alter */
2029 char *arg = myVal;
2030
2031 while (arg && *arg) {
2032 char *nextArg = PL_strpbrk(arg, ";");
2033 PRUint32 notEnable;
2034
2035 if (nextArg) {
2036 while (*nextArg == ';') {
2037 *nextArg++ = '\0';
2038 }
2039 }
2040 notEnable = (*arg == '-') ? (DEF_FLAGS) : 0;
2041 if ((*arg == '+' || *arg == '-') && *++arg) {
2042 int i;
2043
2044 for (i = 1; i < SEC_OID_TOTAL; i++) {
2045 if (oids[i].desc && strstr(arg, oids[i].desc)) {
2046 xOids[i].notPolicyFlags = notEnable |
2047 (xOids[i].notPolicyFlags & ~(DEF_FLAGS));
2048 }
2049 }
2050 }
2051 arg = nextArg;
2052 }
2053 PORT_Free(myVal); /* can handle NULL argument OK */
2054 }
2055
2056 SECStatus
SECOID_Init(void)2057 SECOID_Init(void)
2058 {
2059 PLHashEntry *entry;
2060 const SECOidData *oid;
2061 SECOidTag i;
2062 char *envVal;
2063
2064 #define NSS_VERSION_VARIABLE __nss_util_version
2065 #include "verref.h"
2066
2067 if (oidhash) {
2068 return SECSuccess; /* already initialized */
2069 }
2070
2071 if (!PR_GetEnvSecure("NSS_ALLOW_WEAK_SIGNATURE_ALG")) {
2072 /* initialize any policy flags that are disabled by default */
2073 xOids[SEC_OID_MD2].notPolicyFlags = ~0;
2074 xOids[SEC_OID_MD4].notPolicyFlags = ~0;
2075 xOids[SEC_OID_MD5].notPolicyFlags = ~0;
2076 xOids[SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION].notPolicyFlags = ~0;
2077 xOids[SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION].notPolicyFlags = ~0;
2078 xOids[SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION].notPolicyFlags = ~0;
2079 xOids[SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC].notPolicyFlags = ~0;
2080 xOids[SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC].notPolicyFlags = ~0;
2081 }
2082
2083 /* turn off NSS_USE_POLICY_IN_SSL by default */
2084 xOids[SEC_OID_APPLY_SSL_POLICY].notPolicyFlags = NSS_USE_POLICY_IN_SSL;
2085
2086 envVal = PR_GetEnvSecure("NSS_HASH_ALG_SUPPORT");
2087 if (envVal)
2088 handleHashAlgSupport(envVal);
2089
2090 if (secoid_InitDynOidData() != SECSuccess) {
2091 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2092 PORT_Assert(0); /* this function should never fail */
2093 return SECFailure;
2094 }
2095
2096 oidhash = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
2097 PL_CompareValues, NULL, NULL);
2098 oidmechhash = PL_NewHashTable(0, secoid_HashNumber, PL_CompareValues,
2099 PL_CompareValues, NULL, NULL);
2100
2101 if (!oidhash || !oidmechhash) {
2102 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2103 PORT_Assert(0); /*This function should never fail. */
2104 return (SECFailure);
2105 }
2106
2107 for (i = 0; i < SEC_OID_TOTAL; i++) {
2108 oid = &oids[i];
2109
2110 PORT_Assert(oid->offset == i);
2111
2112 entry = PL_HashTableAdd(oidhash, &oid->oid, (void *)oid);
2113 if (entry == NULL) {
2114 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2115 PORT_Assert(0); /*This function should never fail. */
2116 return (SECFailure);
2117 }
2118
2119 if (oid->mechanism != CKM_INVALID_MECHANISM) {
2120 entry = PL_HashTableAdd(oidmechhash,
2121 (void *)oid->mechanism, (void *)oid);
2122 if (entry == NULL) {
2123 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2124 PORT_Assert(0); /* This function should never fail. */
2125 return (SECFailure);
2126 }
2127 }
2128 }
2129
2130 PORT_Assert(i == SEC_OID_TOTAL);
2131
2132 return (SECSuccess);
2133 }
2134
2135 SECOidData *
SECOID_FindOIDByMechanism(unsigned long mechanism)2136 SECOID_FindOIDByMechanism(unsigned long mechanism)
2137 {
2138 SECOidData *ret;
2139
2140 PR_ASSERT(oidhash != NULL);
2141
2142 ret = PL_HashTableLookupConst(oidmechhash, (void *)mechanism);
2143 if (ret == NULL) {
2144 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2145 }
2146
2147 return (ret);
2148 }
2149
2150 SECOidData *
SECOID_FindOID(const SECItem * oid)2151 SECOID_FindOID(const SECItem *oid)
2152 {
2153 SECOidData *ret;
2154
2155 PR_ASSERT(oidhash != NULL);
2156
2157 ret = PL_HashTableLookupConst(oidhash, oid);
2158 if (ret == NULL) {
2159 ret = secoid_FindDynamic(oid);
2160 if (ret == NULL) {
2161 PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
2162 }
2163 }
2164
2165 return (ret);
2166 }
2167
2168 SECOidTag
SECOID_FindOIDTag(const SECItem * oid)2169 SECOID_FindOIDTag(const SECItem *oid)
2170 {
2171 SECOidData *oiddata;
2172
2173 oiddata = SECOID_FindOID(oid);
2174 if (oiddata == NULL)
2175 return SEC_OID_UNKNOWN;
2176
2177 return oiddata->offset;
2178 }
2179
2180 /* This really should return const. */
2181 SECOidData *
SECOID_FindOIDByTag(SECOidTag tagnum)2182 SECOID_FindOIDByTag(SECOidTag tagnum)
2183 {
2184 if (tagnum >= SEC_OID_TOTAL) {
2185 return (SECOidData *)secoid_FindDynamicByTag(tagnum);
2186 }
2187
2188 PORT_Assert((unsigned int)tagnum < SEC_OID_TOTAL);
2189 return (SECOidData *)(&oids[tagnum]);
2190 }
2191
2192 PRBool
SECOID_KnownCertExtenOID(SECItem * extenOid)2193 SECOID_KnownCertExtenOID(SECItem *extenOid)
2194 {
2195 SECOidData *oidData;
2196
2197 oidData = SECOID_FindOID(extenOid);
2198 if (oidData == (SECOidData *)NULL)
2199 return (PR_FALSE);
2200 return ((oidData->supportedExtension == SUPPORTED_CERT_EXTENSION) ? PR_TRUE : PR_FALSE);
2201 }
2202
2203 const char *
SECOID_FindOIDTagDescription(SECOidTag tagnum)2204 SECOID_FindOIDTagDescription(SECOidTag tagnum)
2205 {
2206 const SECOidData *oidData = SECOID_FindOIDByTag(tagnum);
2207 return oidData ? oidData->desc : 0;
2208 }
2209
2210 /* --------- opaque extended OID table accessor functions ---------------*/
2211 /*
2212 * Any of these functions may return SECSuccess or SECFailure with the error
2213 * code set to SEC_ERROR_UNKNOWN_OBJECT_TYPE if the SECOidTag is out of range.
2214 */
2215
2216 static privXOid *
secoid_FindXOidByTag(SECOidTag tagnum)2217 secoid_FindXOidByTag(SECOidTag tagnum)
2218 {
2219 if (tagnum >= SEC_OID_TOTAL) {
2220 dynXOid *dxo = secoid_FindDynamicByTag(tagnum);
2221 return (dxo ? &dxo->priv : NULL);
2222 }
2223
2224 PORT_Assert((unsigned int)tagnum < SEC_OID_TOTAL);
2225 return &xOids[tagnum];
2226 }
2227
2228 /* The Get function outputs the 32-bit value associated with the SECOidTag.
2229 * Flags bits are the NSS_USE_ALG_ #defines in "secoidt.h".
2230 * Default value for any algorithm is 0xffffffff (enabled for all purposes).
2231 * No value is output if function returns SECFailure.
2232 */
2233 SECStatus
NSS_GetAlgorithmPolicy(SECOidTag tag,PRUint32 * pValue)2234 NSS_GetAlgorithmPolicy(SECOidTag tag, PRUint32 *pValue)
2235 {
2236 privXOid *pxo = secoid_FindXOidByTag(tag);
2237 if (!pxo)
2238 return SECFailure;
2239 if (!pValue) {
2240 PORT_SetError(SEC_ERROR_INVALID_ARGS);
2241 return SECFailure;
2242 }
2243 *pValue = ~(pxo->notPolicyFlags);
2244 return SECSuccess;
2245 }
2246
2247 static PRBool nss_policy_locked = PR_FALSE;
2248
2249 /* The Set function modifies the stored value according to the following
2250 * algorithm:
2251 * policy[tag] = (policy[tag] & ~clearBits) | setBits;
2252 */
2253 SECStatus
NSS_SetAlgorithmPolicy(SECOidTag tag,PRUint32 setBits,PRUint32 clearBits)2254 NSS_SetAlgorithmPolicy(SECOidTag tag, PRUint32 setBits, PRUint32 clearBits)
2255 {
2256 privXOid *pxo = secoid_FindXOidByTag(tag);
2257 PRUint32 policyFlags;
2258 if (!pxo)
2259 return SECFailure;
2260
2261 if (nss_policy_locked) {
2262 PORT_SetError(SEC_ERROR_POLICY_LOCKED);
2263 return SECFailure;
2264 }
2265 /* The stored policy flags are the ones complement of the flags as
2266 * seen by the user. This is not atomic, but these changes should
2267 * be done rarely, e.g. at initialization time.
2268 */
2269 policyFlags = ~(pxo->notPolicyFlags);
2270 policyFlags = (policyFlags & ~clearBits) | setBits;
2271 pxo->notPolicyFlags = ~policyFlags;
2272 return SECSuccess;
2273 }
2274
2275 /* Get the state of nss_policy_locked */
2276 PRBool
NSS_IsPolicyLocked(void)2277 NSS_IsPolicyLocked(void)
2278 {
2279 return nss_policy_locked;
2280 }
2281
2282 /* Once the policy is locked, it can't be unlocked */
2283 void
NSS_LockPolicy(void)2284 NSS_LockPolicy(void)
2285 {
2286 nss_policy_locked = PR_TRUE;
2287 }
2288
2289 /* --------- END OF opaque extended OID table accessor functions ---------*/
2290
2291 /* for now, this is only used in a single place, so it can remain static */
2292 static PRBool parentForkedAfterC_Initialize;
2293
2294 #define SKIP_AFTER_FORK(x) \
2295 if (!parentForkedAfterC_Initialize) \
2296 x
2297
2298 /*
2299 * free up the oid tables.
2300 */
2301 SECStatus
SECOID_Shutdown(void)2302 SECOID_Shutdown(void)
2303 {
2304 if (oidhash) {
2305 PL_HashTableDestroy(oidhash);
2306 oidhash = NULL;
2307 }
2308 if (oidmechhash) {
2309 PL_HashTableDestroy(oidmechhash);
2310 oidmechhash = NULL;
2311 }
2312 /* Have to handle the case where the lock was created, but
2313 ** the pool wasn't.
2314 ** I'm not going to attempt to create the lock, just to protect
2315 ** the destruction of data that probably isn't initialized anyway.
2316 */
2317 if (dynOidLock) {
2318 SKIP_AFTER_FORK(NSSRWLock_LockWrite(dynOidLock));
2319 if (dynOidHash) {
2320 PL_HashTableDestroy(dynOidHash);
2321 dynOidHash = NULL;
2322 }
2323 if (dynOidPool) {
2324 PORT_FreeArena(dynOidPool, PR_FALSE);
2325 dynOidPool = NULL;
2326 }
2327 if (dynOidTable) {
2328 PORT_Free(dynOidTable);
2329 dynOidTable = NULL;
2330 }
2331 dynOidEntriesAllocated = 0;
2332 dynOidEntriesUsed = 0;
2333
2334 SKIP_AFTER_FORK(NSSRWLock_UnlockWrite(dynOidLock));
2335 SKIP_AFTER_FORK(NSSRWLock_Destroy(dynOidLock));
2336 dynOidLock = NULL;
2337 } else {
2338 /* Since dynOidLock doesn't exist, then all the data it protects
2339 ** should be uninitialized. We'll check that (in DEBUG builds),
2340 ** and then make sure it is so, in case NSS is reinitialized.
2341 */
2342 PORT_Assert(!dynOidHash && !dynOidPool && !dynOidTable &&
2343 !dynOidEntriesAllocated && !dynOidEntriesUsed);
2344 dynOidHash = NULL;
2345 dynOidPool = NULL;
2346 dynOidTable = NULL;
2347 dynOidEntriesAllocated = 0;
2348 dynOidEntriesUsed = 0;
2349 }
2350 /* we are trashing the old policy state now, also reenable changing
2351 * the policy as well */
2352 nss_policy_locked = PR_FALSE;
2353 memset(xOids, 0, sizeof xOids);
2354 return SECSuccess;
2355 }
2356
2357 void
UTIL_SetForkState(PRBool forked)2358 UTIL_SetForkState(PRBool forked)
2359 {
2360 parentForkedAfterC_Initialize = forked;
2361 }
2362
2363 const char *
NSSUTIL_GetVersion(void)2364 NSSUTIL_GetVersion(void)
2365 {
2366 return NSSUTIL_VERSION;
2367 }
2368