From beaf291bdaff4db783f17f19e431f848a3e5a9d6 Mon Sep 17 00:00:00 2001 From: "relyea%netscape.com" Date: Mon, 1 Aug 2005 18:23:56 +0000 Subject: [PATCH] Bug 298906 crash when accepting new certificate permanently on taschenonkel.de r=wtc, sr=nelson --- security/nss/lib/softoken/lowcert.c | 50 ++- security/nss/lib/softoken/pcert.h | 3 + security/nss/lib/softoken/pkcs11.c | 166 +++++++- security/nss/lib/softoken/pkcs11f.h | 12 +- security/nss/lib/softoken/pkcs11i.h | 10 +- security/nss/lib/softoken/pkcs11n.h | 4 +- security/nss/lib/softoken/pkcs11t.h | 635 +++++++++++++++++++++------- 7 files changed, 679 insertions(+), 201 deletions(-) diff --git a/security/nss/lib/softoken/lowcert.c b/security/nss/lib/softoken/lowcert.c index f440eb2f691..960dc195082 100644 --- a/security/nss/lib/softoken/lowcert.c +++ b/security/nss/lib/softoken/lowcert.c @@ -38,7 +38,7 @@ /* * Certificate handling code * - * $Id: lowcert.c,v 1.18 2004-04-25 15:03:16 gerv%gerv.net Exp $ + * $Id: lowcert.c,v 1.19 2005-08-01 18:23:55 relyea%netscape.com Exp $ */ #include "seccomon.h" @@ -50,6 +50,7 @@ #include "pcert.h" #include "secasn1.h" #include "secoid.h" +#include "secerr.h" #ifdef NSS_ENABLE_ECC extern SECStatus EC_FillParams(PRArenaPool *arena, @@ -362,21 +363,41 @@ nsslowcert_IsNewer(NSSLOWCERTCertificate *certa, NSSLOWCERTCertificate *certb) #define SOFT_DEFAULT_CHUNKSIZE 2048 - static SECStatus -nsslowcert_KeyFromIssuerAndSN(PRArenaPool *arena, SECItem *issuer, SECItem *sn, - SECItem *key) +nsslowcert_KeyFromIssuerAndSN(PRArenaPool *arena, + SECItem *issuer, SECItem *sn, SECItem *key) { unsigned int len = sn->len + issuer->len; - - if (arena) { - key->data = (unsigned char*)PORT_ArenaAlloc(arena, len); - } else { - if (len > key->len) { - key->data = (unsigned char*)PORT_ArenaAlloc(arena, len); - } + if (!arena) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + goto loser; } + key->data = (unsigned char*)PORT_ArenaAlloc(arena, len); + if ( !key->data ) { + goto loser; + } + + key->len = len; + /* copy the serialNumber */ + PORT_Memcpy(key->data, sn->data, sn->len); + + /* copy the issuer */ + PORT_Memcpy(&key->data[sn->len], issuer->data, issuer->len); + + return(SECSuccess); + +loser: + return(SECFailure); +} + +static SECStatus +nsslowcert_KeyFromIssuerAndSNStatic(unsigned char *space, + int spaceLen, SECItem *issuer, SECItem *sn, SECItem *key) +{ + unsigned int len = sn->len + issuer->len; + + key->data = pkcs11_allocStaticData(len, space, spaceLen); if ( !key->data ) { goto loser; } @@ -430,10 +451,9 @@ nsslowcert_DecodeDERCertificate(SECItem *derSignedCert, char *nickname) cert ->trust = NULL; /* generate and save the database key for the cert */ - cert->certKey.data = cert->certKeySpace; - cert->certKey.len = sizeof(cert->certKeySpace); - rv = nsslowcert_KeyFromIssuerAndSN(NULL, &cert->derIssuer, - &cert->serialNumber, &cert->certKey); + rv = nsslowcert_KeyFromIssuerAndSNStatic(cert->certKeySpace, + sizeof(cert->certKeySpace), &cert->derIssuer, + &cert->serialNumber, &cert->certKey); if ( rv ) { goto loser; } diff --git a/security/nss/lib/softoken/pcert.h b/security/nss/lib/softoken/pcert.h index 15b268433bf..a808373d8e0 100644 --- a/security/nss/lib/softoken/pcert.h +++ b/security/nss/lib/softoken/pcert.h @@ -236,6 +236,9 @@ pkcs11_copyNickname(char *nickname, char *space, int spaceLen); void pkcs11_freeStaticData(unsigned char *data, unsigned char *space); +unsigned char * +pkcs11_allocStaticData(int datalen, unsigned char *space, int spaceLen); + unsigned char * pkcs11_copyStaticData(unsigned char *data, int datalen, unsigned char *space, int spaceLen); diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c index b034801eba4..6236a2b5e3c 100644 --- a/security/nss/lib/softoken/pkcs11.c +++ b/security/nss/lib/softoken/pkcs11.c @@ -2346,7 +2346,7 @@ static PLHashTable *nscSlotHashTable[2] = {NULL, NULL}; static int sftk_GetModuleIndex(CK_SLOT_ID slotID) { - if ((slotID == FIPS_SLOT_ID) || (slotID > 100)) { + if ((slotID == FIPS_SLOT_ID) || (slotID >= MIN_FIPS_USER_SLOT_ID)) { return NSC_FIPS_MODULE; } return NSC_NON_FIPS_MODULE; @@ -2357,9 +2357,13 @@ sftk_GetModuleIndex(CK_SLOT_ID slotID) SFTKSlot * sftk_SlotFromID(CK_SLOT_ID slotID) { + SFTKSlot *slot; int index = sftk_GetModuleIndex(slotID); - return (SFTKSlot *)PL_HashTableLookupConst(nscSlotHashTable[index], + slot = (SFTKSlot *)PL_HashTableLookupConst(nscSlotHashTable[index], (void *)slotID); + /* cleared slots shouldn't 'show up' */ + if (slot && slot->slotID == 0) slot = NULL; + return slot; } SFTKSlot * @@ -2462,21 +2466,30 @@ sftk_DBVerify(SFTKSlot *slot) return; } -/* forward static declaration. */ -static CK_RV sftk_DestroySlotData(SFTKSlot *slot); - /* * initialize one of the slot structures. figure out which by the ID */ CK_RV -SFTK_SlotInit(char *configdir,sftk_token_parameters *params, int moduleIndex) +SFTK_SlotInit(SFTKSlot *slot, + char *configdir,sftk_token_parameters *params, int moduleIndex) { unsigned int i; CK_SLOT_ID slotID = params->slotID; - SFTKSlot *slot = PORT_ZNew(SFTKSlot); PRBool needLogin = !params->noKeyDB; + PRBool reinit = PR_TRUE; CK_RV crv; + /* if slot as been supplied, we are reinitializing and existing slot. + * this means that we preserve some fields and don't try to register + * the slot again. To applications it looks like a token removal and + * insertion event . If we don't supply a slot (the normal case), we + * are creating a new slot, and thus need to fully initialize everything + * as well as registering the slot. */ + if (slot == NULL) { + slot = PORT_ZNew(SFTKSlot); + reinit = PR_FALSE; + } + if (slot == NULL) { return CKR_HOST_MEMORY; } @@ -2520,11 +2533,17 @@ SFTK_SlotInit(char *configdir,sftk_token_parameters *params, int moduleIndex) slot->password = NULL; slot->hasTokens = PR_FALSE; - slot->sessionIDCount = 0; + /* if we are reinitalizing, don't clear the sessionIDCount + * and tokenIDCount. We don't want the application to think that old + * sessions and tokens from the previous instance are still valid. + */ + if (!reinit) { + slot->sessionIDCount = 0; + slot->tokenIDCount = 1; + } slot->sessionIDConflict = 0; slot->sessionCount = 0; slot->rwSessionCount = 0; - slot->tokenIDCount = 1; slot->needLogin = PR_FALSE; slot->isLoggedIn = PR_FALSE; slot->ssoLoggedIn = PR_FALSE; @@ -2565,16 +2584,20 @@ SFTK_SlotInit(char *configdir,sftk_token_parameters *params, int moduleIndex) slot->minimumPinLen = 1; } } - crv = sftk_RegisterSlot(slot, moduleIndex); - if (crv != CKR_OK) { - goto loser; + if (!reinit) { + crv = sftk_RegisterSlot(slot, moduleIndex); + if (crv != CKR_OK) { + goto loser; + } } return CKR_OK; mem_loser: crv = CKR_HOST_MEMORY; loser: - sftk_DestroySlotData(slot); + /* if we are reinitting the slot, don't free it, it's still on the slot + * list. */ + SFTK_DestroySlotData(slot, !reinit); return crv; } @@ -2590,8 +2613,8 @@ sftk_freeHashItem(PLHashEntry* entry, PRIntn index, void *arg) /* * initialize one of the slot structures. figure out which by the ID */ -static CK_RV -sftk_DestroySlotData(SFTKSlot *slot) +CK_RV +SFTK_DestroySlotData(SFTKSlot *slot, PRBool freeit) { unsigned int i; @@ -2645,7 +2668,17 @@ sftk_DestroySlotData(SFTKSlot *slot) slot->sessHashSize = 0; sftk_DBShutdown(slot->certDB,slot->keyDB); - PORT_Free(slot); + if (freeit) { + PORT_Free(slot); + } else { + /* paranoia, init should reinitialize everything. Note: we need to + * preserve the sessionID and tokenID counts */ + unsigned long sessionIDCount = slot->sessionIDCount; + unsigned long tokenIDCount = slot->tokenIDCount; + PORT_Memset(slot,0,sizeof(*slot)); + slot->sessionIDCount = sessionIDCount; + slot->tokenIDCount = tokenIDCount; + } return CKR_OK; } @@ -2717,7 +2750,7 @@ static void nscFreeAllSlots(int moduleIndex) PL_HashTableLookup(tmpSlotHashTable, (void *)slotID); PORT_Assert(slot); if (!slot) continue; - sftk_DestroySlotData(slot); + SFTK_DestroySlotData(slot, PR_TRUE); PL_HashTableRemove(tmpSlotHashTable, (void *)slotID); } PORT_Free(tmpSlotList); @@ -2827,8 +2860,8 @@ CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS) } for (i=0; i < paramStrings.token_count; i++) { - crv = - SFTK_SlotInit(paramStrings.configdir, ¶mStrings.tokens[i], + crv = SFTK_SlotInit(NULL, paramStrings.configdir, + ¶mStrings.tokens[i], moduleIndex); if (crv != CKR_OK) { nscFreeAllSlots(moduleIndex); @@ -2927,7 +2960,7 @@ CK_RV NSC_GetInfo(CK_INFO_PTR pInfo) c = __nss_softokn_rcsid[0] + __nss_softokn_sccsid[0]; pInfo->cryptokiVersion.major = 2; - pInfo->cryptokiVersion.minor = 11; + pInfo->cryptokiVersion.minor = 20; PORT_Memcpy(pInfo->manufacturerID,manufacturerID,32); pInfo->libraryVersion.major = NSS_VMAJOR; pInfo->libraryVersion.minor = NSS_VMINOR; @@ -2969,6 +3002,10 @@ CK_RV NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) PORT_Memcpy(pInfo->manufacturerID,manufacturerID,32); PORT_Memcpy(pInfo->slotDescription,slot->slotDescription,64); pInfo->flags = CKF_TOKEN_PRESENT; + /* all user defined slots are defined as removable */ + if (slotID > MIN_USER_SLOT_ID) { + pInfo->flags |= CKF_REMOVABLE_DEVICE; + } /* ok we really should read it out of the keydb file. */ /* pInfo->hardwareVersion.major = NSSLOWKEY_DB_FILE_VERSION; */ pInfo->hardwareVersion.major = NSS_VMAJOR; @@ -3661,6 +3698,81 @@ CK_RV NSC_Logout(CK_SESSION_HANDLE hSession) return CKR_OK; } +/* + * Create a new slot on the fly. The slot that is passed in is the + * slot the request came from. Only the crypto or FIPS slots can + * be used. The resulting slot will live in the same module as + * the slot the request was passed to. object is the creation object + * that specifies the module spec for the new slot. + */ +static CK_RV sftk_CreateNewSlot(SFTKSlot *slot, SFTKObject *object) +{ + CK_SLOT_ID idMin, idMax; + PRBool isFIPS = PR_FALSE; + unsigned long moduleIndex; + SFTKAttribute *attribute; + sftk_parameters paramStrings; + char *paramString; + CK_RV crv = CKR_OK; + int i; + + /* only the crypto or FIPS slots can create new slot objects */ + if (slot->slotID == NETSCAPE_SLOT_ID) { + idMin = MIN_USER_SLOT_ID; + idMax = MAX_USER_SLOT_ID; + moduleIndex = NSC_NON_FIPS_MODULE; + isFIPS = PR_FALSE; + } else if (slot->slotID == FIPS_SLOT_ID) { + idMin = MIN_FIPS_USER_SLOT_ID; + idMax = MAX_FIPS_USER_SLOT_ID; + moduleIndex = NSC_FIPS_MODULE; + isFIPS = PR_TRUE; + } else { + return CKR_ATTRIBUTE_VALUE_INVALID; + } + attribute = sftk_FindAttribute(object,CKA_NETSCAPE_MODULE_SPEC); + if (attribute == NULL) { + return CKR_TEMPLATE_INCOMPLETE; + } + paramString = (unsigned char *)attribute->attrib.pValue; + crv = secmod_parseParameters(paramString, ¶mStrings, isFIPS); + if (crv != CKR_OK) { + goto loser; + } + + /* The API allows initialization of several tokens at once, + * but there is no way to back out reinitialization should one + * of these functions fail. In general it's probably best to + * only initialize one slot at a time here */ + for (i=0; i < paramStrings.token_count; i++) { + CK_SLOT_ID slotID = paramStrings.tokens[i].slotID; + SFTKSlot *newSlot; + + if ((slotID < idMin) || (slotID > idMax)) { + crv = CKR_ATTRIBUTE_VALUE_INVALID; + goto loser; + } + + newSlot = sftk_SlotFromID(slotID); + if (newSlot) { + crv = SFTK_DestroySlotData(newSlot, PR_FALSE); + if (crv != CKR_OK) { + goto loser; + } + } + crv = SFTK_SlotInit(newSlot, paramStrings.configdir, + ¶mStrings.tokens[i], moduleIndex); + if (crv != CKR_OK) { + goto loser; + } + } +loser: + secmod_freeParams(¶mStrings); + sftk_FreeAttribute(attribute); + + return crv; +} + /* NSC_CreateObject creates a new object. */ CK_RV NSC_CreateObject(CK_SESSION_HANDLE hSession, @@ -3670,6 +3782,7 @@ CK_RV NSC_CreateObject(CK_SESSION_HANDLE hSession, SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession); SFTKSession *session; SFTKObject *object; + CK_OBJECT_CLASS class; CK_RV crv; int i; @@ -3691,6 +3804,9 @@ CK_RV NSC_CreateObject(CK_SESSION_HANDLE hSession, sftk_FreeObject(object); return crv; } + if ((pTemplate[i].type == CKA_CLASS) && pTemplate[i].pValue) { + class = *(CK_OBJECT_CLASS *)pTemplate[i].pValue; + } } /* get the session */ @@ -3700,11 +3816,20 @@ CK_RV NSC_CreateObject(CK_SESSION_HANDLE hSession, return CKR_SESSION_HANDLE_INVALID; } + /* + * handle pseudo objects (CKO_NEWSLOT) + */ + if (class == CKO_NETSCAPE_NEWSLOT) { + crv = sftk_CreateNewSlot(slot, object); + goto done; + } + /* * handle the base object stuff */ crv = sftk_handleObject(object,session); *phObject = object->handle; +done: sftk_FreeSession(session); sftk_FreeObject(object); @@ -3712,6 +3837,7 @@ CK_RV NSC_CreateObject(CK_SESSION_HANDLE hSession, } + /* NSC_CopyObject copies an object, creating a new object for the copy. */ CK_RV NSC_CopyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, diff --git a/security/nss/lib/softoken/pkcs11f.h b/security/nss/lib/softoken/pkcs11f.h index 4ade31aac36..541032b1f87 100644 --- a/security/nss/lib/softoken/pkcs11f.h +++ b/security/nss/lib/softoken/pkcs11f.h @@ -14,7 +14,7 @@ * The Original Code is the Netscape security libraries. * * The Initial Developer of the Original Code is - * Netscape Communications Corporation. + * RSA Security INC. * Portions created by the Initial Developer are Copyright (C) 1994-2000 * the Initial Developer. All Rights Reserved. * @@ -152,10 +152,10 @@ CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo) /* C_InitToken initializes a token. */ CK_PKCS11_FUNCTION_INFO(C_InitToken) #ifdef CK_NEED_ARG_LIST -( /* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */ +( CK_SLOT_ID slotID, /* ID of the token's slot */ - CK_CHAR_PTR pPin, /* the SO's initial PIN */ + CK_UTF8CHAR_PTR pPin, /* the SO's initial PIN */ CK_ULONG ulPinLen, /* length in bytes of the PIN */ CK_UTF8CHAR_PTR pLabel /* 32-byte token label (blank padded) */ ); @@ -167,7 +167,7 @@ CK_PKCS11_FUNCTION_INFO(C_InitPIN) #ifdef CK_NEED_ARG_LIST ( CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_CHAR_PTR pPin, /* the normal user's PIN */ + CK_UTF8CHAR_PTR pPin, /* the normal user's PIN */ CK_ULONG ulPinLen /* length in bytes of the PIN */ ); #endif @@ -178,9 +178,9 @@ CK_PKCS11_FUNCTION_INFO(C_SetPIN) #ifdef CK_NEED_ARG_LIST ( CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_CHAR_PTR pOldPin, /* the old PIN */ + CK_UTF8CHAR_PTR pOldPin, /* the old PIN */ CK_ULONG ulOldLen, /* length of the old PIN */ - CK_CHAR_PTR pNewPin, /* the new PIN */ + CK_UTF8CHAR_PTR pNewPin, /* the new PIN */ CK_ULONG ulNewLen /* length of the new PIN */ ); #endif diff --git a/security/nss/lib/softoken/pkcs11i.h b/security/nss/lib/softoken/pkcs11i.h index de7f0f80c11..9a48b80818a 100644 --- a/security/nss/lib/softoken/pkcs11i.h +++ b/security/nss/lib/softoken/pkcs11i.h @@ -411,6 +411,10 @@ struct SFTKSSLMACInfoStr { #define NETSCAPE_SLOT_ID 1 #define PRIVATE_KEY_SLOT_ID 2 #define FIPS_SLOT_ID 3 +#define MIN_USER_SLOT_ID 4 +#define MAX_USER_SLOT_ID 100 +#define MIN_FIPS_USER_SLOT_ID 101 +#define MAX_FIPS_USER_SLOT_ID 127 /* slot helper macros */ #define sftk_SlotFromSession(sp) ((sp)->slot) @@ -539,8 +543,10 @@ extern CK_RV nsc_CommonFinalize(CK_VOID_PTR pReserved, PRBool isFIPS); extern CK_RV nsc_CommonGetSlotList(CK_BBOOL tokPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount, int moduleIndex); /* shared functions between PKCS11.c and SFTKFIPS.c */ -extern CK_RV SFTK_SlotInit(char *configdir,sftk_token_parameters *params, - int moduleIndex); +extern CK_RV SFTK_SlotInit(SFTKSlot *slot, char *configdir, + sftk_token_parameters *params, int moduleIndex); +extern CK_RV SFTK_DestroySlotData(SFTKSlot *slot, PRBool freeit); + /* internal utility functions used by pkcs11.c */ extern SFTKAttribute *sftk_FindAttribute(SFTKObject *object, diff --git a/security/nss/lib/softoken/pkcs11n.h b/security/nss/lib/softoken/pkcs11n.h index 2cf9c7c5a39..186daaecd7c 100644 --- a/security/nss/lib/softoken/pkcs11n.h +++ b/security/nss/lib/softoken/pkcs11n.h @@ -39,7 +39,7 @@ #define _PKCS11N_H_ #ifdef DEBUG -static const char CKT_CVS_ID[] = "@(#) $RCSfile: pkcs11n.h,v $ $Revision: 1.12 $ $Date: 2005-01-20 02:25:50 $"; +static const char CKT_CVS_ID[] = "@(#) $RCSfile: pkcs11n.h,v $ $Revision: 1.13 $ $Date: 2005-08-01 18:23:56 $"; #endif /* DEBUG */ /* @@ -73,6 +73,7 @@ static const char CKT_CVS_ID[] = "@(#) $RCSfile: pkcs11n.h,v $ $Revision: 1.12 $ #define CKO_NETSCAPE_SMIME (CKO_NETSCAPE + 2) #define CKO_NETSCAPE_TRUST (CKO_NETSCAPE + 3) #define CKO_NETSCAPE_BUILTIN_ROOT_LIST (CKO_NETSCAPE + 4) +#define CKO_NETSCAPE_NEWSLOT (CKO_NETSCAPE + 5) /* * Netscape-defined key types @@ -106,6 +107,7 @@ static const char CKT_CVS_ID[] = "@(#) $RCSfile: pkcs11n.h,v $ $Revision: 1.12 $ #define CKA_NETSCAPE_PQG_SEED (CKA_NETSCAPE + 21) #define CKA_NETSCAPE_PQG_H (CKA_NETSCAPE + 22) #define CKA_NETSCAPE_PQG_SEED_BITS (CKA_NETSCAPE + 23) +#define CKA_NETSCAPE_MODULE_SPEC (CKA_NETSCAPE + 24) /* * Trust attributes: diff --git a/security/nss/lib/softoken/pkcs11t.h b/security/nss/lib/softoken/pkcs11t.h index f3761f6b5a5..fd75ff16f96 100644 --- a/security/nss/lib/softoken/pkcs11t.h +++ b/security/nss/lib/softoken/pkcs11t.h @@ -14,7 +14,7 @@ * The Original Code is the Netscape security libraries. * * The Initial Developer of the Original Code is - * Netscape Communications Corporation. + * RSA Security, Inc. * Portions created by the Initial Developer are Copyright (C) 1994-2000 * the Initial Developer. All Rights Reserved. * @@ -34,27 +34,27 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* - * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document - * is granted provided that it is identified as "RSA Security In.c Public-Key - * Cryptography Standards (PKCS)" in all material mentioning or referencing - * this document. - */ -/* See top of pkcs11.h for information about the macros that - * must be defined and the structure-packing conventions that - * must be set before including this file. +/* License to copy and use this software is granted provided that it is + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface + * (Cryptoki)" in all material mentioning or referencing this software. + + * License is also granted to make and use derivative works provided that + * such works are identified as "derived from the RSA Security Inc. PKCS #11 + * Cryptographic Token Interface (Cryptoki)" in all material mentioning or + * referencing the derived work. + + * RSA Security Inc. makes no representations concerning either the + * merchantability of this software or the suitability of this software for + * any particular purpose. It is provided "as is" without express or implied + * warranty of any kind. */ + #ifndef _PKCS11T_H_ #define _PKCS11T_H_ 1 -#ifndef CK_FALSE -#define CK_FALSE 0 -#endif - -#ifndef CK_TRUE -#define CK_TRUE (!CK_FALSE) -#endif +#define CK_TRUE 1 +#define CK_FALSE 0 #include "prtypes.h" @@ -64,7 +64,7 @@ #define CK_DECLARE_FUNCTION(rv,func) PR_EXTERN(rv) func #define CK_DECLARE_FUNCTION_POINTER(rv,func) rv (PR_CALLBACK * func) -#define CK_INVALID_SESSION 0 +#define CK_INVALID_SESSION 0 /* an unsigned 8-bit value */ typedef unsigned char CK_BYTE; @@ -72,7 +72,7 @@ typedef unsigned char CK_BYTE; /* an unsigned 8-bit character */ typedef CK_BYTE CK_CHAR; -/* an unsigned 8-bit character */ +/* an 8-bit UTF-8 character */ typedef CK_BYTE CK_UTF8CHAR; /* a BYTE-sized Boolean flag */ @@ -121,8 +121,8 @@ typedef CK_VERSION CK_PTR CK_VERSION_PTR; typedef struct CK_INFO { - /* manufacturerID and libraryDecription have been changed from - * CK_CHAR to CK_UTF8CHAR for v2.10 */ + /* manufacturerID and libraryDecription have been changed from + * CK_CHAR to CK_UTF8CHAR for v2.10 */ CK_VERSION cryptokiVersion; /* PKCS #11 interface ver */ CK_UTF8CHAR manufacturerID[32]; /* blank padded */ CK_FLAGS flags; /* must be zero */ @@ -150,8 +150,8 @@ typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR; /* CK_SLOT_INFO provides information about a slot */ typedef struct CK_SLOT_INFO { - /* slotDescription and manufacturerID have been changed from - * CK_CHAR to CK_UTF8CHAR for v2.10 */ + /* slotDescription and manufacturerID have been changed from + * CK_CHAR to CK_UTF8CHAR for v2.10 */ CK_UTF8CHAR slotDescription[64]; /* blank padded */ CK_UTF8CHAR manufacturerID[32]; /* blank padded */ CK_FLAGS flags; @@ -173,8 +173,8 @@ typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR; /* CK_TOKEN_INFO provides information about a token */ typedef struct CK_TOKEN_INFO { - /* label, manufacturerID, and model have been changed from - * CK_CHAR to CK_UTF8CHAR for v2.10 */ + /* label, manufacturerID, and model have been changed from + * CK_CHAR to CK_UTF8CHAR for v2.10 */ CK_UTF8CHAR label[32]; /* blank padded */ CK_UTF8CHAR manufacturerID[32]; /* blank padded */ CK_UTF8CHAR model[16]; /* blank padded */ @@ -203,7 +203,7 @@ typedef struct CK_TOKEN_INFO { } CK_TOKEN_INFO; /* The flags parameter is defined as follows: - * Bit Flag Mask Meaning + * Bit Flag Mask Meaning */ #define CKF_RNG 0x00000001 /* has random # * generator */ @@ -239,20 +239,20 @@ typedef struct CK_TOKEN_INFO { #define CKF_DUAL_CRYPTO_OPERATIONS 0x00000200 /* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the - * token has been initialized using C_InitializeToken or an + * token has been initialized using C_InitializeToken or an * equivalent mechanism outside the scope of PKCS #11. - * Calling C_InitializeToken when this flag is set will cause + * Calling C_InitializeToken when this flag is set will cause * the token to be reinitialized. */ #define CKF_TOKEN_INITIALIZED 0x00000400 -/* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is - * true, the token supports secondary authentication for - * private key objects. */ -/* DEPRICATED in v2.11 */ +/* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is + * true, the token supports secondary authentication for + * private key objects. This flag is deprecated in v2.11 and + onwards. */ #define CKF_SECONDARY_AUTHENTICATION 0x00000800 -/* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an - * incorrect user login PIN has been entered at least once +/* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an + * incorrect user login PIN has been entered at least once * since the last successful authentication. */ #define CKF_USER_PIN_COUNT_LOW 0x00010000 @@ -260,18 +260,19 @@ typedef struct CK_TOKEN_INFO { * supplying an incorrect user PIN will it to become locked. */ #define CKF_USER_PIN_FINAL_TRY 0x00020000 -/* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the - * user PIN has been locked. User login to the token is not +/* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the + * user PIN has been locked. User login to the token is not * possible. */ #define CKF_USER_PIN_LOCKED 0x00040000 -/* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true, - * the user PIN value is the default value set by token - * initialization or manufacturing. */ +/* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true, + * the user PIN value is the default value set by token + * initialization or manufacturing, or the PIN has been + * expired by the card. */ #define CKF_USER_PIN_TO_BE_CHANGED 0x00080000 -/* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an - * incorrect SO login PIN has been entered at least once since +/* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an + * incorrect SO login PIN has been entered at least once since * the last successful authentication. */ #define CKF_SO_PIN_COUNT_LOW 0x00100000 @@ -279,14 +280,15 @@ typedef struct CK_TOKEN_INFO { * supplying an incorrect SO PIN will it to become locked. */ #define CKF_SO_PIN_FINAL_TRY 0x00200000 -/* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO +/* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO * PIN has been locked. SO login to the token is not possible. */ #define CKF_SO_PIN_LOCKED 0x00400000 -/* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true, - * the SO PIN value is the default value set by token - * initialization or manufacturing. */ +/* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true, + * the SO PIN value is the default value set by token + * initialization or manufacturing, or the PIN has been + * expired by the card. */ #define CKF_SO_PIN_TO_BE_CHANGED 0x00800000 typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR; @@ -296,7 +298,7 @@ typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR; * identifies a session */ typedef CK_ULONG CK_SESSION_HANDLE; -typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR; +typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR; /* CK_USER_TYPE enumerates the types of PKCS #11 users */ @@ -307,7 +309,8 @@ typedef CK_ULONG CK_USER_TYPE; #define CKU_SO 0 /* Normal user */ #define CKU_USER 1 - +/* Context specific (added in v2.20) */ +#define CKU_CONTEXT_SPECIFIC 2 /* CK_STATE enumerates the session states */ /* CK_STATE has been changed from an enum to a CK_ULONG for @@ -357,6 +360,7 @@ typedef CK_ULONG CK_OBJECT_CLASS; /* The following classes of objects are defined: */ /* CKO_HW_FEATURE is new for v2.10 */ /* CKO_DOMAIN_PARAMETERS is new for v2.11 */ +/* CKO_MECHANISM is new for v2.20 */ #define CKO_DATA 0x00000000 #define CKO_CERTIFICATE 0x00000001 #define CKO_PUBLIC_KEY 0x00000002 @@ -365,6 +369,7 @@ typedef CK_ULONG CK_OBJECT_CLASS; #define CKO_HW_FEATURE 0x00000005 #define CKO_DOMAIN_PARAMETERS 0x00000006 #define CKO_KG_PARAMETERS 0x00000006 +#define CKO_MECHANISM 0x00000007 #define CKO_VENDOR_DEFINED 0x80000000 typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR; @@ -373,10 +378,12 @@ typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR; * value that identifies the hardware feature type of an object * with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */ typedef CK_ULONG CK_HW_FEATURE_TYPE; - + /* The following hardware feature types are defined */ +/* CKH_USER_INTERFACE is new for v2.20 */ #define CKH_MONOTONIC_COUNTER 0x00000001 #define CKH_CLOCK 0x00000002 +#define CKH_USER_INTERFACE 0x00000003 #define CKH_VENDOR_DEFINED 0x80000000 /* CK_KEY_TYPE is a value that identifies a key type */ @@ -389,10 +396,10 @@ typedef CK_ULONG CK_KEY_TYPE; #define CKK_DH 0x00000002 /* CKK_ECDSA and CKK_KEA are new for v2.0 */ -/* CKK_X9_42_DH is new for v2.11 */ -#define CKK_ECDSA 0x00000003 /* deprecated in v2.11 */ +/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */ +#define CKK_ECDSA 0x00000003 #define CKK_EC 0x00000003 -#define CKK_X9_42_DH 0x00000004 +#define CKK_X9_42_DH 0x00000004 #define CKK_KEA 0x00000005 #define CKK_GENERIC_SECRET 0x00000010 @@ -405,7 +412,8 @@ typedef CK_ULONG CK_KEY_TYPE; /* all these key types are new for v2.0 */ #define CKK_CAST 0x00000016 #define CKK_CAST3 0x00000017 -#define CKK_CAST5 0x00000018 /* deprecated in v2.11 */ +/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */ +#define CKK_CAST5 0x00000018 #define CKK_CAST128 0x00000018 #define CKK_RC5 0x00000019 #define CKK_IDEA 0x0000001A @@ -413,10 +421,12 @@ typedef CK_ULONG CK_KEY_TYPE; #define CKK_BATON 0x0000001C #define CKK_JUNIPER 0x0000001D #define CKK_CDMF 0x0000001E - -/* all these key types are new for v2.11 */ #define CKK_AES 0x0000001F +/* BlowFish and TwoFish are new for v2.20 */ +#define CKK_BLOWFISH 0x00000020 +#define CKK_TWOFISH 0x00000021 + #define CKK_VENDOR_DEFINED 0x80000000 #define CKK_INVALID_KEY_TYPE 0xffffffff @@ -429,8 +439,10 @@ typedef CK_ULONG CK_CERTIFICATE_TYPE; /* The following certificate types are defined: */ /* CKC_X_509_ATTR_CERT is new for v2.10 */ +/* CKC_WTLS is new for v2.20 */ #define CKC_X_509 0x00000000 #define CKC_X_509_ATTR_CERT 0x00000001 +#define CKC_WTLS 0x00000002 #define CKC_VENDOR_DEFINED 0x80000000 @@ -440,6 +452,10 @@ typedef CK_ULONG CK_CERTIFICATE_TYPE; * v2.0 */ typedef CK_ULONG CK_ATTRIBUTE_TYPE; +/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which + consists of an array of values. */ +#define CKF_ARRAY_ATTRIBUTE 0x40000000 + /* The following attribute types are defined: */ #define CKA_CLASS 0x00000000 #define CKA_TOKEN 0x00000001 @@ -455,14 +471,24 @@ typedef CK_ULONG CK_ATTRIBUTE_TYPE; #define CKA_ISSUER 0x00000081 #define CKA_SERIAL_NUMBER 0x00000082 -/* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new +/* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new * for v2.10 */ #define CKA_AC_ISSUER 0x00000083 #define CKA_OWNER 0x00000084 #define CKA_ATTR_TYPES 0x00000085 + /* CKA_TRUSTED is new for v2.11 */ #define CKA_TRUSTED 0x00000086 +/* CKA_CERTIFICATE_CATEGORY ... + * CKA_CHECK_VALUE are new for v2.20 */ +#define CKA_CERTIFICATE_CATEGORY 0x00000087 +#define CKA_JAVA_MIDP_SECURITY_DOMAIN 0x00000088 +#define CKA_URL 0x00000089 +#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY 0x0000008A +#define CKA_HASH_OF_ISSUER_PUBLIC_KEY 0x0000008B +#define CKA_CHECK_VALUE 0x00000090 + #define CKA_KEY_TYPE 0x00000100 #define CKA_SUBJECT 0x00000101 #define CKA_ID 0x00000102 @@ -490,9 +516,13 @@ typedef CK_ULONG CK_ATTRIBUTE_TYPE; #define CKA_PRIME 0x00000130 #define CKA_SUBPRIME 0x00000131 #define CKA_BASE 0x00000132 + /* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */ #define CKA_PRIME_BITS 0x00000133 -#define CKA_SUB_PRIME_BITS 0x00000134 +#define CKA_SUBPRIME_BITS 0x00000134 +#define CKA_SUB_PRIME_BITS CKA_SUBPRIME_BITS +/* (To retain backwards-compatibility) */ + #define CKA_VALUE_BITS 0x00000160 #define CKA_VALUE_LEN 0x00000161 @@ -503,22 +533,55 @@ typedef CK_ULONG CK_ATTRIBUTE_TYPE; #define CKA_LOCAL 0x00000163 #define CKA_NEVER_EXTRACTABLE 0x00000164 #define CKA_ALWAYS_SENSITIVE 0x00000165 + /* CKA_KEY_GEN_MECHANISM is new for v2.11 */ #define CKA_KEY_GEN_MECHANISM 0x00000166 + #define CKA_MODIFIABLE 0x00000170 -#define CKA_ECDSA_PARAMS 0x00000180 /* depricated v2.11 */ + +/* CKA_ECDSA_PARAMS is deprecated in v2.11, + * CKA_EC_PARAMS is preferred. */ +#define CKA_ECDSA_PARAMS 0x00000180 #define CKA_EC_PARAMS 0x00000180 + #define CKA_EC_POINT 0x00000181 -/* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS, - * CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET +/* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS, + * are new for v2.10. Deprecated in v2.11 and onwards. */ +#define CKA_SECONDARY_AUTH 0x00000200 +#define CKA_AUTH_PIN_FLAGS 0x00000201 + +/* CKA_ALWAYS_AUTHENTICATE ... + * CKA_UNWRAP_TEMPLATE are new for v2.20 */ +#define CKA_ALWAYS_AUTHENTICATE 0x00000202 + +#define CKA_WRAP_WITH_TRUSTED 0x00000210 +#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000211) +#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000212) + +/* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET * are new for v2.10 */ -#define CKA_SECONDARY_AUTH 0x00000200 /* depricated v2.11 */ -#define CKA_AUTH_PIN_FLAGS 0x00000201 /* depricated v2.11 */ #define CKA_HW_FEATURE_TYPE 0x00000300 #define CKA_RESET_ON_INIT 0x00000301 #define CKA_HAS_RESET 0x00000302 +/* The following attributes are new for v2.20 */ +#define CKA_PIXEL_X 0x00000400 +#define CKA_PIXEL_Y 0x00000401 +#define CKA_RESOLUTION 0x00000402 +#define CKA_CHAR_ROWS 0x00000403 +#define CKA_CHAR_COLUMNS 0x00000404 +#define CKA_COLOR 0x00000405 +#define CKA_BITS_PER_PIXEL 0x00000406 +#define CKA_CHAR_SETS 0x00000480 +#define CKA_ENCODING_METHODS 0x00000481 +#define CKA_MIME_TYPES 0x00000482 +#define CKA_MECHANISM_TYPE 0x00000500 +#define CKA_REQUIRED_CMS_ATTRIBUTES 0x00000501 +#define CKA_DEFAULT_CMS_ATTRIBUTES 0x00000502 +#define CKA_SUPPORTED_CMS_ATTRIBUTES 0x00000503 +#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE|0x00000600) + #define CKA_VENDOR_DEFINED 0x80000000 @@ -561,17 +624,19 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_MD5_RSA_PKCS 0x00000005 #define CKM_SHA1_RSA_PKCS 0x00000006 -/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS & CKM_RSA_OAEP - * are new for 2.10 */ +/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and + * CKM_RSA_PKCS_OAEP are new for v2.10 */ #define CKM_RIPEMD128_RSA_PKCS 0x00000007 #define CKM_RIPEMD160_RSA_PKCS 0x00000008 #define CKM_RSA_PKCS_OAEP 0x00000009 -/* CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31 & CKM_RSA_X9_31_KEY_PAIR_GEN - * are new for 2.11 */ +/* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31, + * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */ #define CKM_RSA_X9_31_KEY_PAIR_GEN 0x0000000A #define CKM_RSA_X9_31 0x0000000B #define CKM_SHA1_RSA_X9_31 0x0000000C +#define CKM_RSA_PKCS_PSS 0x0000000D +#define CKM_SHA1_RSA_PKCS_PSS 0x0000000E #define CKM_DSA_KEY_PAIR_GEN 0x00000010 #define CKM_DSA 0x00000011 @@ -579,17 +644,21 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_DH_PKCS_KEY_PAIR_GEN 0x00000020 #define CKM_DH_PKCS_DERIVE 0x00000021 -/* CKM_X9_42_DH_PKCS_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE, - * CKM_X9_42_DH_HYBRID_DERIVE, & CKM_X9_42_MQV_DERIVE - * are new for v2.11 */ -#define CKM_X9_42_DH_PKCS_KEY_PAIR_GEN 0x00000030 +/* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE, + * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for + * v2.11 */ +#define CKM_X9_42_DH_KEY_PAIR_GEN 0x00000030 #define CKM_X9_42_DH_DERIVE 0x00000031 #define CKM_X9_42_DH_HYBRID_DERIVE 0x00000032 #define CKM_X9_42_MQV_DERIVE 0x00000033 -#define CKM_SHA256_RSA_PKCS 0x00000040 /* v2.20 */ -#define CKM_SHA384_RSA_PKCS 0x00000041 /* v2.20 */ -#define CKM_SHA512_RSA_PKCS 0x00000042 /* v2.20 */ +/* CKM_SHA256/384/512 are new for v2.20 */ +#define CKM_SHA256_RSA_PKCS 0x00000040 +#define CKM_SHA384_RSA_PKCS 0x00000041 +#define CKM_SHA512_RSA_PKCS 0x00000042 +#define CKM_SHA256_RSA_PKCS_PSS 0x00000043 +#define CKM_SHA384_RSA_PKCS_PSS 0x00000044 +#define CKM_SHA512_RSA_PKCS_PSS 0x00000045 #define CKM_RC2_KEY_GEN 0x00000100 #define CKM_RC2_ECB 0x00000101 @@ -629,6 +698,12 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_CDMF_MAC_GENERAL 0x00000144 #define CKM_CDMF_CBC_PAD 0x00000145 +/* the following four DES mechanisms are new for v2.20 */ +#define CKM_DES_OFB64 0x00000150 +#define CKM_DES_OFB8 0x00000151 +#define CKM_DES_CFB64 0x00000152 +#define CKM_DES_CFB8 0x00000153 + #define CKM_MD2 0x00000200 /* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */ @@ -647,7 +722,7 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_SHA_1_HMAC 0x00000221 #define CKM_SHA_1_HMAC_GENERAL 0x00000222 -/* CKM_RIPEMD128, CKM_RIPEMD128_HMAC, +/* CKM_RIPEMD128, CKM_RIPEMD128_HMAC, * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC, * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */ #define CKM_RIPEMD128 0x00000230 @@ -657,17 +732,16 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_RIPEMD160_HMAC 0x00000241 #define CKM_RIPEMD160_HMAC_GENERAL 0x00000242 -#define CKM_SHA256 0x00000250 /* v2.20 */ -#define CKM_SHA256_HMAC 0x00000251 /* v2.20 */ -#define CKM_SHA256_HMAC_GENERAL 0x00000252 /* v2.20 */ - -#define CKM_SHA384 0x00000260 /* v2.20 */ -#define CKM_SHA384_HMAC 0x00000261 /* v2.20 */ -#define CKM_SHA384_HMAC_GENERAL 0x00000262 /* v2.20 */ - -#define CKM_SHA512 0x00000270 /* v2.20 */ -#define CKM_SHA512_HMAC 0x00000271 /* v2.20 */ -#define CKM_SHA512_HMAC_GENERAL 0x00000272 /* v2.20 */ +/* CKM_SHA256/384/512 are new for v2.20 */ +#define CKM_SHA256 0x00000250 +#define CKM_SHA256_HMAC 0x00000251 +#define CKM_SHA256_HMAC_GENERAL 0x00000252 +#define CKM_SHA384 0x00000260 +#define CKM_SHA384_HMAC 0x00000261 +#define CKM_SHA384_HMAC_GENERAL 0x00000262 +#define CKM_SHA512 0x00000270 +#define CKM_SHA512_HMAC 0x00000271 +#define CKM_SHA512_HMAC_GENERAL 0x00000272 /* All of the following mechanisms are new for v2.0 */ /* Note that CAST128 and CAST5 are the same algorithm */ @@ -718,23 +792,27 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_SSL3_KEY_AND_MAC_DERIVE 0x00000372 /* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN, - * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, - * CKM_TLS_MASTER_KEY_DERIVE_DH, & CKM_SSL3_MASTER_KEY_DERIVE_DH - * are new for v2.11. */ + * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and + * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */ #define CKM_SSL3_MASTER_KEY_DERIVE_DH 0x00000373 #define CKM_TLS_PRE_MASTER_KEY_GEN 0x00000374 #define CKM_TLS_MASTER_KEY_DERIVE 0x00000375 #define CKM_TLS_KEY_AND_MAC_DERIVE 0x00000376 #define CKM_TLS_MASTER_KEY_DERIVE_DH 0x00000377 +/* CKM_TLS_PRF is new for v2.20 */ +#define CKM_TLS_PRF 0x00000378 + #define CKM_SSL3_MD5_MAC 0x00000380 #define CKM_SSL3_SHA1_MAC 0x00000381 #define CKM_MD5_KEY_DERIVATION 0x00000390 #define CKM_MD2_KEY_DERIVATION 0x00000391 #define CKM_SHA1_KEY_DERIVATION 0x00000392 -#define CKM_SHA256_KEY_DERIVATION 0x00000393 /* v2.20 */ -#define CKM_SHA384_KEY_DERIVATION 0x00000394 /* v2.20 */ -#define CKM_SHA512_KEY_DERIVATION 0x00000395 /* v2.20 */ + +/* CKM_SHA256/384/512 are new for v2.20 */ +#define CKM_SHA256_KEY_DERIVATION 0x00000393 +#define CKM_SHA384_KEY_DERIVATION 0x00000394 +#define CKM_SHA512_KEY_DERIVATION 0x00000395 #define CKM_PBE_MD2_DES_CBC 0x000003A0 #define CKM_PBE_MD5_DES_CBC 0x000003A1 @@ -755,9 +833,21 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_PKCS5_PBKD2 0x000003B0 #define CKM_PBA_SHA1_WITH_SHA1_HMAC 0x000003C0 + +/* WTLS mechanisms are new for v2.20 */ +#define CKM_WTLS_PRE_MASTER_KEY_GEN 0x000003D0 +#define CKM_WTLS_MASTER_KEY_DERIVE 0x000003D1 +#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC 0x000003D2 +#define CKM_WTLS_PRF 0x000003D3 +#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE 0x000003D4 +#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE 0x000003D5 + #define CKM_KEY_WRAP_LYNKS 0x00000400 #define CKM_KEY_WRAP_SET_OAEP 0x00000401 +/* CKM_CMS_SIG is new for v2.20 */ +#define CKM_CMS_SIG 0x00000500 + /* Fortezza mechanisms */ #define CKM_SKIPJACK_KEY_GEN 0x00001000 #define CKM_SKIPJACK_ECB64 0x00001001 @@ -780,12 +870,17 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_BATON_COUNTER 0x00001034 #define CKM_BATON_SHUFFLE 0x00001035 #define CKM_BATON_WRAP 0x00001036 -#define CKM_ECDSA_KEY_PAIR_GEN 0x00001040 /* depricated in v2.11 */ + +/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11, + * CKM_EC_KEY_PAIR_GEN is preferred */ +#define CKM_ECDSA_KEY_PAIR_GEN 0x00001040 #define CKM_EC_KEY_PAIR_GEN 0x00001040 + #define CKM_ECDSA 0x00001041 #define CKM_ECDSA_SHA1 0x00001042 -/* ECDH1 is new for 2.11 */ +/* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE + * are new for v2.11 */ #define CKM_ECDH1_DERIVE 0x00001050 #define CKM_ECDH1_COFACTOR_DERIVE 0x00001051 #define CKM_ECMQV_DERIVE 0x00001052 @@ -798,7 +893,10 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_JUNIPER_WRAP 0x00001065 #define CKM_FASTHASH 0x00001070 -/* AES is new for 2.11 */ +/* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC, + * CKM_AES_MAC_GENERAL, CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN, + * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are + * new for v2.11 */ #define CKM_AES_KEY_GEN 0x00001080 #define CKM_AES_ECB 0x00001081 #define CKM_AES_CBC 0x00001082 @@ -806,11 +904,24 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_AES_MAC_GENERAL 0x00001084 #define CKM_AES_CBC_PAD 0x00001085 -/* CKM_DSA_PARAMETER_GEN, CKM_DH_PKCS_PARAMETER_GEN, - * and CKM_DH_X9_42_PARAMETER_GEN are new for 2.11 */ +/* BlowFish and TwoFish are new for v2.20 */ +#define CKM_BLOWFISH_KEY_GEN 0x00001090 +#define CKM_BLOWFISH_CBC 0x00001091 +#define CKM_TWOFISH_KEY_GEN 0x00001092 +#define CKM_TWOFISH_CBC 0x00001093 + + +/* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */ +#define CKM_DES_ECB_ENCRYPT_DATA 0x00001100 +#define CKM_DES_CBC_ENCRYPT_DATA 0x00001101 +#define CKM_DES3_ECB_ENCRYPT_DATA 0x00001102 +#define CKM_DES3_CBC_ENCRYPT_DATA 0x00001103 +#define CKM_AES_ECB_ENCRYPT_DATA 0x00001104 +#define CKM_AES_CBC_ENCRYPT_DATA 0x00001105 + #define CKM_DSA_PARAMETER_GEN 0x00002000 #define CKM_DH_PKCS_PARAMETER_GEN 0x00002001 -#define CKM_DH_X9_42_PARAMETER_GEN 0x00002002 +#define CKM_X9_42_DH_PARAMETER_GEN 0x00002002 #define CKM_VENDOR_DEFINED 0x80000000 @@ -848,8 +959,6 @@ typedef struct CK_MECHANISM_INFO { * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP, * and CKF_DERIVE are new for v2.0. They specify whether or not * a mechanism can be used for a particular task */ -/* The flags CKF_EC_FP, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE, - * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11 */ #define CKF_ENCRYPT 0x00000100 #define CKF_DECRYPT 0x00000200 #define CKF_DIGEST 0x00000400 @@ -862,14 +971,20 @@ typedef struct CK_MECHANISM_INFO { #define CKF_WRAP 0x00020000 #define CKF_UNWRAP 0x00040000 #define CKF_DERIVE 0x00080000 + +/* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE, + * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They + * describe a token's EC capabilities not available in mechanism + * information. */ #define CKF_EC_FP 0x00100000 +#define CKF_EC_F_P 0x00100000 #define CKF_EC_F_2M 0x00200000 #define CKF_EC_ECPARAMETERS 0x00400000 #define CKF_EC_NAMEDCURVE 0x00800000 #define CKF_EC_UNCOMPRESS 0x01000000 #define CKF_EC_COMPRESS 0x02000000 -#define CKF_EXTENSION 0x80000000 /* FALSE for 2.01 */ +#define CKF_EXTENSION 0x80000000 /* FALSE for this version */ typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR; @@ -932,8 +1047,7 @@ typedef CK_ULONG CK_RV; #define CKR_KEY_FUNCTION_NOT_PERMITTED 0x00000068 #define CKR_KEY_NOT_WRAPPABLE 0x00000069 #define CKR_KEY_UNEXTRACTABLE 0x0000006A - -/* CKR_KEY_PARAMS_INVALID is new for v2.11 */ +/* new in v2.11 depricated by 2.20 */ #define CKR_KEY_PARAMS_INVALID 0x0000006B #define CKR_MECHANISM_INVALID 0x00000070 @@ -991,10 +1105,10 @@ typedef CK_ULONG CK_RV; #define CKR_WRAPPING_KEY_TYPE_INCONSISTENT 0x00000115 #define CKR_RANDOM_SEED_NOT_SUPPORTED 0x00000120 -/* New for v2.0 */ +/* These are new to v2.0 */ #define CKR_RANDOM_NO_RNG 0x00000121 -/* New for v2.11 */ +/* These are new to v2.11 */ #define CKR_DOMAIN_PARAMS_INVALID 0x00000130 /* These are new to v2.0 */ @@ -1009,6 +1123,9 @@ typedef CK_ULONG CK_RV; #define CKR_MUTEX_BAD 0x000001A0 #define CKR_MUTEX_NOT_LOCKED 0x000001A1 +/* This is new to v2.20 */ +#define CKR_FUNCTION_REJECTED 0x00000200 + #define CKR_VENDOR_DEFINED 0x80000000 @@ -1084,21 +1201,26 @@ typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR; /* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */ #define CKF_DONT_BLOCK 1 -/* CK_RSA_PKCS_OAEP_MGF_TYPE is new for v2.10. - * CK_RSA_PKCS_OAEP_MGF_TYPE is used to indicate the Message - * Generation Function (MGF) applied to a message block when - * formatting a message block for the PKCS #1 OAEP encryption +/* CK_RSA_PKCS_OAEP_MGF_TYPE is new for v2.10. + * CK_RSA_PKCS_OAEP_MGF_TYPE is used to indicate the Message + * Generation Function (MGF) applied to a message block when + * formatting a message block for the PKCS #1 OAEP encryption * scheme. */ -typedef CK_ULONG CK_RSA_PKCS_OAEP_MGF_TYPE; +typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE; -typedef CK_RSA_PKCS_OAEP_MGF_TYPE CK_PTR CK_RSA_PKCS_OAEP_MGF_TYPE_PTR; +typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR; /* The following MGFs are defined */ +/* CKG_MGF1_SHA256, CKG_MGF1_SHA384, and CKG_MGF1_SHA512 + * are new for v2.20 */ #define CKG_MGF1_SHA1 0x00000001 +#define CKG_MGF1_SHA256 0x00000002 +#define CKG_MGF1_SHA384 0x00000003 +#define CKG_MGF1_SHA512 0x00000004 -/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is new for v2.10. +/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is new for v2.10. * CK_RSA_PKCS_OAEP_SOURCE_TYPE is used to indicate the source - * of the encoding parameter when formatting a message block + * of the encoding parameter when formatting a message block * for the PKCS #1 OAEP encryption scheme. */ typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE; @@ -1108,18 +1230,141 @@ typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR; #define CKZ_DATA_SPECIFIED 0x00000001 /* CK_RSA_PKCS_OAEP_PARAMS is new for v2.10. - * CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the + * CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the * CKM_RSA_PKCS_OAEP mechanism. */ typedef struct CK_RSA_PKCS_OAEP_PARAMS { - CK_MECHANISM_TYPE hashAlg; - CK_RSA_PKCS_OAEP_MGF_TYPE mgf; - CK_RSA_PKCS_OAEP_SOURCE_TYPE source; - CK_VOID_PTR pSourceData; - CK_ULONG ulSourceDataLen; + CK_MECHANISM_TYPE hashAlg; + CK_RSA_PKCS_MGF_TYPE mgf; + CK_RSA_PKCS_OAEP_SOURCE_TYPE source; + CK_VOID_PTR pSourceData; + CK_ULONG ulSourceDataLen; } CK_RSA_PKCS_OAEP_PARAMS; typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR; +/* CK_RSA_PKCS_PSS_PARAMS is new for v2.11. + * CK_RSA_PKCS_PSS_PARAMS provides the parameters to the + * CKM_RSA_PKCS_PSS mechanism(s). */ +typedef struct CK_RSA_PKCS_PSS_PARAMS { + CK_MECHANISM_TYPE hashAlg; + CK_RSA_PKCS_MGF_TYPE mgf; + CK_ULONG sLen; +} CK_RSA_PKCS_PSS_PARAMS; + +typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR; + +/* CK_EC_KDF_TYPE is new for v2.11. */ +typedef CK_ULONG CK_EC_KDF_TYPE; + +/* The following EC Key Derivation Functions are defined */ +#define CKD_NULL 0x00000001 +#define CKD_SHA1_KDF 0x00000002 + +/* CK_ECDH1_DERIVE_PARAMS is new for v2.11. + * CK_ECDH1_DERIVE_PARAMS provides the parameters to the + * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms, + * where each party contributes one key pair. + */ +typedef struct CK_ECDH1_DERIVE_PARAMS { + CK_EC_KDF_TYPE kdf; + CK_ULONG ulSharedDataLen; + CK_BYTE_PTR pSharedData; + CK_ULONG ulPublicDataLen; + CK_BYTE_PTR pPublicData; +} CK_ECDH1_DERIVE_PARAMS; + +typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR; + + +/* CK_ECDH2_DERIVE_PARAMS is new for v2.11. + * CK_ECDH2_DERIVE_PARAMS provides the parameters to the + * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs. */ +typedef struct CK_ECDH2_DERIVE_PARAMS { + CK_EC_KDF_TYPE kdf; + CK_ULONG ulSharedDataLen; + CK_BYTE_PTR pSharedData; + CK_ULONG ulPublicDataLen; + CK_BYTE_PTR pPublicData; + CK_ULONG ulPrivateDataLen; + CK_OBJECT_HANDLE hPrivateData; + CK_ULONG ulPublicDataLen2; + CK_BYTE_PTR pPublicData2; +} CK_ECDH2_DERIVE_PARAMS; + +typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR; + +typedef struct CK_ECMQV_DERIVE_PARAMS { + CK_EC_KDF_TYPE kdf; + CK_ULONG ulSharedDataLen; + CK_BYTE_PTR pSharedData; + CK_ULONG ulPublicDataLen; + CK_BYTE_PTR pPublicData; + CK_ULONG ulPrivateDataLen; + CK_OBJECT_HANDLE hPrivateData; + CK_ULONG ulPublicDataLen2; + CK_BYTE_PTR pPublicData2; + CK_OBJECT_HANDLE publicKey; +} CK_ECMQV_DERIVE_PARAMS; + +typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR; + +/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the + * CKM_X9_42_DH_PARAMETER_GEN mechanisms (new for PKCS #11 v2.11) */ +typedef CK_ULONG CK_X9_42_DH_KDF_TYPE; +typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR; + +/* The following X9.42 DH key derivation functions are defined + (besides CKD_NULL already defined : */ +#define CKD_SHA1_KDF_ASN1 0x00000003 +#define CKD_SHA1_KDF_CONCATENATE 0x00000004 + +/* CK_X9_42_DH1_DERIVE_PARAMS is new for v2.11. + * CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the + * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party + * contributes one key pair */ +typedef struct CK_X9_42_DH1_DERIVE_PARAMS { + CK_X9_42_DH_KDF_TYPE kdf; + CK_ULONG ulOtherInfoLen; + CK_BYTE_PTR pOtherInfo; + CK_ULONG ulPublicDataLen; + CK_BYTE_PTR pPublicData; +} CK_X9_42_DH1_DERIVE_PARAMS; + +typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR; + +/* CK_X9_42_DH2_DERIVE_PARAMS is new for v2.11. + * CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the + * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation + * mechanisms, where each party contributes two key pairs */ +typedef struct CK_X9_42_DH2_DERIVE_PARAMS { + CK_X9_42_DH_KDF_TYPE kdf; + CK_ULONG ulOtherInfoLen; + CK_BYTE_PTR pOtherInfo; + CK_ULONG ulPublicDataLen; + CK_BYTE_PTR pPublicData; + CK_ULONG ulPrivateDataLen; + CK_OBJECT_HANDLE hPrivateData; + CK_ULONG ulPublicDataLen2; + CK_BYTE_PTR pPublicData2; +} CK_X9_42_DH2_DERIVE_PARAMS; + +typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR; + +typedef struct CK_X9_42_MQV_DERIVE_PARAMS { + CK_X9_42_DH_KDF_TYPE kdf; + CK_ULONG ulOtherInfoLen; + CK_BYTE_PTR pOtherInfo; + CK_ULONG ulPublicDataLen; + CK_BYTE_PTR pPublicData; + CK_ULONG ulPrivateDataLen; + CK_OBJECT_HANDLE hPrivateData; + CK_ULONG ulPublicDataLen2; + CK_BYTE_PTR pPublicData2; + CK_OBJECT_HANDLE publicKey; +} CK_X9_42_MQV_DERIVE_PARAMS; + +typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR; + /* CK_KEA_DERIVE_PARAMS provides the parameters to the * CKM_KEA_DERIVE mechanism */ /* CK_KEA_DERIVE_PARAMS is new for v2.0 */ @@ -1213,6 +1458,22 @@ typedef CK_ULONG CK_MAC_GENERAL_PARAMS; typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR; +/* CK_DES/AES_ECB/CBC_ENCRYPT_DATA_PARAMS are new for v2.20 */ +typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS { + CK_BYTE iv[8]; + CK_BYTE_PTR pData; + CK_ULONG length; +} CK_DES_CBC_ENCRYPT_DATA_PARAMS; + +typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR; + +typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS { + CK_BYTE iv[16]; + CK_BYTE_PTR pData; + CK_ULONG length; +} CK_AES_CBC_ENCRYPT_DATA_PARAMS; + +typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR; /* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the * CKM_SKIPJACK_PRIVATE_WRAP mechanism */ @@ -1260,12 +1521,12 @@ typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \ typedef struct CK_PBE_PARAMS { - CK_CHAR_PTR pInitVector; - CK_CHAR_PTR pPassword; - CK_ULONG ulPasswordLen; - CK_CHAR_PTR pSalt; - CK_ULONG ulSaltLen; - CK_ULONG ulIteration; + CK_BYTE_PTR pInitVector; + CK_UTF8CHAR_PTR pPassword; + CK_ULONG ulPasswordLen; + CK_BYTE_PTR pSalt; + CK_ULONG ulSaltLen; + CK_ULONG ulIteration; } CK_PBE_PARAMS; typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR; @@ -1324,6 +1585,83 @@ typedef struct CK_SSL3_KEY_MAT_PARAMS { typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR; +/* CK_TLS_PRF_PARAMS is new for version 2.20 */ +typedef struct CK_TLS_PRF_PARAMS { + CK_BYTE_PTR pSeed; + CK_ULONG ulSeedLen; + CK_BYTE_PTR pLabel; + CK_ULONG ulLabelLen; + CK_BYTE_PTR pOutput; + CK_ULONG_PTR pulOutputLen; +} CK_TLS_PRF_PARAMS; + +typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR; + +/* WTLS is new for version 2.20 */ +typedef struct CK_WTLS_RANDOM_DATA { + CK_BYTE_PTR pClientRandom; + CK_ULONG ulClientRandomLen; + CK_BYTE_PTR pServerRandom; + CK_ULONG ulServerRandomLen; +} CK_WTLS_RANDOM_DATA; + +typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR; + +typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS { + CK_MECHANISM_TYPE DigestMechanism; + CK_WTLS_RANDOM_DATA RandomInfo; + CK_BYTE_PTR pVersion; +} CK_WTLS_MASTER_KEY_DERIVE_PARAMS; + +typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \ + CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR; + +typedef struct CK_WTLS_PRF_PARAMS { + CK_MECHANISM_TYPE DigestMechanism; + CK_BYTE_PTR pSeed; + CK_ULONG ulSeedLen; + CK_BYTE_PTR pLabel; + CK_ULONG ulLabelLen; + CK_BYTE_PTR pOutput; + CK_ULONG_PTR pulOutputLen; +} CK_WTLS_PRF_PARAMS; + +typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR; + +typedef struct CK_WTLS_KEY_MAT_OUT { + CK_OBJECT_HANDLE hMacSecret; + CK_OBJECT_HANDLE hKey; + CK_BYTE_PTR pIV; +} CK_WTLS_KEY_MAT_OUT; + +typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR; + +typedef struct CK_WTLS_KEY_MAT_PARAMS { + CK_MECHANISM_TYPE DigestMechanism; + CK_ULONG ulMacSizeInBits; + CK_ULONG ulKeySizeInBits; + CK_ULONG ulIVSizeInBits; + CK_ULONG ulSequenceNumber; + CK_BBOOL bIsExport; + CK_WTLS_RANDOM_DATA RandomInfo; + CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial; +} CK_WTLS_KEY_MAT_PARAMS; + +typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR; + +/* CMS is new for version 2.20 */ +typedef struct CK_CMS_SIG_PARAMS { + CK_OBJECT_HANDLE certificateHandle; + CK_MECHANISM_PTR pSigningMechanism; + CK_MECHANISM_PTR pDigestMechanism; + CK_UTF8CHAR_PTR pContentType; + CK_BYTE_PTR pRequestedAttributes; + CK_ULONG ulRequestedAttributesLen; + CK_BYTE_PTR pRequiredAttributes; + CK_ULONG ulRequiredAttributesLen; +} CK_CMS_SIG_PARAMS; + +typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR; typedef struct CK_KEY_DERIVATION_STRING_DATA { CK_BYTE_PTR pData; @@ -1344,8 +1682,8 @@ typedef CK_ULONG CK_EXTRACT_PARAMS; typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR; /* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is new for v2.10. - * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to - * indicate the Pseudo-Random Function (PRF) used to generate + * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to + * indicate the Pseudo-Random Function (PRF) used to generate * key bits using PKCS #5 PBKDF2. */ typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE; @@ -1355,9 +1693,9 @@ typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR CK_PKCS5_PBKD2_PSEUDO_ #define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001 -/* CK_PKCS5_PBKD2_SALT_SOURCE_TYPE is new for v2.10. - * CK_PKCS5_PBKD2_SALT_SOURCE_TYPE is used to indicate the - * source of the salt value when deriving a key using PKCS #5 +/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is new for v2.10. + * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the + * source of the salt value when deriving a key using PKCS #5 * PBKDF2. */ typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE; @@ -1367,40 +1705,23 @@ typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE #define CKZ_SALT_SPECIFIED 0x00000001 /* CK_PKCS5_PBKD2_PARAMS is new for v2.10. - * CK_PKCS5_PBKD2_PARAMS is a structure that provides the + * CK_PKCS5_PBKD2_PARAMS is a structure that provides the * parameters to the CKM_PKCS5_PBKD2 mechanism. */ typedef struct CK_PKCS5_PBKD2_PARAMS { - CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource; - CK_VOID_PTR pSaltSourceData; - CK_ULONG ulSaltSourceDataLen; - CK_ULONG iterations; - CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf; - CK_VOID_PTR pPrfData; - CK_ULONG ulPrfDataLen; + CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource; + CK_VOID_PTR pSaltSourceData; + CK_ULONG ulSaltSourceDataLen; + CK_ULONG iterations; + CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf; + CK_VOID_PTR pPrfData; + CK_ULONG ulPrfDataLen; + CK_UTF8CHAR_PTR pPassword; + CK_ULONG_PTR ulPasswordLen; } CK_PKCS5_PBKD2_PARAMS; - + typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR; -/* CK_ECDH1_DERIVE_PARAMS is defined in Section 12.4.4 of - * PKCS#11v2.11. This structure provides parameters for - * the CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE key - * derivation mechanisms. - */ -typedef CK_ULONG CK_EC_KDF_TYPE; -#define CKD_NULL 0x00000001 -#define CKD_SHA1_KDF 0x00000002 - -typedef struct CK_ECDH1_DERIVE_PARAMS { - CK_EC_KDF_TYPE kdf; - CK_ULONG ulSharedDataLen; - CK_BYTE_PTR pSharedData; - CK_ULONG ulPublicDataLen; - CK_BYTE_PTR pPublicData; -} CK_ECDH1_DERIVE_PARAMS; - -typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR; - -/* Netscape Specific defines */ +/* NSS Specific defines */ #include "pkcs11n.h" /* undo packing */