зеркало из https://github.com/mozilla/pjs.git
731 строка
25 KiB
C
731 строка
25 KiB
C
/* ***** BEGIN LICENSE BLOCK *****
|
|
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
|
|
*
|
|
* The contents of this file are subject to the Mozilla Public License Version
|
|
* 1.1 (the "License"); you may not use this file except in compliance with
|
|
* the License. You may obtain a copy of the License at
|
|
* http://www.mozilla.org/MPL/
|
|
*
|
|
* Software distributed under the License is distributed on an "AS IS" basis,
|
|
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
|
* for the specific language governing rights and limitations under the
|
|
* License.
|
|
*
|
|
* The Original Code is the Netscape security libraries.
|
|
*
|
|
* The Initial Developer of the Original Code is
|
|
* Netscape Communications Corporation.
|
|
* Portions created by the Initial Developer are Copyright (C) 1994-2000
|
|
* the Initial Developer. All Rights Reserved.
|
|
*
|
|
* Contributor(s):
|
|
*
|
|
* Alternatively, the contents of this file may be used under the terms of
|
|
* either the GNU General Public License Version 2 or later (the "GPL"), or
|
|
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
|
|
* in which case the provisions of the GPL or the LGPL are applicable instead
|
|
* of those above. If you wish to allow use of your version of this file only
|
|
* under the terms of either the GPL or the LGPL, and not to allow others to
|
|
* use your version of this file under the terms of the MPL, indicate your
|
|
* decision by deleting the provisions above and replace them with the notice
|
|
* and other provisions required by the GPL or the LGPL. If you do not delete
|
|
* the provisions above, a recipient may use your version of this file under
|
|
* the terms of any one of the MPL, the GPL or the LGPL.
|
|
*
|
|
* ***** END LICENSE BLOCK ***** */
|
|
/*
|
|
* Internal data structures and functions used by pkcs11.c
|
|
*/
|
|
#ifndef _PKCS11I_H_
|
|
#define _PKCS11I_H_ 1
|
|
|
|
#include "nssilock.h"
|
|
#include "seccomon.h"
|
|
#include "secoidt.h"
|
|
#include "lowkeyti.h"
|
|
#include "pkcs11t.h"
|
|
#include "pcertt.h"
|
|
|
|
|
|
/*
|
|
* Configuration Defines
|
|
*
|
|
* The following defines affect the space verse speed trade offs of
|
|
* the PKCS #11 module. For the most part the current settings are optimized
|
|
* for web servers, where we want faster speed and lower lock contention at
|
|
* the expense of space.
|
|
*/
|
|
|
|
#define PKCS11_USE_THREADS /* set to true of you are need threads */
|
|
/*
|
|
* Attribute Allocation strategy:
|
|
*
|
|
* 1) static allocation (PKCS11_STATIC_ATTRIBUTES set
|
|
* PKCS11_REF_COUNT_ATTRIBUTES not set)
|
|
* Attributes are pre-allocated as part of the session object and used from
|
|
* the object array.
|
|
*
|
|
* 2) heap allocation with ref counting (PKCS11_STATIC_ATTRIBUTES not set
|
|
* PKCS11_REF_COUNT_ATTRIBUTES set)
|
|
* Attributes are allocated from the heap when needed and freed when their
|
|
* reference count goes to zero.
|
|
*
|
|
* 3) arena allocation (PKCS11_STATIC_ATTRIBUTES not set
|
|
* PKCS11_REF_COUNT_ATTRIBUTE not set)
|
|
* Attributes are allocated from the arena when needed and freed only when
|
|
* the object goes away.
|
|
*/
|
|
#define PKCS11_STATIC_ATTRIBUTES
|
|
/*#define PKCS11_REF_COUNT_ATTRIBUTES */
|
|
/* the next two are only active if PKCS11_STATIC_ATTRIBUTES is set */
|
|
#define MAX_OBJS_ATTRS 45 /* number of attributes to preallocate in
|
|
* the object (must me the absolute max) */
|
|
#define ATTR_SPACE 50 /* Maximum size of attribute data before extra
|
|
* data needs to be allocated. This is set to
|
|
* enough space to hold an SSL MASTER secret */
|
|
|
|
#define NSC_STRICT PR_FALSE /* forces the code to do strict template
|
|
* matching when doing C_FindObject on token
|
|
* objects. This will slow down search in
|
|
* NSS. */
|
|
/* default search block allocations and increments */
|
|
#define NSC_CERT_BLOCK_SIZE 50
|
|
#define NSC_SEARCH_BLOCK_SIZE 5
|
|
#define NSC_SLOT_LIST_BLOCK_SIZE 10
|
|
|
|
#define NSC_FIPS_MODULE 1
|
|
#define NSC_NON_FIPS_MODULE 0
|
|
|
|
/* these are data base storage hashes, not cryptographic hashes.. The define
|
|
* the effective size of the various object hash tables */
|
|
/* clients care more about memory usage than lookup performance on
|
|
* cyrptographic objects. Clients also have less objects around to play with
|
|
*
|
|
* we eventually should make this configurable at runtime! Especially now that
|
|
* NSS is a shared library.
|
|
*/
|
|
#define SPACE_ATTRIBUTE_HASH_SIZE 32
|
|
#define SPACE_TOKEN_OBJECT_HASH_SIZE 32
|
|
#define SPACE_SESSION_HASH_SIZE 32
|
|
#define TIME_ATTRIBUTE_HASH_SIZE 32
|
|
#define TIME_TOKEN_OBJECT_HASH_SIZE 1024
|
|
#define TIME_SESSION_HASH_SIZE 1024
|
|
#define MAX_OBJECT_LIST_SIZE 800
|
|
/* how many objects to keep on the free list
|
|
* before we start freeing them */
|
|
#define MAX_KEY_LEN 256
|
|
|
|
#define MULTIACCESS "multiaccess:"
|
|
|
|
/*
|
|
* LOG2_BUCKETS_PER_SESSION_LOCK must be a prime number.
|
|
* With SESSION_HASH_SIZE=1024, LOG2 can be 9, 5, 1, or 0.
|
|
* With SESSION_HASH_SIZE=4096, LOG2 can be 11, 9, 5, 1, or 0.
|
|
*
|
|
* HASH_SIZE LOG2_BUCKETS_PER BUCKETS_PER_LOCK NUMBER_OF_BUCKETS
|
|
* 1024 9 512 2
|
|
* 1024 5 32 32
|
|
* 1024 1 2 512
|
|
* 1024 0 1 1024
|
|
* 4096 11 2048 2
|
|
* 4096 9 512 8
|
|
* 4096 5 32 128
|
|
* 4096 1 2 2048
|
|
* 4096 0 1 4096
|
|
*/
|
|
#define LOG2_BUCKETS_PER_SESSION_LOCK 1
|
|
#define BUCKETS_PER_SESSION_LOCK (1 << (LOG2_BUCKETS_PER_SESSION_LOCK))
|
|
/* NOSPREAD sessionID to hash table index macro has been slower. */
|
|
|
|
#ifdef PKCS11_USE_THREADS
|
|
#define PK11_USE_THREADS(x) x
|
|
#else
|
|
#define PK11_USE_THREADS(x)
|
|
#endif
|
|
|
|
/* define typedefs, double as forward declarations as well */
|
|
typedef struct PK11AttributeStr PK11Attribute;
|
|
typedef struct PK11ObjectListStr PK11ObjectList;
|
|
typedef struct PK11ObjectFreeListStr PK11ObjectFreeList;
|
|
typedef struct PK11ObjectListElementStr PK11ObjectListElement;
|
|
typedef struct PK11ObjectStr PK11Object;
|
|
typedef struct PK11SessionObjectStr PK11SessionObject;
|
|
typedef struct PK11TokenObjectStr PK11TokenObject;
|
|
typedef struct PK11SessionStr PK11Session;
|
|
typedef struct PK11SlotStr PK11Slot;
|
|
typedef struct PK11SessionContextStr PK11SessionContext;
|
|
typedef struct PK11SearchResultsStr PK11SearchResults;
|
|
typedef struct PK11HashVerifyInfoStr PK11HashVerifyInfo;
|
|
typedef struct PK11HashSignInfoStr PK11HashSignInfo;
|
|
typedef struct PK11SSLMACInfoStr PK11SSLMACInfo;
|
|
|
|
/* define function pointer typdefs for pointer tables */
|
|
typedef void (*PK11Destroy)(void *, PRBool);
|
|
typedef void (*PK11Begin)(void *);
|
|
typedef SECStatus (*PK11Cipher)(void *,void *,unsigned int *,unsigned int,
|
|
void *, unsigned int);
|
|
typedef SECStatus (*PK11Verify)(void *,void *,unsigned int,void *,unsigned int);
|
|
typedef void (*PK11Hash)(void *,void *,unsigned int);
|
|
typedef void (*PK11End)(void *,void *,unsigned int *,unsigned int);
|
|
typedef void (*PK11Free)(void *);
|
|
|
|
/* Value to tell if an attribute is modifiable or not.
|
|
* NEVER: attribute is only set on creation.
|
|
* ONCOPY: attribute is set on creation and can only be changed on copy.
|
|
* SENSITIVE: attribute can only be changed to TRUE.
|
|
* ALWAYS: attribute can always be changed.
|
|
*/
|
|
typedef enum {
|
|
PK11_NEVER = 0,
|
|
PK11_ONCOPY = 1,
|
|
PK11_SENSITIVE = 2,
|
|
PK11_ALWAYS = 3
|
|
} PK11ModifyType;
|
|
|
|
/*
|
|
* Free Status Enum... tell us more information when we think we're
|
|
* deleting an object.
|
|
*/
|
|
typedef enum {
|
|
PK11_DestroyFailure,
|
|
PK11_Destroyed,
|
|
PK11_Busy
|
|
} PK11FreeStatus;
|
|
|
|
/*
|
|
* attribute values of an object.
|
|
*/
|
|
struct PK11AttributeStr {
|
|
PK11Attribute *next;
|
|
PK11Attribute *prev;
|
|
PRBool freeAttr;
|
|
PRBool freeData;
|
|
#ifdef PKCS11_REF_COUNT_ATTRIBUTES
|
|
int refCount;
|
|
PZLock *refLock;
|
|
#endif
|
|
/*must be called handle to make pk11queue_find work */
|
|
CK_ATTRIBUTE_TYPE handle;
|
|
CK_ATTRIBUTE attrib;
|
|
#ifdef PKCS11_STATIC_ATTRIBUTES
|
|
unsigned char space[ATTR_SPACE];
|
|
#endif
|
|
};
|
|
|
|
|
|
/*
|
|
* doubly link list of objects
|
|
*/
|
|
struct PK11ObjectListStr {
|
|
PK11ObjectList *next;
|
|
PK11ObjectList *prev;
|
|
PK11Object *parent;
|
|
};
|
|
|
|
struct PK11ObjectFreeListStr {
|
|
PK11Object *head;
|
|
PZLock *lock;
|
|
int count;
|
|
};
|
|
|
|
/*
|
|
* PKCS 11 crypto object structure
|
|
*/
|
|
struct PK11ObjectStr {
|
|
PK11Object *next;
|
|
PK11Object *prev;
|
|
CK_OBJECT_CLASS objclass;
|
|
CK_OBJECT_HANDLE handle;
|
|
int refCount;
|
|
PZLock *refLock;
|
|
PK11Slot *slot;
|
|
void *objectInfo;
|
|
PK11Free infoFree;
|
|
#ifndef PKCS11_STATIC_ATTRIBUTES
|
|
PLArenaPool *arena;
|
|
#endif
|
|
};
|
|
|
|
struct PK11TokenObjectStr {
|
|
PK11Object obj;
|
|
SECItem dbKey;
|
|
};
|
|
|
|
struct PK11SessionObjectStr {
|
|
PK11Object obj;
|
|
PK11ObjectList sessionList;
|
|
PZLock *attributeLock;
|
|
PK11Session *session;
|
|
PRBool wasDerived;
|
|
#ifdef PKCS11_STATIC_ATTRIBUTES
|
|
int nextAttr;
|
|
PK11Attribute attrList[MAX_OBJS_ATTRS];
|
|
#endif
|
|
PRBool optimizeSpace;
|
|
unsigned int hashSize;
|
|
PK11Attribute *head[1];
|
|
};
|
|
|
|
/*
|
|
* struct to deal with a temparary list of objects
|
|
*/
|
|
struct PK11ObjectListElementStr {
|
|
PK11ObjectListElement *next;
|
|
PK11Object *object;
|
|
};
|
|
|
|
/*
|
|
* Area to hold Search results
|
|
*/
|
|
struct PK11SearchResultsStr {
|
|
CK_OBJECT_HANDLE *handles;
|
|
int size;
|
|
int index;
|
|
int array_size;
|
|
};
|
|
|
|
|
|
/*
|
|
* the universal crypto/hash/sign/verify context structure
|
|
*/
|
|
typedef enum {
|
|
PK11_ENCRYPT,
|
|
PK11_DECRYPT,
|
|
PK11_HASH,
|
|
PK11_SIGN,
|
|
PK11_SIGN_RECOVER,
|
|
PK11_VERIFY,
|
|
PK11_VERIFY_RECOVER
|
|
} PK11ContextType;
|
|
|
|
|
|
#define PK11_MAX_BLOCK_SIZE 16
|
|
/* currently SHA512 is the biggest hash length */
|
|
#define PK11_MAX_MAC_LENGTH 64
|
|
#define PK11_INVALID_MAC_SIZE 0xffffffff
|
|
|
|
struct PK11SessionContextStr {
|
|
PK11ContextType type;
|
|
PRBool multi; /* is multipart */
|
|
PRBool doPad; /* use PKCS padding for block ciphers */
|
|
unsigned int blockSize; /* blocksize for padding */
|
|
unsigned int padDataLength; /* length of the valid data in padbuf */
|
|
unsigned char padBuf[PK11_MAX_BLOCK_SIZE];
|
|
unsigned char macBuf[PK11_MAX_BLOCK_SIZE];
|
|
CK_ULONG macSize; /* size of a general block cipher mac*/
|
|
void *cipherInfo;
|
|
void *hashInfo;
|
|
unsigned int cipherInfoLen;
|
|
CK_MECHANISM_TYPE currentMech;
|
|
PK11Cipher update;
|
|
PK11Hash hashUpdate;
|
|
PK11End end;
|
|
PK11Destroy destroy;
|
|
PK11Destroy hashdestroy;
|
|
PK11Verify verify;
|
|
unsigned int maxLen;
|
|
PK11Object *key;
|
|
};
|
|
|
|
/*
|
|
* Sessions (have objects)
|
|
*/
|
|
struct PK11SessionStr {
|
|
PK11Session *next;
|
|
PK11Session *prev;
|
|
CK_SESSION_HANDLE handle;
|
|
int refCount;
|
|
PZLock *objectLock;
|
|
int objectIDCount;
|
|
CK_SESSION_INFO info;
|
|
CK_NOTIFY notify;
|
|
CK_VOID_PTR appData;
|
|
PK11Slot *slot;
|
|
PK11SearchResults *search;
|
|
PK11SessionContext *enc_context;
|
|
PK11SessionContext *hash_context;
|
|
PK11SessionContext *sign_context;
|
|
PK11ObjectList *objects[1];
|
|
};
|
|
|
|
/*
|
|
* slots (have sessions and objects)
|
|
*
|
|
* The array of sessionLock's protect the session hash table (head[])
|
|
* as well as the reference count of session objects in that bucket
|
|
* (head[]->refCount), objectLock protects all elements of the token
|
|
* object hash table (tokObjects[], tokenIDCount, and tokenHashTable),
|
|
* and slotLock protects the remaining protected elements:
|
|
* password, isLoggedIn, ssoLoggedIn, and sessionCount
|
|
*/
|
|
struct PK11SlotStr {
|
|
CK_SLOT_ID slotID;
|
|
PZLock *slotLock;
|
|
PZLock **sessionLock;
|
|
unsigned int numSessionLocks;
|
|
unsigned long sessionLockMask;
|
|
PZLock *objectLock;
|
|
SECItem *password;
|
|
PRBool hasTokens;
|
|
PRBool isLoggedIn;
|
|
PRBool ssoLoggedIn;
|
|
PRBool needLogin;
|
|
PRBool DB_loaded;
|
|
PRBool readOnly;
|
|
PRBool optimizeSpace;
|
|
NSSLOWCERTCertDBHandle *certDB;
|
|
NSSLOWKEYDBHandle *keyDB;
|
|
int minimumPinLen;
|
|
PRInt32 sessionIDCount; /* atomically incremented */
|
|
int sessionIDConflict; /* not protected by a lock */
|
|
int sessionCount;
|
|
PRInt32 rwSessionCount; /* set by atomic operations */
|
|
int tokenIDCount;
|
|
int index;
|
|
PLHashTable *tokenHashTable;
|
|
PK11Object **tokObjects;
|
|
unsigned int tokObjHashSize;
|
|
PK11Session **head;
|
|
unsigned int sessHashSize;
|
|
char tokDescription[33];
|
|
char slotDescription[64];
|
|
};
|
|
|
|
/*
|
|
* special joint operations Contexts
|
|
*/
|
|
struct PK11HashVerifyInfoStr {
|
|
SECOidTag hashOid;
|
|
NSSLOWKEYPublicKey *key;
|
|
};
|
|
|
|
struct PK11HashSignInfoStr {
|
|
SECOidTag hashOid;
|
|
NSSLOWKEYPrivateKey *key;
|
|
};
|
|
|
|
/* context for the Final SSLMAC message */
|
|
struct PK11SSLMACInfoStr {
|
|
void *hashContext;
|
|
PK11Begin begin;
|
|
PK11Hash update;
|
|
PK11End end;
|
|
CK_ULONG macSize;
|
|
int padSize;
|
|
unsigned char key[MAX_KEY_LEN];
|
|
unsigned int keySize;
|
|
};
|
|
|
|
/*
|
|
* session handle modifiers
|
|
*/
|
|
#define PK11_SESSION_SLOT_MASK 0xff000000L
|
|
|
|
/*
|
|
* object handle modifiers
|
|
*/
|
|
#define PK11_TOKEN_MASK 0x80000000L
|
|
#define PK11_TOKEN_MAGIC 0x80000000L
|
|
#define PK11_TOKEN_TYPE_MASK 0x70000000L
|
|
/* keydb (high bit == 0) */
|
|
#define PK11_TOKEN_TYPE_PRIV 0x10000000L
|
|
#define PK11_TOKEN_TYPE_PUB 0x20000000L
|
|
#define PK11_TOKEN_TYPE_KEY 0x30000000L
|
|
/* certdb (high bit == 1) */
|
|
#define PK11_TOKEN_TYPE_TRUST 0x40000000L
|
|
#define PK11_TOKEN_TYPE_CRL 0x50000000L
|
|
#define PK11_TOKEN_TYPE_SMIME 0x60000000L
|
|
#define PK11_TOKEN_TYPE_CERT 0x70000000L
|
|
|
|
#define PK11_TOKEN_KRL_HANDLE (PK11_TOKEN_MAGIC|PK11_TOKEN_TYPE_CRL|1)
|
|
/* how big a password/pin we can deal with */
|
|
#define PK11_MAX_PIN 255
|
|
|
|
/* slot ID's */
|
|
#define NETSCAPE_SLOT_ID 1
|
|
#define PRIVATE_KEY_SLOT_ID 2
|
|
#define FIPS_SLOT_ID 3
|
|
|
|
/* slot helper macros */
|
|
#define pk11_SlotFromSession(sp) ((sp)->slot)
|
|
#define pk11_isToken(id) (((id) & PK11_TOKEN_MASK) == PK11_TOKEN_MAGIC)
|
|
|
|
/* the session hash multiplier (see bug 201081) */
|
|
#define SHMULTIPLIER 1791398085
|
|
|
|
/* queueing helper macros */
|
|
#define pk11_hash(value,size) \
|
|
((PRUint32)((value) * SHMULTIPLIER) & (size-1))
|
|
#define pk11queue_add(element,id,head,hash_size) \
|
|
{ int tmp = pk11_hash(id,hash_size); \
|
|
(element)->next = (head)[tmp]; \
|
|
(element)->prev = NULL; \
|
|
if ((head)[tmp]) (head)[tmp]->prev = (element); \
|
|
(head)[tmp] = (element); }
|
|
#define pk11queue_find(element,id,head,hash_size) \
|
|
for( (element) = (head)[pk11_hash(id,hash_size)]; (element) != NULL; \
|
|
(element) = (element)->next) { \
|
|
if ((element)->handle == (id)) { break; } }
|
|
#define pk11queue_is_queued(element,id,head,hash_size) \
|
|
( ((element)->next) || ((element)->prev) || \
|
|
((head)[pk11_hash(id,hash_size)] == (element)) )
|
|
#define pk11queue_delete(element,id,head,hash_size) \
|
|
if ((element)->next) (element)->next->prev = (element)->prev; \
|
|
if ((element)->prev) (element)->prev->next = (element)->next; \
|
|
else (head)[pk11_hash(id,hash_size)] = ((element)->next); \
|
|
(element)->next = NULL; \
|
|
(element)->prev = NULL; \
|
|
|
|
#define pk11queue_init_element(element) \
|
|
(element)->prev = NULL;
|
|
|
|
#define pk11queue_add2(element, id, index, head) \
|
|
{ \
|
|
(element)->next = (head)[index]; \
|
|
if ((head)[index]) \
|
|
(head)[index]->prev = (element); \
|
|
(head)[index] = (element); \
|
|
}
|
|
|
|
#define pk11queue_find2(element, id, index, head) \
|
|
for ( (element) = (head)[index]; \
|
|
(element) != NULL; \
|
|
(element) = (element)->next) { \
|
|
if ((element)->handle == (id)) { break; } \
|
|
}
|
|
|
|
#define pk11queue_delete2(element, id, index, head) \
|
|
if ((element)->next) (element)->next->prev = (element)->prev; \
|
|
if ((element)->prev) (element)->prev->next = (element)->next; \
|
|
else (head)[index] = ((element)->next);
|
|
|
|
#define pk11queue_clear_deleted_element(element) \
|
|
(element)->next = NULL; \
|
|
(element)->prev = NULL; \
|
|
|
|
|
|
/* sessionID (handle) is used to determine session lock bucket */
|
|
#ifdef NOSPREAD
|
|
/* NOSPREAD: (ID>>L2LPB) & (perbucket-1) */
|
|
#define PK11_SESSION_LOCK(slot,handle) \
|
|
((slot)->sessionLock[((handle) >> LOG2_BUCKETS_PER_SESSION_LOCK) \
|
|
& (slot)->sessionLockMask])
|
|
#else
|
|
/* SPREAD: ID & (perbucket-1) */
|
|
#define PK11_SESSION_LOCK(slot,handle) \
|
|
((slot)->sessionLock[(handle) & (slot)->sessionLockMask])
|
|
#endif
|
|
|
|
/* expand an attribute & secitem structures out */
|
|
#define pk11_attr_expand(ap) (ap)->type,(ap)->pValue,(ap)->ulValueLen
|
|
#define pk11_item_expand(ip) (ip)->data,(ip)->len
|
|
|
|
typedef struct pk11_token_parametersStr {
|
|
CK_SLOT_ID slotID;
|
|
char *configdir;
|
|
char *certPrefix;
|
|
char *keyPrefix;
|
|
char *tokdes;
|
|
char *slotdes;
|
|
int minPW;
|
|
PRBool readOnly;
|
|
PRBool noCertDB;
|
|
PRBool noKeyDB;
|
|
PRBool forceOpen;
|
|
PRBool pwRequired;
|
|
PRBool optimizeSpace;
|
|
} pk11_token_parameters;
|
|
|
|
typedef struct pk11_parametersStr {
|
|
char *configdir;
|
|
char *secmodName;
|
|
char *man;
|
|
char *libdes;
|
|
PRBool readOnly;
|
|
PRBool noModDB;
|
|
PRBool noCertDB;
|
|
PRBool forceOpen;
|
|
PRBool pwRequired;
|
|
PRBool optimizeSpace;
|
|
pk11_token_parameters *tokens;
|
|
int token_count;
|
|
} pk11_parameters;
|
|
|
|
|
|
/* machine dependent path stuff used by dbinit.c and pk11db.c */
|
|
#ifdef macintosh
|
|
#define PATH_SEPARATOR ":"
|
|
#define SECMOD_DB "Security Modules"
|
|
#define CERT_DB_FMT "%sCertificates%s"
|
|
#define KEY_DB_FMT "%sKey Database%s"
|
|
#else
|
|
#define PATH_SEPARATOR "/"
|
|
#define SECMOD_DB "secmod.db"
|
|
#define CERT_DB_FMT "%scert%s.db"
|
|
#define KEY_DB_FMT "%skey%s.db"
|
|
#endif
|
|
|
|
SEC_BEGIN_PROTOS
|
|
|
|
extern int nsf_init;
|
|
extern CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS);
|
|
extern CK_RV nsc_CommonFinalize(CK_VOID_PTR pReserved, PRBool isFIPS);
|
|
extern CK_RV nsc_CommonGetSlotList(CK_BBOOL tokPresent,
|
|
CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount, int moduleIndex);
|
|
/* shared functions between PKCS11.c and PK11FIPS.c */
|
|
extern CK_RV PK11_SlotInit(char *configdir,pk11_token_parameters *params,
|
|
int moduleIndex);
|
|
|
|
/* internal utility functions used by pkcs11.c */
|
|
extern PK11Attribute *pk11_FindAttribute(PK11Object *object,
|
|
CK_ATTRIBUTE_TYPE type);
|
|
extern void pk11_FreeAttribute(PK11Attribute *attribute);
|
|
extern CK_RV pk11_AddAttributeType(PK11Object *object, CK_ATTRIBUTE_TYPE type,
|
|
void *valPtr,
|
|
CK_ULONG length);
|
|
extern CK_RV pk11_Attribute2SecItem(PLArenaPool *arena, SECItem *item,
|
|
PK11Object *object, CK_ATTRIBUTE_TYPE type);
|
|
extern unsigned int pk11_GetLengthInBits(unsigned char *buf,
|
|
unsigned int bufLen);
|
|
extern CK_RV pk11_ConstrainAttribute(PK11Object *object,
|
|
CK_ATTRIBUTE_TYPE type, int minLength, int maxLength, int minMultiple);
|
|
extern PRBool pk11_hasAttribute(PK11Object *object, CK_ATTRIBUTE_TYPE type);
|
|
extern PRBool pk11_isTrue(PK11Object *object, CK_ATTRIBUTE_TYPE type);
|
|
extern void pk11_DeleteAttributeType(PK11Object *object,
|
|
CK_ATTRIBUTE_TYPE type);
|
|
extern CK_RV pk11_Attribute2SecItem(PLArenaPool *arena, SECItem *item,
|
|
PK11Object *object, CK_ATTRIBUTE_TYPE type);
|
|
extern CK_RV pk11_Attribute2SSecItem(PLArenaPool *arena, SECItem *item,
|
|
PK11Object *object,
|
|
CK_ATTRIBUTE_TYPE type);
|
|
extern PK11ModifyType pk11_modifyType(CK_ATTRIBUTE_TYPE type,
|
|
CK_OBJECT_CLASS inClass);
|
|
extern PRBool pk11_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass);
|
|
extern char *pk11_getString(PK11Object *object, CK_ATTRIBUTE_TYPE type);
|
|
extern void pk11_nullAttribute(PK11Object *object,CK_ATTRIBUTE_TYPE type);
|
|
extern CK_RV pk11_GetULongAttribute(PK11Object *object, CK_ATTRIBUTE_TYPE type,
|
|
CK_ULONG *longData);
|
|
extern CK_RV pk11_forceAttribute(PK11Object *object, CK_ATTRIBUTE_TYPE type,
|
|
void *value, unsigned int len);
|
|
extern CK_RV pk11_defaultAttribute(PK11Object *object, CK_ATTRIBUTE_TYPE type,
|
|
void *value, unsigned int len);
|
|
extern unsigned int pk11_MapTrust(CK_TRUST trust, PRBool clientAuth);
|
|
|
|
extern PK11Object *pk11_NewObject(PK11Slot *slot);
|
|
extern CK_RV pk11_CopyObject(PK11Object *destObject, PK11Object *srcObject);
|
|
extern PK11FreeStatus pk11_FreeObject(PK11Object *object);
|
|
extern CK_RV pk11_DeleteObject(PK11Session *session, PK11Object *object);
|
|
extern void pk11_ReferenceObject(PK11Object *object);
|
|
extern PK11Object *pk11_ObjectFromHandle(CK_OBJECT_HANDLE handle,
|
|
PK11Session *session);
|
|
extern void pk11_AddSlotObject(PK11Slot *slot, PK11Object *object);
|
|
extern void pk11_AddObject(PK11Session *session, PK11Object *object);
|
|
|
|
extern CK_RV pk11_searchObjectList(PK11SearchResults *search,
|
|
PK11Object **head, unsigned int size,
|
|
PZLock *lock, CK_ATTRIBUTE_PTR inTemplate,
|
|
int count, PRBool isLoggedIn);
|
|
extern PK11ObjectListElement *pk11_FreeObjectListElement(
|
|
PK11ObjectListElement *objectList);
|
|
extern void pk11_FreeObjectList(PK11ObjectListElement *objectList);
|
|
extern void pk11_FreeSearch(PK11SearchResults *search);
|
|
extern CK_RV pk11_handleObject(PK11Object *object, PK11Session *session);
|
|
|
|
extern PK11Slot *pk11_SlotFromID(CK_SLOT_ID slotID);
|
|
extern PK11Slot *pk11_SlotFromSessionHandle(CK_SESSION_HANDLE handle);
|
|
extern PK11Session *pk11_SessionFromHandle(CK_SESSION_HANDLE handle);
|
|
extern void pk11_FreeSession(PK11Session *session);
|
|
extern PK11Session *pk11_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify,
|
|
CK_VOID_PTR pApplication, CK_FLAGS flags);
|
|
extern void pk11_update_state(PK11Slot *slot,PK11Session *session);
|
|
extern void pk11_update_all_states(PK11Slot *slot);
|
|
extern void pk11_FreeContext(PK11SessionContext *context);
|
|
extern void pk11_CleanupFreeLists(void);
|
|
|
|
extern NSSLOWKEYPublicKey *pk11_GetPubKey(PK11Object *object,
|
|
CK_KEY_TYPE key_type, CK_RV *crvp);
|
|
extern NSSLOWKEYPrivateKey *pk11_GetPrivKey(PK11Object *object,
|
|
CK_KEY_TYPE key_type, CK_RV *crvp);
|
|
extern void pk11_FormatDESKey(unsigned char *key, int length);
|
|
extern PRBool pk11_CheckDESKey(unsigned char *key);
|
|
extern PRBool pk11_IsWeakKey(unsigned char *key,CK_KEY_TYPE key_type);
|
|
|
|
extern CK_RV secmod_parseParameters(char *param, pk11_parameters *parsed,
|
|
PRBool isFIPS);
|
|
extern void secmod_freeParams(pk11_parameters *params);
|
|
extern char *secmod_getSecmodName(char *params, char **domain,
|
|
char **filename, PRBool *rw);
|
|
extern char ** secmod_ReadPermDB(const char *domain, const char *filename,
|
|
const char *dbname, char *params, PRBool rw);
|
|
extern SECStatus secmod_DeletePermDB(const char *domain, const char *filename,
|
|
const char *dbname, char *args, PRBool rw);
|
|
extern SECStatus secmod_AddPermDB(const char *domain, const char *filename,
|
|
const char *dbname, char *module, PRBool rw);
|
|
extern SECStatus secmod_ReleasePermDBData(const char *domain,
|
|
const char *filename, const char *dbname, char **specList, PRBool rw);
|
|
/* mechanism allows this operation */
|
|
extern CK_RV pk11_MechAllowsOperation(CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE op);
|
|
/*
|
|
* OK there are now lots of options here, lets go through them all:
|
|
*
|
|
* configdir - base directory where all the cert, key, and module datbases live.
|
|
* certPrefix - prefix added to the beginning of the cert database example: "
|
|
* "https-server1-"
|
|
* keyPrefix - prefix added to the beginning of the key database example: "
|
|
* "https-server1-"
|
|
* secmodName - name of the security module database (usually "secmod.db").
|
|
* readOnly - Boolean: true if the databases are to be openned read only.
|
|
* nocertdb - Don't open the cert DB and key DB's, just initialize the
|
|
* Volatile certdb.
|
|
* nomoddb - Don't open the security module DB, just initialize the
|
|
* PKCS #11 module.
|
|
* forceOpen - Continue to force initializations even if the databases cannot
|
|
* be opened.
|
|
*/
|
|
CK_RV pk11_DBInit(const char *configdir, const char *certPrefix,
|
|
const char *keyPrefix, PRBool readOnly, PRBool noCertDB,
|
|
PRBool noKeyDB, PRBool forceOpen,
|
|
NSSLOWCERTCertDBHandle **certDB, NSSLOWKEYDBHandle **keyDB);
|
|
|
|
void pk11_DBShutdown(NSSLOWCERTCertDBHandle *certHandle,
|
|
NSSLOWKEYDBHandle *keyHandle);
|
|
|
|
const char *pk11_EvaluateConfigDir(const char *configdir, char **domain);
|
|
|
|
/*
|
|
* narrow objects
|
|
*/
|
|
PK11SessionObject * pk11_narrowToSessionObject(PK11Object *);
|
|
PK11TokenObject * pk11_narrowToTokenObject(PK11Object *);
|
|
|
|
/*
|
|
* token object utilities
|
|
*/
|
|
void pk11_addHandle(PK11SearchResults *search, CK_OBJECT_HANDLE handle);
|
|
PRBool pk11_poisonHandle(PK11Slot *slot, SECItem *dbkey,
|
|
CK_OBJECT_HANDLE handle);
|
|
PRBool pk11_tokenMatch(PK11Slot *slot, SECItem *dbKey, CK_OBJECT_HANDLE class,
|
|
CK_ATTRIBUTE_PTR theTemplate,int count);
|
|
CK_OBJECT_HANDLE pk11_mkHandle(PK11Slot *slot,
|
|
SECItem *dbKey, CK_OBJECT_HANDLE class);
|
|
PK11Object * pk11_NewTokenObject(PK11Slot *slot, SECItem *dbKey,
|
|
CK_OBJECT_HANDLE handle);
|
|
PK11TokenObject *pk11_convertSessionToToken(PK11Object *so);
|
|
|
|
/****************************************
|
|
* implement TLS Pseudo Random Function (PRF)
|
|
*/
|
|
|
|
extern SECStatus
|
|
pk11_PRF(const SECItem *secret, const char *label, SECItem *seed,
|
|
SECItem *result, PRBool isFIPS);
|
|
|
|
extern CK_RV
|
|
pk11_TLSPRFInit(PK11SessionContext *context,
|
|
PK11Object * key,
|
|
CK_KEY_TYPE key_type);
|
|
|
|
SEC_END_PROTOS
|
|
|
|
#endif /* _PKCS11I_H_ */
|