| 1 | /* This Source Code Form is subject to the terms of the Mozilla Public |
|---|---|
| 2 | * License, v. 2.0. If a copy of the MPL was not distributed with this |
| 3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| 4 | |
| 5 | #ifndef _PKCS11N_H_ |
| 6 | #define _PKCS11N_H_ |
| 7 | |
| 8 | /* |
| 9 | * pkcs11n.h |
| 10 | * |
| 11 | * This file contains the NSS-specific type definitions for Cryptoki |
| 12 | * (PKCS#11). |
| 13 | */ |
| 14 | |
| 15 | /* |
| 16 | * NSSCK_VENDOR_NSS |
| 17 | * |
| 18 | * Cryptoki reserves the high half of all the number spaces for |
| 19 | * vendor-defined use. I'd like to keep all of our NSS- |
| 20 | * specific values together, but not in the oh-so-obvious |
| 21 | * 0x80000001, 0x80000002, etc. area. So I've picked an offset, |
| 22 | * and constructed values for the beginnings of our spaces. |
| 23 | * |
| 24 | * Note that some "historical" Netscape values don't fall within |
| 25 | * this range. |
| 26 | */ |
| 27 | #define NSSCK_VENDOR_NSS 0x4E534350 /* NSCP */ |
| 28 | |
| 29 | /* |
| 30 | * NSS-defined object classes |
| 31 | * |
| 32 | */ |
| 33 | #define CKO_NSS (CKO_VENDOR_DEFINED|NSSCK_VENDOR_NSS) |
| 34 | |
| 35 | #define CKO_NSS_CRL (CKO_NSS + 1) |
| 36 | #define CKO_NSS_SMIME (CKO_NSS + 2) |
| 37 | #define CKO_NSS_TRUST (CKO_NSS + 3) |
| 38 | #define CKO_NSS_BUILTIN_ROOT_LIST (CKO_NSS + 4) |
| 39 | #define CKO_NSS_NEWSLOT (CKO_NSS + 5) |
| 40 | #define CKO_NSS_DELSLOT (CKO_NSS + 6) |
| 41 | |
| 42 | |
| 43 | /* |
| 44 | * NSS-defined key types |
| 45 | * |
| 46 | */ |
| 47 | #define CKK_NSS (CKK_VENDOR_DEFINED|NSSCK_VENDOR_NSS) |
| 48 | |
| 49 | #define CKK_NSS_PKCS8 (CKK_NSS + 1) |
| 50 | |
| 51 | #define CKK_NSS_JPAKE_ROUND1 (CKK_NSS + 2) |
| 52 | #define CKK_NSS_JPAKE_ROUND2 (CKK_NSS + 3) |
| 53 | |
| 54 | /* |
| 55 | * NSS-defined certificate types |
| 56 | * |
| 57 | */ |
| 58 | #define CKC_NSS (CKC_VENDOR_DEFINED|NSSCK_VENDOR_NSS) |
| 59 | |
| 60 | /* FAKE PKCS #11 defines */ |
| 61 | #define CKA_DIGEST 0x81000000L |
| 62 | #define CKA_FLAGS_ONLY 0 /* CKA_CLASS */ |
| 63 | |
| 64 | /* |
| 65 | * NSS-defined object attributes |
| 66 | * |
| 67 | */ |
| 68 | #define CKA_NSS (CKA_VENDOR_DEFINED|NSSCK_VENDOR_NSS) |
| 69 | |
| 70 | #define CKA_NSS_URL (CKA_NSS + 1) |
| 71 | #define CKA_NSS_EMAIL (CKA_NSS + 2) |
| 72 | #define CKA_NSS_SMIME_INFO (CKA_NSS + 3) |
| 73 | #define CKA_NSS_SMIME_TIMESTAMP (CKA_NSS + 4) |
| 74 | #define CKA_NSS_PKCS8_SALT (CKA_NSS + 5) |
| 75 | #define CKA_NSS_PASSWORD_CHECK (CKA_NSS + 6) |
| 76 | #define CKA_NSS_EXPIRES (CKA_NSS + 7) |
| 77 | #define CKA_NSS_KRL (CKA_NSS + 8) |
| 78 | |
| 79 | #define CKA_NSS_PQG_COUNTER (CKA_NSS + 20) |
| 80 | #define CKA_NSS_PQG_SEED (CKA_NSS + 21) |
| 81 | #define CKA_NSS_PQG_H (CKA_NSS + 22) |
| 82 | #define CKA_NSS_PQG_SEED_BITS (CKA_NSS + 23) |
| 83 | #define CKA_NSS_MODULE_SPEC (CKA_NSS + 24) |
| 84 | #define CKA_NSS_OVERRIDE_EXTENSIONS (CKA_NSS + 25) |
| 85 | |
| 86 | #define CKA_NSS_JPAKE_SIGNERID (CKA_NSS + 26) |
| 87 | #define CKA_NSS_JPAKE_PEERID (CKA_NSS + 27) |
| 88 | #define CKA_NSS_JPAKE_GX1 (CKA_NSS + 28) |
| 89 | #define CKA_NSS_JPAKE_GX2 (CKA_NSS + 29) |
| 90 | #define CKA_NSS_JPAKE_GX3 (CKA_NSS + 30) |
| 91 | #define CKA_NSS_JPAKE_GX4 (CKA_NSS + 31) |
| 92 | #define CKA_NSS_JPAKE_X2 (CKA_NSS + 32) |
| 93 | #define CKA_NSS_JPAKE_X2S (CKA_NSS + 33) |
| 94 | |
| 95 | /* |
| 96 | * Trust attributes: |
| 97 | * |
| 98 | * If trust goes standard, these probably will too. So I'll |
| 99 | * put them all in one place. |
| 100 | */ |
| 101 | |
| 102 | #define CKA_TRUST (CKA_NSS + 0x2000) |
| 103 | |
| 104 | /* "Usage" key information */ |
| 105 | #define CKA_TRUST_DIGITAL_SIGNATURE (CKA_TRUST + 1) |
| 106 | #define CKA_TRUST_NON_REPUDIATION (CKA_TRUST + 2) |
| 107 | #define CKA_TRUST_KEY_ENCIPHERMENT (CKA_TRUST + 3) |
| 108 | #define CKA_TRUST_DATA_ENCIPHERMENT (CKA_TRUST + 4) |
| 109 | #define CKA_TRUST_KEY_AGREEMENT (CKA_TRUST + 5) |
| 110 | #define CKA_TRUST_KEY_CERT_SIGN (CKA_TRUST + 6) |
| 111 | #define CKA_TRUST_CRL_SIGN (CKA_TRUST + 7) |
| 112 | |
| 113 | /* "Purpose" trust information */ |
| 114 | #define CKA_TRUST_SERVER_AUTH (CKA_TRUST + 8) |
| 115 | #define CKA_TRUST_CLIENT_AUTH (CKA_TRUST + 9) |
| 116 | #define CKA_TRUST_CODE_SIGNING (CKA_TRUST + 10) |
| 117 | #define CKA_TRUST_EMAIL_PROTECTION (CKA_TRUST + 11) |
| 118 | #define CKA_TRUST_IPSEC_END_SYSTEM (CKA_TRUST + 12) |
| 119 | #define CKA_TRUST_IPSEC_TUNNEL (CKA_TRUST + 13) |
| 120 | #define CKA_TRUST_IPSEC_USER (CKA_TRUST + 14) |
| 121 | #define CKA_TRUST_TIME_STAMPING (CKA_TRUST + 15) |
| 122 | #define CKA_TRUST_STEP_UP_APPROVED (CKA_TRUST + 16) |
| 123 | |
| 124 | #define CKA_CERT_SHA1_HASH (CKA_TRUST + 100) |
| 125 | #define CKA_CERT_MD5_HASH (CKA_TRUST + 101) |
| 126 | |
| 127 | /* NSS trust stuff */ |
| 128 | |
| 129 | /* HISTORICAL: define used to pass in the database key for DSA private keys */ |
| 130 | #define CKA_NETSCAPE_DB 0xD5A0DB00L |
| 131 | #define CKA_NETSCAPE_TRUST 0x80000001L |
| 132 | |
| 133 | /* FAKE PKCS #11 defines */ |
| 134 | #define CKM_FAKE_RANDOM 0x80000efeUL |
| 135 | #define CKM_INVALID_MECHANISM 0xffffffffUL |
| 136 | |
| 137 | /* |
| 138 | * NSS-defined crypto mechanisms |
| 139 | * |
| 140 | */ |
| 141 | #define CKM_NSS (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NSS) |
| 142 | |
| 143 | #define CKM_NSS_AES_KEY_WRAP (CKM_NSS + 1) |
| 144 | #define CKM_NSS_AES_KEY_WRAP_PAD (CKM_NSS + 2) |
| 145 | |
| 146 | /* HKDF key derivation mechanisms. See CK_NSS_HKDFParams for documentation. */ |
| 147 | #define CKM_NSS_HKDF_SHA1 (CKM_NSS + 3) |
| 148 | #define CKM_NSS_HKDF_SHA256 (CKM_NSS + 4) |
| 149 | #define CKM_NSS_HKDF_SHA384 (CKM_NSS + 5) |
| 150 | #define CKM_NSS_HKDF_SHA512 (CKM_NSS + 6) |
| 151 | |
| 152 | /* J-PAKE round 1 key generation mechanisms. |
| 153 | * |
| 154 | * Required template attributes: CKA_PRIME, CKA_SUBPRIME, CKA_BASE, |
| 155 | * CKA_NSS_JPAKE_SIGNERID |
| 156 | * Output key type: CKK_NSS_JPAKE_ROUND1 |
| 157 | * Output key class: CKO_PRIVATE_KEY |
| 158 | * Parameter type: CK_NSS_JPAKERound1Params |
| 159 | * |
| 160 | */ |
| 161 | #define CKM_NSS_JPAKE_ROUND1_SHA1 (CKM_NSS + 7) |
| 162 | #define CKM_NSS_JPAKE_ROUND1_SHA256 (CKM_NSS + 8) |
| 163 | #define CKM_NSS_JPAKE_ROUND1_SHA384 (CKM_NSS + 9) |
| 164 | #define CKM_NSS_JPAKE_ROUND1_SHA512 (CKM_NSS + 10) |
| 165 | |
| 166 | /* J-PAKE round 2 key derivation mechanisms. |
| 167 | * |
| 168 | * Required template attributes: CKA_NSS_JPAKE_PEERID |
| 169 | * Input key type: CKK_NSS_JPAKE_ROUND1 |
| 170 | * Output key type: CKK_NSS_JPAKE_ROUND2 |
| 171 | * Output key class: CKO_PRIVATE_KEY |
| 172 | * Parameter type: CK_NSS_JPAKERound2Params |
| 173 | */ |
| 174 | #define CKM_NSS_JPAKE_ROUND2_SHA1 (CKM_NSS + 11) |
| 175 | #define CKM_NSS_JPAKE_ROUND2_SHA256 (CKM_NSS + 12) |
| 176 | #define CKM_NSS_JPAKE_ROUND2_SHA384 (CKM_NSS + 13) |
| 177 | #define CKM_NSS_JPAKE_ROUND2_SHA512 (CKM_NSS + 14) |
| 178 | |
| 179 | /* J-PAKE final key material derivation mechanisms |
| 180 | * |
| 181 | * Input key type: CKK_NSS_JPAKE_ROUND2 |
| 182 | * Output key type: CKK_GENERIC_SECRET |
| 183 | * Output key class: CKO_SECRET_KEY |
| 184 | * Parameter type: CK_NSS_JPAKEFinalParams |
| 185 | * |
| 186 | * You must apply a KDF (e.g. CKM_NSS_HKDF_*) to resultant keying material |
| 187 | * to get a key with uniformly distributed bits. |
| 188 | */ |
| 189 | #define CKM_NSS_JPAKE_FINAL_SHA1 (CKM_NSS + 15) |
| 190 | #define CKM_NSS_JPAKE_FINAL_SHA256 (CKM_NSS + 16) |
| 191 | #define CKM_NSS_JPAKE_FINAL_SHA384 (CKM_NSS + 17) |
| 192 | #define CKM_NSS_JPAKE_FINAL_SHA512 (CKM_NSS + 18) |
| 193 | |
| 194 | /* Constant-time MAC mechanisms: |
| 195 | * |
| 196 | * These operations verify a padded, MAC-then-encrypt block of data in |
| 197 | * constant-time. Because of the order of operations, the padding bytes are not |
| 198 | * protected by the MAC. However, disclosing the value of the padding bytes |
| 199 | * gives an attacker the ability to decrypt ciphertexts. Such disclosure can be |
| 200 | * as subtle as taking slightly less time to perform the MAC when the padding |
| 201 | * is one byte longer. See https://www.isg.rhul.ac.uk/tls/ |
| 202 | * |
| 203 | * CKM_NSS_HMAC_CONSTANT_TIME: performs an HMAC authentication. |
| 204 | * CKM_NSS_SSL3_MAC_CONSTANT_TIME: performs an authentication with SSLv3 MAC. |
| 205 | * |
| 206 | * Parameter type: CK_NSS_MAC_CONSTANT_TIME_PARAMS |
| 207 | */ |
| 208 | #define CKM_NSS_HMAC_CONSTANT_TIME (CKM_NSS + 19) |
| 209 | #define CKM_NSS_SSL3_MAC_CONSTANT_TIME (CKM_NSS + 20) |
| 210 | |
| 211 | /* TLS 1.2 mechanisms */ |
| 212 | #define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21) |
| 213 | #define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22) |
| 214 | #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23) |
| 215 | #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) |
| 216 | |
| 217 | /* |
| 218 | * HISTORICAL: |
| 219 | * Do not attempt to use these. They are only used by NETSCAPE's internal |
| 220 | * PKCS #11 interface. Most of these are place holders for other mechanism |
| 221 | * and will change in the future. |
| 222 | */ |
| 223 | #define CKM_NETSCAPE_PBE_SHA1_DES_CBC 0x80000002UL |
| 224 | #define CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC 0x80000003UL |
| 225 | #define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC 0x80000004UL |
| 226 | #define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC 0x80000005UL |
| 227 | #define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4 0x80000006UL |
| 228 | #define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4 0x80000007UL |
| 229 | #define CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC 0x80000008UL |
| 230 | #define CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN 0x80000009UL |
| 231 | #define CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN 0x8000000aUL |
| 232 | #define CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN 0x8000000bUL |
| 233 | |
| 234 | #define CKM_TLS_PRF_GENERAL 0x80000373UL |
| 235 | |
| 236 | typedef struct CK_NSS_JPAKEPublicValue { |
| 237 | CK_BYTE * pGX; |
| 238 | CK_ULONG ulGXLen; |
| 239 | CK_BYTE * pGV; |
| 240 | CK_ULONG ulGVLen; |
| 241 | CK_BYTE * pR; |
| 242 | CK_ULONG ulRLen; |
| 243 | } CK_NSS_JPAKEPublicValue; |
| 244 | |
| 245 | typedef struct CK_NSS_JPAKERound1Params { |
| 246 | CK_NSS_JPAKEPublicValue gx1; /* out */ |
| 247 | CK_NSS_JPAKEPublicValue gx2; /* out */ |
| 248 | } CK_NSS_JPAKERound1Params; |
| 249 | |
| 250 | typedef struct CK_NSS_JPAKERound2Params { |
| 251 | CK_BYTE * pSharedKey; /* in */ |
| 252 | CK_ULONG ulSharedKeyLen; /* in */ |
| 253 | CK_NSS_JPAKEPublicValue gx3; /* in */ |
| 254 | CK_NSS_JPAKEPublicValue gx4; /* in */ |
| 255 | CK_NSS_JPAKEPublicValue A; /* out */ |
| 256 | } CK_NSS_JPAKERound2Params; |
| 257 | |
| 258 | typedef struct CK_NSS_JPAKEFinalParams { |
| 259 | CK_NSS_JPAKEPublicValue B; /* in */ |
| 260 | } CK_NSS_JPAKEFinalParams; |
| 261 | |
| 262 | /* macAlg: the MAC algorithm to use. This determines the hash function used in |
| 263 | * the HMAC/SSLv3 MAC calculations. |
| 264 | * ulBodyTotalLen: the total length of the data, including padding bytes and |
| 265 | * padding length. |
| 266 | * pHeader: points to a block of data that contains additional data to |
| 267 | * authenticate. For TLS this includes the sequence number etc. For SSLv3, |
| 268 | * this also includes the initial padding bytes. |
| 269 | * |
| 270 | * NOTE: the softoken's implementation of CKM_NSS_HMAC_CONSTANT_TIME and |
| 271 | * CKM_NSS_SSL3_MAC_CONSTANT_TIME requires that the sum of ulBodyTotalLen |
| 272 | * and ulHeaderLen be much smaller than 2^32 / 8 bytes because it uses an |
| 273 | * unsigned int variable to represent the length in bits. This should not |
| 274 | * be a problem because the SSL/TLS protocol limits the size of an SSL |
| 275 | * record to something considerably less than 2^32 bytes. |
| 276 | */ |
| 277 | typedef struct CK_NSS_MAC_CONSTANT_TIME_PARAMS { |
| 278 | CK_MECHANISM_TYPE macAlg; /* in */ |
| 279 | CK_ULONG ulBodyTotalLen; /* in */ |
| 280 | CK_BYTE * pHeader; /* in */ |
| 281 | CK_ULONG ulHeaderLen; /* in */ |
| 282 | } CK_NSS_MAC_CONSTANT_TIME_PARAMS; |
| 283 | |
| 284 | /* |
| 285 | * NSS-defined return values |
| 286 | * |
| 287 | */ |
| 288 | #define CKR_NSS (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NSS) |
| 289 | |
| 290 | #define CKR_NSS_CERTDB_FAILED (CKR_NSS + 1) |
| 291 | #define CKR_NSS_KEYDB_FAILED (CKR_NSS + 2) |
| 292 | |
| 293 | /* Mandatory parameter for the CKM_NSS_HKDF_* key deriviation mechanisms. |
| 294 | See RFC 5869. |
| 295 | |
| 296 | bExtract: If set, HKDF-Extract will be applied to the input key. If |
| 297 | the optional salt is given, it is used; otherwise, the salt is |
| 298 | set to a sequence of zeros equal in length to the HMAC output. |
| 299 | If bExpand is not set, then the key template given to |
| 300 | C_DeriveKey must indicate an output key size less than or equal |
| 301 | to the output size of the HMAC. |
| 302 | |
| 303 | bExpand: If set, HKDF-Expand will be applied to the input key (if |
| 304 | bExtract is not set) or to the result of HKDF-Extract (if |
| 305 | bExtract is set). Any info given in the optional pInfo field will |
| 306 | be included in the calculation. |
| 307 | |
| 308 | The size of the output key must be specified in the template passed to |
| 309 | C_DeriveKey. |
| 310 | */ |
| 311 | typedef struct CK_NSS_HKDFParams { |
| 312 | CK_BBOOL bExtract; |
| 313 | CK_BYTE_PTR pSalt; |
| 314 | CK_ULONG ulSaltLen; |
| 315 | CK_BBOOL bExpand; |
| 316 | CK_BYTE_PTR pInfo; |
| 317 | CK_ULONG ulInfoLen; |
| 318 | } CK_NSS_HKDFParams; |
| 319 | |
| 320 | /* |
| 321 | * Trust info |
| 322 | * |
| 323 | * This isn't part of the Cryptoki standard (yet), so I'm putting |
| 324 | * all the definitions here. Some of this would move to nssckt.h |
| 325 | * if trust info were made part of the standard. In view of this |
| 326 | * possibility, I'm putting my (NSS) values in the NSS |
| 327 | * vendor space, like everything else. |
| 328 | */ |
| 329 | |
| 330 | typedef CK_ULONG CK_TRUST; |
| 331 | |
| 332 | /* The following trust types are defined: */ |
| 333 | #define CKT_VENDOR_DEFINED 0x80000000 |
| 334 | |
| 335 | #define CKT_NSS (CKT_VENDOR_DEFINED|NSSCK_VENDOR_NSS) |
| 336 | |
| 337 | /* If trust goes standard, these'll probably drop out of vendor space. */ |
| 338 | #define CKT_NSS_TRUSTED (CKT_NSS + 1) |
| 339 | #define CKT_NSS_TRUSTED_DELEGATOR (CKT_NSS + 2) |
| 340 | #define CKT_NSS_MUST_VERIFY_TRUST (CKT_NSS + 3) |
| 341 | #define CKT_NSS_NOT_TRUSTED (CKT_NSS + 10) |
| 342 | #define CKT_NSS_TRUST_UNKNOWN (CKT_NSS + 5) /* default */ |
| 343 | |
| 344 | /* |
| 345 | * These may well remain NSS-specific; I'm only using them |
| 346 | * to cache resolution data. |
| 347 | */ |
| 348 | #define CKT_NSS_VALID_DELEGATOR (CKT_NSS + 11) |
| 349 | |
| 350 | |
| 351 | /* |
| 352 | * old definitions. They still exist, but the plain meaning of the |
| 353 | * labels have never been accurate to what was really implemented. |
| 354 | * The new labels correctly reflect what the values effectively mean. |
| 355 | */ |
| 356 | #if defined(__GNUC__) && (__GNUC__ > 3) |
| 357 | /* make GCC warn when we use these #defines */ |
| 358 | /* |
| 359 | * This is really painful because GCC doesn't allow us to mark random |
| 360 | * #defines as deprecated. We can only mark the following: |
| 361 | * functions, variables, and types. |
| 362 | * const variables will create extra storage for everyone including this |
| 363 | * header file, so it's undesirable. |
| 364 | * functions could be inlined to prevent storage creation, but will fail |
| 365 | * when constant values are expected (like switch statements). |
| 366 | * enum types do not seem to pay attention to the deprecated attribute. |
| 367 | * |
| 368 | * That leaves typedefs. We declare new types that we then deprecate, then |
| 369 | * cast the resulting value to the deprecated type in the #define, thus |
| 370 | * producting the warning when the #define is used. |
| 371 | */ |
| 372 | #if (__GNUC__ == 4) && (__GNUC_MINOR__ < 5) |
| 373 | /* The mac doesn't like the friendlier deprecate messages. I'm assuming this |
| 374 | * is a gcc version issue rather than mac or ppc specific */ |
| 375 | typedef CK_TRUST __CKT_NSS_UNTRUSTED __attribute__((deprecated)); |
| 376 | typedef CK_TRUST __CKT_NSS_VALID __attribute__ ((deprecated)); |
| 377 | typedef CK_TRUST __CKT_NSS_MUST_VERIFY __attribute__((deprecated)); |
| 378 | #else |
| 379 | /* when possible, get a full deprecation warning. This works on gcc 4.5 |
| 380 | * it may work on earlier versions of gcc */ |
| 381 | typedef CK_TRUST __CKT_NSS_UNTRUSTED __attribute__((deprecated |
| 382 | ("CKT_NSS_UNTRUSTED really means CKT_NSS_MUST_VERIFY_TRUST"))); |
| 383 | typedef CK_TRUST __CKT_NSS_VALID __attribute__ ((deprecated |
| 384 | ("CKT_NSS_VALID really means CKT_NSS_NOT_TRUSTED"))); |
| 385 | typedef CK_TRUST __CKT_NSS_MUST_VERIFY __attribute__((deprecated |
| 386 | ("CKT_NSS_MUST_VERIFY really functions as CKT_NSS_TRUST_UNKNOWN"))); |
| 387 | #endif |
| 388 | #define CKT_NSS_UNTRUSTED ((__CKT_NSS_UNTRUSTED)CKT_NSS_MUST_VERIFY_TRUST) |
| 389 | #define CKT_NSS_VALID ((__CKT_NSS_VALID) CKT_NSS_NOT_TRUSTED) |
| 390 | /* keep the old value for compatibility reasons*/ |
| 391 | #define CKT_NSS_MUST_VERIFY ((__CKT_NSS_MUST_VERIFY)(CKT_NSS +4)) |
| 392 | #else |
| 393 | #ifdef _WIN32 |
| 394 | /* This magic gets the windows compiler to give us a deprecation |
| 395 | * warning */ |
| 396 | #pragma deprecated(CKT_NSS_UNTRUSTED, CKT_NSS_MUST_VERIFY, CKT_NSS_VALID) |
| 397 | #endif |
| 398 | /* CKT_NSS_UNTRUSTED really means CKT_NSS_MUST_VERIFY_TRUST */ |
| 399 | #define CKT_NSS_UNTRUSTED CKT_NSS_MUST_VERIFY_TRUST |
| 400 | /* CKT_NSS_VALID really means CKT_NSS_NOT_TRUSTED */ |
| 401 | #define CKT_NSS_VALID CKT_NSS_NOT_TRUSTED |
| 402 | /* CKT_NSS_MUST_VERIFY was always treated as CKT_NSS_TRUST_UNKNOWN */ |
| 403 | #define CKT_NSS_MUST_VERIFY (CKT_NSS + 4) /*really means trust unknown*/ |
| 404 | #endif |
| 405 | |
| 406 | /* don't leave old programs in a lurch just yet, give them the old NETSCAPE |
| 407 | * synonym */ |
| 408 | #define CKO_NETSCAPE_CRL CKO_NSS_CRL |
| 409 | #define CKO_NETSCAPE_SMIME CKO_NSS_SMIME |
| 410 | #define CKO_NETSCAPE_TRUST CKO_NSS_TRUST |
| 411 | #define CKO_NETSCAPE_BUILTIN_ROOT_LIST CKO_NSS_BUILTIN_ROOT_LIST |
| 412 | #define CKO_NETSCAPE_NEWSLOT CKO_NSS_NEWSLOT |
| 413 | #define CKO_NETSCAPE_DELSLOT CKO_NSS_DELSLOT |
| 414 | #define CKK_NETSCAPE_PKCS8 CKK_NSS_PKCS8 |
| 415 | #define CKA_NETSCAPE_URL CKA_NSS_URL |
| 416 | #define CKA_NETSCAPE_EMAIL CKA_NSS_EMAIL |
| 417 | #define CKA_NETSCAPE_SMIME_INFO CKA_NSS_SMIME_INFO |
| 418 | #define CKA_NETSCAPE_SMIME_TIMESTAMP CKA_NSS_SMIME_TIMESTAMP |
| 419 | #define CKA_NETSCAPE_PKCS8_SALT CKA_NSS_PKCS8_SALT |
| 420 | #define CKA_NETSCAPE_PASSWORD_CHECK CKA_NSS_PASSWORD_CHECK |
| 421 | #define CKA_NETSCAPE_EXPIRES CKA_NSS_EXPIRES |
| 422 | #define CKA_NETSCAPE_KRL CKA_NSS_KRL |
| 423 | #define CKA_NETSCAPE_PQG_COUNTER CKA_NSS_PQG_COUNTER |
| 424 | #define CKA_NETSCAPE_PQG_SEED CKA_NSS_PQG_SEED |
| 425 | #define CKA_NETSCAPE_PQG_H CKA_NSS_PQG_H |
| 426 | #define CKA_NETSCAPE_PQG_SEED_BITS CKA_NSS_PQG_SEED_BITS |
| 427 | #define CKA_NETSCAPE_MODULE_SPEC CKA_NSS_MODULE_SPEC |
| 428 | #define CKM_NETSCAPE_AES_KEY_WRAP CKM_NSS_AES_KEY_WRAP |
| 429 | #define CKM_NETSCAPE_AES_KEY_WRAP_PAD CKM_NSS_AES_KEY_WRAP_PAD |
| 430 | #define CKR_NETSCAPE_CERTDB_FAILED CKR_NSS_CERTDB_FAILED |
| 431 | #define CKR_NETSCAPE_KEYDB_FAILED CKR_NSS_KEYDB_FAILED |
| 432 | |
| 433 | #define CKT_NETSCAPE_TRUSTED CKT_NSS_TRUSTED |
| 434 | #define CKT_NETSCAPE_TRUSTED_DELEGATOR CKT_NSS_TRUSTED_DELEGATOR |
| 435 | #define CKT_NETSCAPE_UNTRUSTED CKT_NSS_UNTRUSTED |
| 436 | #define CKT_NETSCAPE_MUST_VERIFY CKT_NSS_MUST_VERIFY |
| 437 | #define CKT_NETSCAPE_TRUST_UNKNOWN CKT_NSS_TRUST_UNKNOWN |
| 438 | #define CKT_NETSCAPE_VALID CKT_NSS_VALID |
| 439 | #define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR |
| 440 | |
| 441 | /* |
| 442 | * These are not really PKCS #11 values specifically. They are the 'loadable' |
| 443 | * module spec NSS uses. The are available for others to use as well, but not |
| 444 | * part of the formal PKCS #11 spec. |
| 445 | * |
| 446 | * The function 'FIND' returns an array of PKCS #11 initialization strings |
| 447 | * The function 'ADD' takes a PKCS #11 initialization string and stores it. |
| 448 | * The function 'DEL' takes a 'name= library=' value and deletes the associated |
| 449 | * string. |
| 450 | * The function 'RELEASE' frees the array returned by 'FIND' |
| 451 | */ |
| 452 | #define SECMOD_MODULE_DB_FUNCTION_FIND 0 |
| 453 | #define SECMOD_MODULE_DB_FUNCTION_ADD 1 |
| 454 | #define SECMOD_MODULE_DB_FUNCTION_DEL 2 |
| 455 | #define SECMOD_MODULE_DB_FUNCTION_RELEASE 3 |
| 456 | typedef char ** (PR_CALLBACK *SECMODModuleDBFunc)(unsigned long function, |
| 457 | char *parameters, void *moduleSpec); |
| 458 | |
| 459 | /* softoken slot ID's */ |
| 460 | #define SFTK_MIN_USER_SLOT_ID 4 |
| 461 | #define SFTK_MAX_USER_SLOT_ID 100 |
| 462 | #define SFTK_MIN_FIPS_USER_SLOT_ID 101 |
| 463 | #define SFTK_MAX_FIPS_USER_SLOT_ID 127 |
| 464 | |
| 465 | |
| 466 | #endif /* _PKCS11N_H_ */ |
| 467 |
Generated while processing kdesupport/qca/plugins/qca-nss/qca-nss.cpp
Generated on 2014-Aug-04 from project include
Powered by 
Code Browser 1.7