
lightning-sunbird  0.9+nobinonly
secmodt.h
00001 /* ***** BEGIN LICENSE BLOCK *****
00002  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
00003  *
00004  * The contents of this file are subject to the Mozilla Public License Version
00005  * 1.1 (the "License"); you may not use this file except in compliance with
00006  * the License. You may obtain a copy of the License at
00007  * http://www.mozilla.org/MPL/
00008  *
00009  * Software distributed under the License is distributed on an "AS IS" basis,
00010  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
00011  * for the specific language governing rights and limitations under the
00012  * License.
00013  *
00014  * The Original Code is the Netscape security libraries.
00015  *
00016  * The Initial Developer of the Original Code is
00017  * Netscape Communications Corporation.
00018  * Portions created by the Initial Developer are Copyright (C) 1994-2000
00019  * the Initial Developer. All Rights Reserved.
00020  *
00021  * Contributor(s):
00022  *
00023  * Alternatively, the contents of this file may be used under the terms of
00024  * either the GNU General Public License Version 2 or later (the "GPL"), or
00025  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
00026  * in which case the provisions of the GPL or the LGPL are applicable instead
00027  * of those above. If you wish to allow use of your version of this file only
00028  * under the terms of either the GPL or the LGPL, and not to allow others to
00029  * use your version of this file under the terms of the MPL, indicate your
00030  * decision by deleting the provisions above and replace them with the notice
00031  * and other provisions required by the GPL or the LGPL. If you do not delete
00032  * the provisions above, a recipient may use your version of this file under
00033  * the terms of any one of the MPL, the GPL or the LGPL.
00034  *
00035  * ***** END LICENSE BLOCK ***** */
00036 #ifndef _SECMODT_H_
00037 #define _SECMODT_H_ 1
00038 
00039 #include "nssrwlkt.h"
00040 #include "nssilckt.h"
00041 #include "secoid.h"
00042 #include "secasn1.h"
00043 #include "pkcs11t.h"
00044 
00045 /* ASN.1 templates and their template choosers for the PKCS #8 key info structures; find a better home for these... */
00046 extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
00047 extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToEncryptedPrivateKeyInfoTemplate;
00048 extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
00049 extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate;
00050 extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
00051 extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PrivateKeyInfoTemplate;
00052 extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
00053 extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToPrivateKeyInfoTemplate;
00054 
00055 /* Type names for the PKCS #11 module, slot and key structures; PKCS11 needs to be included */
00056 typedef struct SECMODModuleStr SECMODModule;
00057 typedef struct SECMODModuleListStr SECMODModuleList;
00058 typedef NSSRWLock SECMODListLock;
00059 typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */
00060 typedef struct PK11PreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */
00061 typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */
00062 typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */
00063 typedef struct PK11SlotListStr PK11SlotList;
00064 typedef struct PK11SlotListElementStr PK11SlotListElement;
00065 typedef struct PK11RSAGenParamsStr PK11RSAGenParams;
00066 typedef unsigned long SECMODModuleID; /* type of SECMODModuleStr.moduleID */
00067 typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry;
00068 typedef struct PK11GenericObjectStr PK11GenericObject;
00069 typedef void (*PK11FreeDataFunc)(void *); /* callback taking one untyped pointer and returning nothing */
00070 /* Describes one PKCS #11 module: its library, function table, slots, flags and ordering. */
00071 struct SECMODModuleStr {
00072     PRArenaPool      *arena; /* NOTE(review): presumably the arena this structure is allocated from -- confirm */
00073     PRBool    internal;     /* true for internally linked modules, false
00074                              * for the loaded modules */
00075     PRBool    loaded;              /* Set to true if module has been loaded */
00076     PRBool    isFIPS;              /* Set to true if module is the FIPS internal module (original read "finst internal"; TODO confirm) */
00077     char      *dllName;     /* name of the shared library which implements
00078                              * this module. NOTE(review): code in that library runs in-process once it is loaded, so this name should only come from trusted configuration */
00079     char      *commonName;  /* name of the module to display to the user */
00080     void      *library;     /* pointer to the library. opaque. used only by
00081                              * pk11load.c */
00082     void      *functionList; /* The PKCS #11 function table */
00083     PZLock    *refLock;     /* only used by pk11db.c */
00084     int              refCount;     /* Module reference count */
00085     PK11SlotInfo **slots;   /* array of slot pointers attached to this module */
00086     int              slotCount;    /* count of slots in the above array */
00087     PK11PreSlotInfo *slotInfo;     /* special info about slots default settings */
00088     int              slotInfoCount;  /* count of entries in slotInfo (presumably; confirm) */
00089     SECMODModuleID moduleID;       /* ID so we can find this module again */
00090     PRBool    isThreadSafe; /* NOTE(review): presumably whether the module may be called from several threads -- confirm */
00091     unsigned long ssl[2];   /* SSL cipher enable flags */
00092     char      *libraryParams;  /* Module specific parameters */
00093     void *moduleDBFunc; /* function to return module configuration data */
00094     SECMODModule *parent;   /* module that loaded us */
00095     PRBool    isCritical;   /* This module must load successfully */
00096     PRBool    isModuleDB;   /* this module has lists of PKCS #11 modules */
00097     PRBool    moduleDBOnly; /* this module only has lists of PKCS #11 modules */
00098     int              trustOrder;   /* order for this module's certificate trust rollup */
00099     int              cipherOrder;  /* order for cipher operations */
00100     unsigned long evControlMask; /* control the running and shutdown of slot
00101                               * events (SECMOD_WaitForAnyTokenEvent) */
00102     CK_VERSION  cryptokiVersion; /* version of this library */
00103 };
00104 
00105 /* evControlMask flags */
00106 /*
00107  * These bits tell the current state of a SECMOD_WaitForAnyTokenEvent.
00108  *
00109  * SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in
00110  *  C_WaitForSlotEvent().
00111  * SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code
00112  *  which polls for token insertion and removal events.
00113  * SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is
00114  *  waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent
00115  *  should return immediately to its caller.
00116  */ 
00117 #define SECMOD_END_WAIT         0x01
00118 #define SECMOD_WAIT_SIMULATED_EVENT 0x02 
00119 #define SECMOD_WAIT_PKCS11_EVENT    0x04
00120 /* Singly linked list node that points at one SECMODModule. */
00121 struct SECMODModuleListStr {
00122     SECMODModuleList *next;
00123     SECMODModule     *module;
00124 };
00125 /* Slot list header: first and last elements plus a lock pointer. */
00126 struct PK11SlotListStr {
00127     PK11SlotListElement *head;
00128     PK11SlotListElement *tail;
00129     PZLock *lock; /* NOTE(review): presumably guards the list links -- confirm */
00130 };
00131 /* Doubly linked slot list element carrying its own reference count. */
00132 struct PK11SlotListElementStr {
00133     PK11SlotListElement *next;
00134     PK11SlotListElement *prev;
00135     PK11SlotInfo *slot;
00136     int refCount;
00137 };
00138 /* RSA key generation parameters; this header sets no bounds on either field, so the caller chooses them. */
00139 struct PK11RSAGenParamsStr {
00140     int keySizeInBits;
00141     unsigned long pe; /* NOTE(review): presumably the RSA public exponent -- confirm */
00142 };
00143 /* Selects which certificates, and how many instances of each, a certificate listing returns. */
00144 typedef enum {
00145      PK11CertListUnique = 0,     /* get one instance of all certs */
00146      PK11CertListUser = 1,       /* get all instances of user certs */
00147      PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key.
00148                                   * deprecated. Use PK11CertListCAUnique
00149                                   */
00150      PK11CertListCA = 3,         /* get all instances of CA certs */
00151      PK11CertListCAUnique = 4,   /* get one instance of CA certs */
00152      PK11CertListUserUnique = 5, /* get one instance of user certs */
00153      PK11CertListAll = 6         /* get all instances of all certs */
00154 } PK11CertListType;
00155 
00156 /*
00157  * Entry in the array which lists all the legal bits for the default flags
00158  * in the slot, their definition, and the PKCS #11 mechanism they represent.
00159  * Always statically allocated.
00160  */
00161 struct PK11DefaultArrayEntryStr {
00162     char *name;
00163     unsigned long flag;
00164     unsigned long mechanism; /* this is a long so we don't include the 
00165                            * whole pkcs 11 world to use this header */
00166 };
00167 
00168 /* Slot default flag bits, one per algorithm or protocol; most of these names also appear in the SECMOD_SLOT_FLAGS string. */
00169 #define SECMOD_RSA_FLAG     0x00000001L
00170 #define SECMOD_DSA_FLAG     0x00000002L
00171 #define SECMOD_RC2_FLAG     0x00000004L
00172 #define SECMOD_RC4_FLAG     0x00000008L
00173 #define SECMOD_DES_FLAG     0x00000010L
00174 #define SECMOD_DH_FLAG             0x00000020L
00175 #define SECMOD_FORTEZZA_FLAG       0x00000040L
00176 #define SECMOD_RC5_FLAG            0x00000080L
00177 #define SECMOD_SHA1_FLAG    0x00000100L
00178 #define SECMOD_MD5_FLAG            0x00000200L
00179 #define SECMOD_MD2_FLAG            0x00000400L
00180 #define SECMOD_SSL_FLAG            0x00000800L
00181 #define SECMOD_TLS_FLAG            0x00001000L
00182 #define SECMOD_AES_FLAG     0x00002000L
00183 #define SECMOD_SHA256_FLAG  0x00004000L
00184 #define SECMOD_SHA512_FLAG  0x00008000L   /* also for SHA384 */
00185 /* reserved bit for future use, do not use */
00186 #define SECMOD_RESERVED_FLAG    0X08000000L
00187 #define SECMOD_FRIENDLY_FLAG       0x10000000L
00188 #define SECMOD_RANDOM_FLAG  0x80000000L
00189 
00190 /* need to make SECMOD and PK11 prefixes consistent. */
00191 #define PK11_OWN_PW_DEFAULTS 0x20000000L
00192 #define PK11_DISABLE_FLAG    0x40000000L
00193 
00194 /* FAKE PKCS #11 defines: values declared by this header, not taken from pkcs11t.h */
00195 #define CKM_FAKE_RANDOM       0x80000efeL
00196 #define CKM_INVALID_MECHANISM 0xffffffffL
00197 #define CKA_DIGEST            0x81000000L
00198 #define CKA_FLAGS_ONLY        0 /* same value as CKA_CLASS */
00199 
00200 /*
00201  * PK11AttrFlags
00202  *
00203  * A 32-bit bitmask of PK11_ATTR_XXX flags
00204  */
00205 typedef PRUint32 PK11AttrFlags;
00206 
00207 /*
00208  * PK11_ATTR_XXX
00209  *
00210  * The following PK11_ATTR_XXX bitflags are used to specify
00211  * PKCS #11 object attributes that have Boolean values.  Some NSS
00212  * functions have a "PK11AttrFlags attrFlags" parameter whose value
00213  * is the logical OR of these bitflags.  NSS uses these bitflags on
00214  * private keys or secret keys.  Some of these bitflags also apply
00215  * to the public keys associated with the private keys.
00216  *
00217  * For each PKCS #11 object attribute, we need two bitflags to
00218  * specify not only "true" and "false" but also "default".  For
00219  * example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the
00220  * CKA_PRIVATE attribute.  If PK11_ATTR_PRIVATE is set, we add
00221  *     { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) }
00222  * to the template.  If PK11_ATTR_PUBLIC is set, we add
00223  *     { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) }
00224  * to the template.  If neither flag is set, we don't add any
00225  * CKA_PRIVATE entry to the template.
00226  */
00227 
00228 /*
00229  * Attributes for PKCS #11 storage objects, which include not only
00230  * keys but also certificates and domain parameters.
00231  */
00232 
00233 /*
00234  * PK11_ATTR_TOKEN
00235  * PK11_ATTR_SESSION
00236  *
00237  * These two flags determine whether the object is a token or
00238  * session object.
00239  *
00240  * These two flags are related and cannot both be set.
00241  * If the PK11_ATTR_TOKEN flag is set, the object is a token
00242  * object.  If the PK11_ATTR_SESSION flag is set, the object is
00243  * a session object.  If neither flag is set, the object is *by
00244  * default* a session object.
00245  *
00246  * These two flags specify the value of the PKCS #11 CKA_TOKEN
00247  * attribute.
00248  */
00249 #define PK11_ATTR_TOKEN         0x00000001L /* CKA_TOKEN true: token object */
00250 #define PK11_ATTR_SESSION       0x00000002L /* CKA_TOKEN false: session object (also the default) */
00251 
00252 /*
00253  * PK11_ATTR_PRIVATE
00254  * PK11_ATTR_PUBLIC
00255  *
00256  * These two flags determine whether the object is a private or
00257  * public object.  A user may not access a private object until the
00258  * user has authenticated to the token.
00259  *
00260  * These two flags are related and cannot both be set.
00261  * If the PK11_ATTR_PRIVATE flag is set, the object is a private
00262  * object.  If the PK11_ATTR_PUBLIC flag is set, the object is a
00263  * public object.  If neither flag is set, it is token-specific
00264  * whether the object is private or public.
00265  *
00266  * These two flags specify the value of the PKCS #11 CKA_PRIVATE
00267  * attribute.  NSS only uses this attribute on private and secret
00268  * keys, so public keys created by NSS get the token-specific
00269  * default value of the CKA_PRIVATE attribute.
00270  */
00271 #define PK11_ATTR_PRIVATE       0x00000004L /* CKA_PRIVATE true: accessible only after the user authenticates to the token */
00272 #define PK11_ATTR_PUBLIC        0x00000008L /* CKA_PRIVATE false; with neither flag set the choice is token-specific */
00273 
00274 /*
00275  * PK11_ATTR_MODIFIABLE
00276  * PK11_ATTR_UNMODIFIABLE
00277  *
00278  * These two flags determine whether the object is modifiable or
00279  * read-only.
00280  *
00281  * These two flags are related and cannot both be set.
00282  * If the PK11_ATTR_MODIFIABLE flag is set, the object can be
00283  * modified.  If the PK11_ATTR_UNMODIFIABLE flag is set, the object
00284  * is read-only.  If neither flag is set, the object is *by default*
00285  * modifiable.
00286  *
00287  * These two flags specify the value of the PKCS #11 CKA_MODIFIABLE
00288  * attribute.
00289  */
00290 #define PK11_ATTR_MODIFIABLE    0x00000010L /* CKA_MODIFIABLE true (also the default) */
00291 #define PK11_ATTR_UNMODIFIABLE  0x00000020L /* CKA_MODIFIABLE false: read-only object */
00292 
00293 /* Attributes for PKCS #11 key objects. */
00294 
00295 /*
00296  * PK11_ATTR_SENSITIVE
00297  * PK11_ATTR_INSENSITIVE
00298  *
00299  * These two flags are related and cannot both be set.
00300  * If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive.
00301  * If the PK11_ATTR_INSENSITIVE flag is set, the key is not
00302  * sensitive.  If neither flag is set, it is token-specific whether
00303  * the key is sensitive or not.
00304  *
00305  * If a key is sensitive, certain attributes of the key cannot be
00306  * revealed in plaintext outside the token.
00307  *
00308  * These two flags specify the value of the PKCS #11 CKA_SENSITIVE
00309  * attribute.  Although the default value of the CKA_SENSITIVE
00310  * attribute for secret keys is CK_FALSE per PKCS #11, some FIPS
00311  * tokens set the default value to CK_TRUE because only CK_TRUE
00312  * is allowed.  So in practice the default value of this attribute
00313  * is token-specific, hence the need for two bitflags.
00314  */
00315 #define PK11_ATTR_SENSITIVE     0x00000040L /* CKA_SENSITIVE true; set it explicitly when the key must stay sensitive, because the default is token-specific */
00316 #define PK11_ATTR_INSENSITIVE   0x00000080L /* CKA_SENSITIVE false */
00317 
00318 /*
00319  * PK11_ATTR_EXTRACTABLE
00320  * PK11_ATTR_UNEXTRACTABLE
00321  *
00322  * These two flags are related and cannot both be set.
00323  * If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable
00324  * and can be wrapped.  If the PK11_ATTR_UNEXTRACTABLE flag is set,
00325  * the key is not extractable, and certain attributes of the key
00326  * cannot be revealed in plaintext outside the token (just like a
00327  * sensitive key).  If neither flag is set, it is token-specific
00328  * whether the key is extractable or not.
00329  *
00330  * These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE
00331  * attribute.
00332  */
00333 #define PK11_ATTR_EXTRACTABLE   0x00000100L /* CKA_EXTRACTABLE true: the key can be wrapped */
00334 #define PK11_ATTR_UNEXTRACTABLE 0x00000200L /* CKA_EXTRACTABLE false; set it explicitly when the key must not leave the token, because the default is token-specific */
00335 
00336 /* Cryptographic module types */
00337 #define SECMOD_EXTERNAL     0      /* external module */
00338 #define SECMOD_INTERNAL 1   /* internal default module */
00339 #define SECMOD_FIPS  2      /* internal FIPS module */
00340 
00341 /* default module configuration strings. The default slotFlags list names RC2, RC4, DES, MD5 and MD2 alongside the newer algorithms; NOTE(review): check whether a deployment still wants those legacy algorithms listed as slot defaults */
00342 #define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512]"
00343 /* Builds a module flag string by string-literal concatenation: fips must be a string literal, slot is stringified with #. */
00344 #define SECMOD_MAKE_NSS_FLAGS(fips,slot) \
00345 "Flags=internal,critical"fips" slotparams=("#slot"={"SECMOD_SLOT_FLAGS"})"
00346 
00347 #define SECMOD_INT_NAME "NSS Internal PKCS #11 Module"
00348 #define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("",1)
00349 #define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
00350 #define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips",3)
00351 
00352 /*
00353  * What is the origin of a given key. Normally this doesn't matter, but
00354  * the fortezza code needs to know if it needs to invoke the SSL3 fortezza
00355  * hack.
00356  */
00357 typedef enum {
00358     PK11_OriginNULL = 0,    /* There is no key, it's a null SymKey */
00359     PK11_OriginDerive = 1,  /* Key was derived from some other key */
00360     PK11_OriginGenerated = 2,      /* Key was generated (also PBE keys) */
00361     PK11_OriginFortezzaHack = 3,/* Key was marked for fortezza hack */
00362     PK11_OriginUnwrap = 4   /* Key was unwrapped or decrypted */
00363 } PK11Origin;
00364 
00365 /* PKCS #11 disable reasons (PK11_DIS_NONE presumably means "not disabled"; confirm against the users of this enum) */
00366 typedef enum {
00367     PK11_DIS_NONE = 0,
00368     PK11_DIS_USER_SELECTED = 1,
00369     PK11_DIS_COULD_NOT_INIT_TOKEN = 2,
00370     PK11_DIS_TOKEN_VERIFY_FAILED = 3,
00371     PK11_DIS_TOKEN_NOT_PRESENT = 4
00372 } PK11DisableReasons;
00373 
00374 /* types of PKCS #11 objects */
00375 typedef enum {
00376    PK11_TypeGeneric = 0,
00377    PK11_TypePrivKey = 1,
00378    PK11_TypePubKey = 2,
00379    PK11_TypeCert = 3,
00380    PK11_TypeSymKey = 4
00381 } PK11ObjectType;
00382 
00383 
00384 
00385 /* Function pointer type for the password callback function.
00386  * This type is passed in to PK11_SetPasswordFunc(). NOTE(review): this header does not say who
00387  * owns, frees or clears the returned password string; confirm that before relying on it. */
00388 typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg);
00389 typedef PRBool (PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg);
00390 typedef PRBool (PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg);
00391 
00392 /*
00393  * Special strings the password callback function can return only if
00394  * the slot is a protected auth path slot.
00395  */ 
00396 #define PK11_PW_RETRY              "RETRY"       /* a failed attempt to authenticate
00397                                     * has already been made, just retry
00398                                     * the operation */
00399 #define PK11_PW_AUTHENTICATED      "AUTH"  /* a successful attempt to authenticate
00400                                     * has completed. Continue without
00401                                     * another call to C_Login */
00402 /* All other non-null values mean that NSS could call C_Login to force
00403  * the authentication. The following define is to aid applications in 
00404  * documenting that this is what they are trying to do */
00405 #define PK11_PW_TRY         "TRY"   /* Default: a prompt has been presented
00406                                     * to the user, initiate a C_Login
00407                                     * to authenticate the token */
00408 
00409 /*
00410  * PKCS #11 key structures
00411  */
00412 
00413 /*
00414 ** Attributes: one attribute type item and a pointer to an array of value item pointers
00415 */
00416 struct SECKEYAttributeStr {
00417     SECItem attrType;
00418     SECItem **attrValue;
00419 };
00420 typedef struct SECKEYAttributeStr SECKEYAttribute;
00421 
00422 /*
00423 ** A PKCS#8 private key info object
00424 */
00425 struct SECKEYPrivateKeyInfoStr {
00426     PLArenaPool *arena;
00427     SECItem version;
00428     SECAlgorithmID algorithm;
00429     SECItem privateKey; /* NOTE(review): presumably holds the key material unencrypted, so it should be cleared before the memory is released -- confirm */
00430     SECKEYAttribute **attributes;
00431 };
00432 typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo;
00433 
00434 /*
00435 ** A PKCS#8 encrypted private key info object
00436 */
00437 struct SECKEYEncryptedPrivateKeyInfoStr {
00438     PLArenaPool *arena;
00439     SECAlgorithmID algorithm;
00440     SECItem encryptedData;
00441 };
00442 typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo;
00443 
00444 /*
00445  * token removal detection: status values for a token
00446  */
00447 typedef enum {
00448    PK11TokenNotRemovable = 0,
00449    PK11TokenPresent = 1,
00450    PK11TokenChanged = 2,
00451    PK11TokenRemoved = 3
00452 } PK11TokenStatus;
00453 /* Token event kinds; NOTE(review): the functions that take this enum are not shown in this header. */
00454 typedef enum {
00455    PK11TokenRemovedOrChangedEvent = 0,
00456    PK11TokenPresentEvent = 1
00457 } PK11TokenEvent;
00458 
00459 /*
00460  * CRL Import Flags
00461  */
00462 #define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000
00463 #define CRL_IMPORT_BYPASS_CHECKS   0x00000001 /* NOTE(review): this header does not say which checks are bypassed; confirm against the importer and reserve it for CRLs from an already-trusted source */
00464 
00465 #endif /*_SECMODT_H_ */