security/nss/lib/pk11wrap/secmodt.h

   1 /* ***** BEGIN LICENSE BLOCK *****
   2  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
   3  *
   4  * The contents of this file are subject to the Mozilla Public License Version
   5  * 1.1 (the "License"); you may not use this file except in compliance with
   6  * the License. You may obtain a copy of the License at
   7  * http://www.mozilla.org/MPL/
   8  *
   9  * Software distributed under the License is distributed on an "AS IS" basis,
  10  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
  11  * for the specific language governing rights and limitations under the
  12  * License.
  13  *
  14  * The Original Code is the Netscape security libraries.
  15  *
  16  * The Initial Developer of the Original Code is
  17  * Netscape Communications Corporation.
  18  * Portions created by the Initial Developer are Copyright (C) 1994-2000
  19  * the Initial Developer. All Rights Reserved.
  20  *
  21  * Contributor(s):
  22  *
  23  * Alternatively, the contents of this file may be used under the terms of
  24  * either the GNU General Public License Version 2 or later (the "GPL"), or
  25  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  26  * in which case the provisions of the GPL or the LGPL are applicable instead
  27  * of those above. If you wish to allow use of your version of this file only
  28  * under the terms of either the GPL or the LGPL, and not to allow others to
  29  * use your version of this file under the terms of the MPL, indicate your
  30  * decision by deleting the provisions above and replace them with the notice
  31  * and other provisions required by the GPL or the LGPL. If you do not delete
  32  * the provisions above, a recipient may use your version of this file under
  33  * the terms of any one of the MPL, the GPL or the LGPL.
  34  *
  35  * ***** END LICENSE BLOCK ***** */
  36 #ifndef _SECMODT_H_
  37 #define _SECMODT_H_ 1
  38
  39 #include "nssrwlkt.h"
  40 #include "nssilckt.h"
  41 #include "secoid.h"
  42 #include "secasn1.h"
  43 #include "pkcs11t.h"
  44
  45 /* find a better home for these... */
  46 extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
  47 extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToEncryptedPrivateKeyInfoTemplate;
  48 extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
  49 extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate;
  50 extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
  51 extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PrivateKeyInfoTemplate;
  52 extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
  53 extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToPrivateKeyInfoTemplate;
  54
  55 /* PKCS11 needs to be included */
  56 typedef struct SECMODModuleStr SECMODModule;
  57 typedef struct SECMODModuleListStr SECMODModuleList;
  58 typedef NSSRWLock SECMODListLock;
  59 typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */
  60 typedef struct PK11PreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */
  61 typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */
  62 typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */
  63 typedef struct PK11SlotListStr PK11SlotList;
  64 typedef struct PK11SlotListElementStr PK11SlotListElement;
  65 typedef struct PK11RSAGenParamsStr PK11RSAGenParams;
  66 typedef unsigned long SECMODModuleID;
  67 typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry;
  68 typedef struct PK11GenericObjectStr PK11GenericObject;
  69 typedef void (*PK11FreeDataFunc)(void *);
  70
  71 struct SECMODModuleStr {
  72     PLArenaPool *arena;
  73     PRBool      internal;       /* true of internally linked modules, false
  74                                  * for the loaded modules */
  75     PRBool      loaded;         /* Set to true if module has been loaded */
  76     PRBool      isFIPS;         /* Set to true if module is finst internal */
  77     char        *dllName;       /* name of the shared library which implements
  78                                  * this module */
  79     char        *commonName;    /* name of the module to display to the user */
  80     void        *library;       /* pointer to the library. opaque. used only by
  81                                  * pk11load.c */
  82     void        *functionList; /* The PKCS #11 function table */
  83     PZLock      *refLock;       /* only used pk11db.c */
  84     int         refCount;       /* Module reference count */
  85     PK11SlotInfo **slots;       /* array of slot points attached to this mod*/
  86     int         slotCount;      /* count of slot in above array */
  87     PK11PreSlotInfo *slotInfo;  /* special info about slots default settings */
  88     int         slotInfoCount;  /* count */
  89     SECMODModuleID moduleID;    /* ID so we can find this module again */
  90     PRBool      isThreadSafe;
  91     unsigned long ssl[2];       /* SSL cipher enable flags */
  92     char        *libraryParams;  /* Module specific parameters */
  93     void *moduleDBFunc; /* function to return module configuration data*/
  94     SECMODModule *parent;       /* module that loaded us */
  95     PRBool      isCritical;     /* This module must load successfully */
  96     PRBool      isModuleDB;     /* this module has lists of PKCS #11 modules */
  97     PRBool      moduleDBOnly;   /* this module only has lists of PKCS #11 modules */
  98     int         trustOrder;     /* order for this module's certificate trust rollup */
  99     int         cipherOrder;    /* order for cipher operations */
 100     unsigned long evControlMask; /* control the running and shutdown of slot
 101                                   * events (SECMOD_WaitForAnyTokenEvent) */
 102     CK_VERSION  cryptokiVersion; /* version of this library */
 103 };
 104
 105 /* evControlMask flags */
 106 /*
 107  * These bits tell the current state of a SECMOD_WaitForAnyTokenEvent.
 108  *
 109  * SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in
 110  *  C_WaitForSlotEvent().
 111  * SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code
 112  *  which polls for token insertion and removal events.
 113  * SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is
 114  *  waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent
 115  *  should return immediately to it's caller.
 116  */
 117 #define SECMOD_END_WAIT             0x01
 118 #define SECMOD_WAIT_SIMULATED_EVENT 0x02
 119 #define SECMOD_WAIT_PKCS11_EVENT    0x04
 120
 121 struct SECMODModuleListStr {
 122     SECMODModuleList    *next;
 123     SECMODModule        *module;
 124 };
 125
 126 struct PK11SlotListStr {
 127     PK11SlotListElement *head;
 128     PK11SlotListElement *tail;
 129     PZLock *lock;
 130 };
 131
 132 struct PK11SlotListElementStr {
 133     PK11SlotListElement *next;
 134     PK11SlotListElement *prev;
 135     PK11SlotInfo *slot;
 136     int refCount;
 137 };
 138
 139 struct PK11RSAGenParamsStr {
 140     int keySizeInBits;
 141     unsigned long pe;
 142 };
 143
 144 typedef enum {
 145      PK11CertListUnique = 0,     /* get one instance of all certs */
 146      PK11CertListUser = 1,       /* get all instances of user certs */
 147      PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key.
 148                                   * deprecated. Use PK11CertListCAUnique
 149                                   */
 150      PK11CertListCA = 3,         /* get all instances of CA certs */
 151      PK11CertListCAUnique = 4,   /* get one instance of CA certs */
 152      PK11CertListUserUnique = 5, /* get one instance of user certs */
 153      PK11CertListAll = 6         /* get all instances of all certs */
 154 } PK11CertListType;
 155
 156 /*
 157  * Entry into the Array which lists all the legal bits for the default flags
 158  * in the slot, their definition, and the PKCS #11 mechanism the represent
 159  * Always Statically allocated.
 160  */
 161 struct PK11DefaultArrayEntryStr {
 162     char *name;
 163     unsigned long flag;
 164     unsigned long mechanism; /* this is a long so we don't include the
 165                               * whole pkcs 11 world to use this header */
 166 };
 167
 168
 169 #define SECMOD_RSA_FLAG         0x00000001L
 170 #define SECMOD_DSA_FLAG         0x00000002L
 171 #define SECMOD_RC2_FLAG         0x00000004L
 172 #define SECMOD_RC4_FLAG         0x00000008L
 173 #define SECMOD_DES_FLAG         0x00000010L
 174 #define SECMOD_DH_FLAG          0x00000020L
 175 #define SECMOD_FORTEZZA_FLAG    0x00000040L
 176 #define SECMOD_RC5_FLAG         0x00000080L
 177 #define SECMOD_SHA1_FLAG        0x00000100L
 178 #define SECMOD_MD5_FLAG         0x00000200L
 179 #define SECMOD_MD2_FLAG         0x00000400L
 180 #define SECMOD_SSL_FLAG         0x00000800L
 181 #define SECMOD_TLS_FLAG         0x00001000L
 182 #define SECMOD_AES_FLAG         0x00002000L
 183 #define SECMOD_SHA256_FLAG      0x00004000L
 184 #define SECMOD_SHA512_FLAG      0x00008000L     /* also for SHA384 */
 185 #define SECMOD_CAMELLIA_FLAG    0x00010000L /* = PUBLIC_MECH_CAMELLIA_FLAG */
 186 /* reserved bit for future, do not use */
 187 #define SECMOD_RESERVED_FLAG    0X08000000L
 188 #define SECMOD_FRIENDLY_FLAG    0x10000000L
 189 #define SECMOD_RANDOM_FLAG      0x80000000L
 190
 191 /* need to make SECMOD and PK11 prefixes consistant. */
 192 #define PK11_OWN_PW_DEFAULTS 0x20000000L
 193 #define PK11_DISABLE_FLAG    0x40000000L
 194
 195 /*
 196  * PK11AttrFlags
 197  *
 198  * A 32-bit bitmask of PK11_ATTR_XXX flags
 199  */
 200 typedef PRUint32 PK11AttrFlags;
 201
 202 /*
 203  * PK11_ATTR_XXX
 204  *
 205  * The following PK11_ATTR_XXX bitflags are used to specify
 206  * PKCS #11 object attributes that have Boolean values.  Some NSS
 207  * functions have a "PK11AttrFlags attrFlags" parameter whose value
 208  * is the logical OR of these bitflags.  NSS use these bitflags on
 209  * private keys or secret keys.  Some of these bitflags also apply
 210  * to the public keys associated with the private keys.
 211  *
 212  * For each PKCS #11 object attribute, we need two bitflags to
 213  * specify not only "true" and "false" but also "default".  For
 214  * example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the
 215  * CKA_PRIVATE attribute.  If PK11_ATTR_PRIVATE is set, we add
 216  *     { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) }
 217  * to the template.  If PK11_ATTR_PUBLIC is set, we add
 218  *     { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) }
 219  * to the template.  If neither flag is set, we don't add any
 220  * CKA_PRIVATE entry to the template.
 221  */
 222
 223 /*
 224  * Attributes for PKCS #11 storage objects, which include not only
 225  * keys but also certificates and domain parameters.
 226  */
 227
 228 /*
 229  * PK11_ATTR_TOKEN
 230  * PK11_ATTR_SESSION
 231  *
 232  * These two flags determine whether the object is a token or
 233  * session object.
 234  *
 235  * These two flags are related and cannot both be set.
 236  * If the PK11_ATTR_TOKEN flag is set, the object is a token
 237  * object.  If the PK11_ATTR_SESSION flag is set, the object is
 238  * a session object.  If neither flag is set, the object is *by
 239  * default* a session object.
 240  *
 241  * These two flags specify the value of the PKCS #11 CKA_TOKEN
 242  * attribute.
 243  */
 244 #define PK11_ATTR_TOKEN         0x00000001L
 245 #define PK11_ATTR_SESSION       0x00000002L
 246
 247 /*
 248  * PK11_ATTR_PRIVATE
 249  * PK11_ATTR_PUBLIC
 250  *
 251  * These two flags determine whether the object is a private or
 252  * public object.  A user may not access a private object until the
 253  * user has authenticated to the token.
 254  *
 255  * These two flags are related and cannot both be set.
 256  * If the PK11_ATTR_PRIVATE flag is set, the object is a private
 257  * object.  If the PK11_ATTR_PUBLIC flag is set, the object is a
 258  * public object.  If neither flag is set, it is token-specific
 259  * whether the object is private or public.
 260  *
 261  * These two flags specify the value of the PKCS #11 CKA_PRIVATE
 262  * attribute.  NSS only uses this attribute on private and secret
 263  * keys, so public keys created by NSS get the token-specific
 264  * default value of the CKA_PRIVATE attribute.
 265  */
 266 #define PK11_ATTR_PRIVATE       0x00000004L
 267 #define PK11_ATTR_PUBLIC        0x00000008L
 268
 269 /*
 270  * PK11_ATTR_MODIFIABLE
 271  * PK11_ATTR_UNMODIFIABLE
 272  *
 273  * These two flags determine whether the object is modifiable or
 274  * read-only.
 275  *
 276  * These two flags are related and cannot both be set.
 277  * If the PK11_ATTR_MODIFIABLE flag is set, the object can be
 278  * modified.  If the PK11_ATTR_UNMODIFIABLE flag is set, the object
 279  * is read-only.  If neither flag is set, the object is *by default*
 280  * modifiable.
 281  *
 282  * These two flags specify the value of the PKCS #11 CKA_MODIFIABLE
 283  * attribute.
 284  */
 285 #define PK11_ATTR_MODIFIABLE    0x00000010L
 286 #define PK11_ATTR_UNMODIFIABLE  0x00000020L
 287
 288 /* Attributes for PKCS #11 key objects. */
 289
 290 /*
 291  * PK11_ATTR_SENSITIVE
 292  * PK11_ATTR_INSENSITIVE
 293  *
 294  * These two flags are related and cannot both be set.
 295  * If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive.
 296  * If the PK11_ATTR_INSENSITIVE flag is set, the key is not
 297  * sensitive.  If neither flag is set, it is token-specific whether
 298  * the key is sensitive or not.
 299  *
 300  * If a key is sensitive, certain attributes of the key cannot be
 301  * revealed in plaintext outside the token.
 302  *
 303  * This flag specifies the value of the PKCS #11 CKA_SENSITIVE
 304  * attribute.  Although the default value of the CKA_SENSITIVE
 305  * attribute for secret keys is CK_FALSE per PKCS #11, some FIPS
 306  * tokens set the default value to CK_TRUE because only CK_TRUE
 307  * is allowed.  So in practice the default value of this attribute
 308  * is token-specific, hence the need for two bitflags.
 309  */
 310 #define PK11_ATTR_SENSITIVE     0x00000040L
 311 #define PK11_ATTR_INSENSITIVE   0x00000080L
 312
 313 /*
 314  * PK11_ATTR_EXTRACTABLE
 315  * PK11_ATTR_UNEXTRACTABLE
 316  *
 317  * These two flags are related and cannot both be set.
 318  * If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable
 319  * and can be wrapped.  If the PK11_ATTR_UNEXTRACTABLE flag is set,
 320  * the key is not extractable, and certain attributes of the key
 321  * cannot be revealed in plaintext outside the token (just like a
 322  * sensitive key).  If neither flag is set, it is token-specific
 323  * whether the key is extractable or not.
 324  *
 325  * These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE
 326  * attribute.
 327  */
 328 #define PK11_ATTR_EXTRACTABLE   0x00000100L
 329 #define PK11_ATTR_UNEXTRACTABLE 0x00000200L
 330
 331 /* Cryptographic module types */
 332 #define SECMOD_EXTERNAL 0       /* external module */
 333 #define SECMOD_INTERNAL 1       /* internal default module */
 334 #define SECMOD_FIPS     2       /* internal fips module */
 335
 336 /* default module configuration strings */
 337 #define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SHA256,SHA512]"
 338
 339 #define SECMOD_MAKE_NSS_FLAGS(fips,slot) \
 340 "Flags=internal,critical"fips" slotparams=("#slot"={"SECMOD_SLOT_FLAGS"})"
 341
 342 #define SECMOD_INT_NAME "NSS Internal PKCS #11 Module"
 343 #define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("",1)
 344 #define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
 345 #define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips",3)
 346
 347 /*
 348  * What is the origin of a given Key. Normally this doesn't matter, but
 349  * the fortezza code needs to know if it needs to invoke the SSL3 fortezza
 350  * hack.
 351  */
 352 typedef enum {
 353     PK11_OriginNULL = 0,        /* There is not key, it's a null SymKey */
 354     PK11_OriginDerive = 1,      /* Key was derived from some other key */
 355     PK11_OriginGenerated = 2,   /* Key was generated (also PBE keys) */
 356     PK11_OriginFortezzaHack = 3,/* Key was marked for fortezza hack */
 357     PK11_OriginUnwrap = 4       /* Key was unwrapped or decrypted */
 358 } PK11Origin;
 359
 360 /* PKCS #11 disable reasons */
 361 typedef enum {
 362     PK11_DIS_NONE = 0,
 363     PK11_DIS_USER_SELECTED = 1,
 364     PK11_DIS_COULD_NOT_INIT_TOKEN = 2,
 365     PK11_DIS_TOKEN_VERIFY_FAILED = 3,
 366     PK11_DIS_TOKEN_NOT_PRESENT = 4
 367 } PK11DisableReasons;
 368
 369 /* types of PKCS #11 objects
 370  * used to identify which NSS data structure is
 371  * passed to the PK11_Raw* functions. Types map as follows:
 372  *   PK11_TypeGeneric            PK11GenericObject *
 373  *   PK11_TypePrivKey            SECKEYPrivateKey *
 374  *   PK11_TypePubKey             SECKEYPublicKey *
 375  *   PK11_TypeSymKey             PK11SymKey *
 376  *   PK11_TypeCert               CERTCertificate * (currently not used).
 377  */
 378 typedef enum {
 379    PK11_TypeGeneric = 0,
 380    PK11_TypePrivKey = 1,
 381    PK11_TypePubKey = 2,
 382    PK11_TypeCert = 3,
 383    PK11_TypeSymKey = 4
 384 } PK11ObjectType;
 385
 386
 387
 388 /* function pointer type for password callback function.
 389  * This type is passed in to PK11_SetPasswordFunc()
 390  */
 391 typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg);
 392 typedef PRBool (PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg);
 393 typedef PRBool (PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg);
 394
 395 /*
 396  * Special strings the password callback function can return only if
 397  * the slot is an protected auth path slot.
 398  */
 399 #define PK11_PW_RETRY           "RETRY" /* an failed attempt to authenticate
 400                                          * has already been made, just retry
 401                                          * the operation */
 402 #define PK11_PW_AUTHENTICATED   "AUTH"  /* a successful attempt to authenticate
 403                                          * has completed. Continue without
 404                                          * another call to C_Login */
 405 /* All other non-null values mean that that NSS could call C_Login to force
 406  * the authentication. The following define is to aid applications in
 407  * documenting that is what it's trying to do */
 408 #define PK11_PW_TRY             "TRY"   /* Default: a prompt has been presented
 409                                          * to the user, initiate a C_Login
 410                                          * to authenticate the token */
 411
 412 /*
 413  * PKCS #11 key structures
 414  */
 415
 416 /*
 417 ** Attributes
 418 */
 419 struct SECKEYAttributeStr {
 420     SECItem attrType;
 421     SECItem **attrValue;
 422 };
 423 typedef struct SECKEYAttributeStr SECKEYAttribute;
 424
 425 /*
 426 ** A PKCS#8 private key info object
 427 */
 428 struct SECKEYPrivateKeyInfoStr {
 429     PLArenaPool *arena;
 430     SECItem version;
 431     SECAlgorithmID algorithm;
 432     SECItem privateKey;
 433     SECKEYAttribute **attributes;
 434 };
 435 typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo;
 436
 437 /*
 438 ** A PKCS#8 private key info object
 439 */
 440 struct SECKEYEncryptedPrivateKeyInfoStr {
 441     PLArenaPool *arena;
 442     SECAlgorithmID algorithm;
 443     SECItem encryptedData;
 444 };
 445 typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo;
 446
 447 /*
 448  * token removal detection
 449  */
 450 typedef enum {
 451    PK11TokenNotRemovable = 0,
 452    PK11TokenPresent = 1,
 453    PK11TokenChanged = 2,
 454    PK11TokenRemoved = 3
 455 } PK11TokenStatus;
 456
 457 typedef enum {
 458    PK11TokenRemovedOrChangedEvent = 0,
 459    PK11TokenPresentEvent = 1
 460 } PK11TokenEvent;
 461
 462 /*
 463  * CRL Import Flags
 464  */
 465 #define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000
 466 #define CRL_IMPORT_BYPASS_CHECKS   0x00000001
 467
 468
 469 /*
 470  * Merge Error Log
 471  */
 472 typedef struct PK11MergeLogStr PK11MergeLog;
 473 typedef struct PK11MergeLogNodeStr PK11MergeLogNode;
 474
 475 /* These need to be global, leave some open fields so we can 'expand'
 476  * these without breaking binary compatibility */
 477 struct PK11MergeLogNodeStr {
 478     PK11MergeLogNode *next;   /* next entry in the list */
 479     PK11MergeLogNode *prev;   /* last entry in the list */
 480     PK11GenericObject *object; /* object that failed */
 481     int error;                 /* what the error was */
 482     CK_RV reserved1;
 483     unsigned long reserved2; /* future flags */
 484     unsigned long reserved3; /* future scalar */
 485     void *reserved4;          /* future pointer */
 486     void *reserved5;          /* future expansion pointer */
 487 };
 488
 489 struct PK11MergeLogStr {
 490     PK11MergeLogNode *head;
 491     PK11MergeLogNode *tail;
 492     PLArenaPool *arena;
 493     int version;
 494     unsigned long reserved1;
 495     unsigned long reserved2;
 496     unsigned long reserved3;
 497     void *reserverd4;
 498     void *reserverd5;
 499 };
 500
 501
 502 #endif /*_SECMODT_H_ */