1 /*
2  * Copyright (c) 1995-2000 Intel Corporation. All rights reserved.
3  */
4 /*
5  * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
6  */
7 
8 #ifndef _KMFTYPES_H
9 #define	_KMFTYPES_H
10 
11 #include <sys/types.h>
12 #include <stdlib.h>
13 #include <strings.h>
14 #include <pthread.h>
15 
16 #include <security/cryptoki.h>
17 
18 #ifdef __cplusplus
19 extern "C" {
20 #endif
21 
/*
 * KMF_BOOL
 * Fixed-width boolean used in the wire-facing structures below so that
 * the struct layout does not depend on the platform's boolean_t/bool size.
 * Only KMF_FALSE and KMF_TRUE are meaningful values.
 */
typedef uint32_t KMF_BOOL;

#define	KMF_FALSE (0)
#define	KMF_TRUE  (1)

/* KMF_HANDLE_T is a pointer to an incomplete C struct for type safety. */
typedef struct _kmf_handle *KMF_HANDLE_T;
29 
30 /*
31  * KMF_DATA
32  * The KMF_DATA structure is used to associate a length, in bytes, with
33  * an arbitrary block of contiguous memory.
34  */
35 typedef struct kmf_data
36 {
37     size_t	Length; /* in bytes */
38     uchar_t	*Data;
39 } KMF_DATA;
40 
/*
 * KMF_BIGINT
 * A length-delimited byte string holding an arbitrary-precision integer
 * (used below for key components and serial numbers).  The byte order is
 * not recorded in this structure; presumably big-endian as in DER
 * INTEGER encodings — confirm against the encoders before relying on it.
 */
typedef struct {
	uchar_t		*val;
	size_t		len;
} KMF_BIGINT;
45 
46 /*
47  * KMF_OID
48  * The object identifier (OID) structure is used to hold a unique identifier for
49  * the atomic data fields and the compound substructure that comprise the fields
50  * of a certificate or CRL.
51  */
52 typedef KMF_DATA KMF_OID;
53 
/*
 * KMF_X509_PRIVATE
 * KMF-internal bookkeeping attached to a DER certificate (see
 * KMF_X509_DER_CERT): which keystore it came from, state flags, and an
 * optional label.  The flag bits are defined inside the struct.
 */
typedef struct kmf_x509_private {
	int	keystore_type;		/* one of the KMF_KEYSTORE_* values */
	int	flags;			/* see below */
	char	*label;			/* may be NULL */
#define	KMF_FLAG_CERT_VALID	1	/* contains valid certificate */
#define	KMF_FLAG_CERT_SIGNED	2	/* this is a signed certificate */
} KMF_X509_PRIVATE;
61 
62 /*
63  * KMF_X509_DER_CERT
64  * This structure associates packed DER certificate data.
65  * Also, it contains the private information internal used
66  * by KMF layer.
67  */
68 typedef struct
69 {
70 	KMF_DATA		certificate;
71 	KMF_X509_PRIVATE	kmf_private;
72 } KMF_X509_DER_CERT;
73 
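/*
 * KMF_KEYSTORE_TYPE
 * Identifies the backend plugin a handle, key or certificate belongs to.
 */
typedef int KMF_KEYSTORE_TYPE;
#define	KMF_KEYSTORE_NSS	1
#define	KMF_KEYSTORE_OPENSSL	2
#define	KMF_KEYSTORE_PK11TOKEN	3

/*
 * VALID_DEFAULT_KEYSTORE_TYPE(t)
 * Non-zero when t is one of the three keystore types above.  The argument
 * is parenthesized so that a compound expression (e.g. a conditional) is
 * evaluated as a whole before the range comparison; t is evaluated twice.
 */
#define	VALID_DEFAULT_KEYSTORE_TYPE(t) (((t) >= KMF_KEYSTORE_NSS) &&\
	((t) <= KMF_KEYSTORE_PK11TOKEN))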
81 
/*
 * KMF_ENCODE_FORMAT
 * On-disk / in-memory encoding of a certificate, key or CRL.
 * KMF_FORMAT_NATIVE aliases KMF_FORMAT_UNDEF, i.e. "whatever the
 * keystore uses by default".
 */
typedef enum {
	KMF_FORMAT_UNDEF =	0,
	KMF_FORMAT_ASN1 =	1,	/* DER */
	KMF_FORMAT_PEM =	2,
	KMF_FORMAT_PKCS12 =	3,
	KMF_FORMAT_RAWKEY =	4,	/* For FindKey operation */
	KMF_FORMAT_PEM_KEYPAIR = 5
} KMF_ENCODE_FORMAT;

#define	KMF_FORMAT_NATIVE KMF_FORMAT_UNDEF
92 
/*
 * KMF_CERT_VALIDITY
 * Filter for certificate searches: all certificates, only those whose
 * validity period has not ended, or only those whose period has ended.
 */
typedef enum {
	KMF_ALL_CERTS =		0,
	KMF_NONEXPIRED_CERTS =	1,
	KMF_EXPIRED_CERTS =	2
} KMF_CERT_VALIDITY;
98 
99 
/*
 * KMF_FLAG_CERT_EXTN
 * Selects which certificate extensions an operation considers, by their
 * X.509 "critical" flag.
 */
typedef enum {
	KMF_ALL_EXTNS =		0,
	KMF_CRITICAL_EXTNS = 	1,
	KMF_NONCRITICAL_EXTNS =	2
} KMF_FLAG_CERT_EXTN;
105 
106 
/*
 * KMF_KU_PURPOSE
 * The intended use a key is being checked against (certificate signing,
 * data signing, or data encryption).
 */
typedef enum {
	KMF_KU_SIGN_CERT	= 0,
	KMF_KU_SIGN_DATA	= 1,
	KMF_KU_ENCRYPT_DATA	= 2
} KMF_KU_PURPOSE;
112 
113 /*
114  * Algorithms
115  * This type defines a set of constants used to identify cryptographic
116  * algorithms.
117  *
118  * When adding new ALGID, be careful not to rearrange existing
119  * values, doing so can cause problem in the STC test suite.
120  */
121 typedef enum {
122 	KMF_ALGID_NONE	= 0,
123 	KMF_ALGID_CUSTOM,
124 	KMF_ALGID_SHA1,
125 	KMF_ALGID_RSA,
126 	KMF_ALGID_DSA,
127 	KMF_ALGID_MD5WithRSA,
128 	KMF_ALGID_MD2WithRSA,
129 	KMF_ALGID_SHA1WithRSA,
130 	KMF_ALGID_SHA1WithDSA,
131 
132 	KMF_ALGID_ECDSA,
133 
134 	KMF_ALGID_SHA256WithRSA,
135 	KMF_ALGID_SHA384WithRSA,
136 	KMF_ALGID_SHA512WithRSA,
137 
138 	KMF_ALGID_SHA256WithDSA,
139 
140 	KMF_ALGID_SHA1WithECDSA,
141 	KMF_ALGID_SHA256WithECDSA,
142 	KMF_ALGID_SHA384WithECDSA,
143 	KMF_ALGID_SHA512WithECDSA
144 } KMF_ALGORITHM_INDEX;
145 
146 /*
147  * Generic credential structure used by other structures below
148  * to convey authentication information to the underlying
149  * mechanisms.
150  */
151 typedef struct {
152 	char *cred;
153 	uint32_t credlen;
154 } KMF_CREDENTIAL;
155 
/*
 * KMF_KEY_ALG
 * Algorithm a key belongs to.  Asymmetric: RSA, DSA, ECDSA.
 * Symmetric: AES, RC4, DES, DES3 and GENERIC_SECRET (an opaque
 * symmetric key with no algorithm binding).  RC4 and single DES
 * are retained for compatibility with existing keystores.
 */
typedef enum {
	KMF_KEYALG_NONE = 0,
	KMF_RSA = 1,
	KMF_DSA = 2,
	KMF_AES = 3,
	KMF_RC4 = 4,
	KMF_DES = 5,
	KMF_DES3 = 6,
	KMF_GENERIC_SECRET = 7,
	KMF_ECDSA = 8
}KMF_KEY_ALG;
167 
/*
 * KMF_KEY_CLASS
 * Whether a key object is the public or private half of an asymmetric
 * pair, or a symmetric key.
 */
typedef enum {
	KMF_KEYCLASS_NONE = 0,
	KMF_ASYM_PUB = 1,	/* public key of an asymmetric keypair */
	KMF_ASYM_PRI = 2,	/* private key of an asymmetric keypair */
	KMF_SYMMETRIC = 3	/* symmetric key */
}KMF_KEY_CLASS;
174 
/*
 * KMF_OBJECT_TYPE
 * Kind of X.509 object being handled: a certificate, a PKCS#10
 * certificate signing request, or a certificate revocation list.
 */
typedef enum {
	KMF_CERT = 0,
	KMF_CSR = 1,
	KMF_CRL = 2
}KMF_OBJECT_TYPE;
180 
/*
 * KMF_RAW_RSA_KEY
 * RSA key components as big-endian-style byte strings (see KMF_BIGINT).
 * mod and pubexp describe the public key; priexp, the two primes, the
 * two CRT exponents and the CRT coefficient are private-key material.
 * For a public-only key the private members are presumably left with
 * val == NULL / len == 0 — confirm against the key-extraction code.
 */
typedef struct {
	KMF_BIGINT	mod;		/* modulus n */
	KMF_BIGINT	pubexp;		/* public exponent e */
	KMF_BIGINT	priexp;		/* private exponent d (secret) */
	KMF_BIGINT	prime1;		/* p (secret) */
	KMF_BIGINT	prime2;		/* q (secret) */
	KMF_BIGINT	exp1;		/* d mod (p-1) (secret) */
	KMF_BIGINT	exp2;		/* d mod (q-1) (secret) */
	KMF_BIGINT	coef;		/* q^-1 mod p (secret) */
} KMF_RAW_RSA_KEY;
191 
/*
 * KMF_RAW_DSA_KEY
 * DSA domain parameters (prime p, subprime q, base g) together with the
 * private value x and the public value y.  `value` is the secret member.
 */
typedef struct {
	KMF_BIGINT	prime;
	KMF_BIGINT	subprime;
	KMF_BIGINT	base;
	KMF_BIGINT	value;		/* private key x (secret) */
	KMF_BIGINT	pubvalue;	/* public key y */
} KMF_RAW_DSA_KEY;
199 
/*
 * KMF_RAW_SYM_KEY
 * Raw bytes of a symmetric key (secret); keydata.len is the key length.
 */
typedef struct {
	KMF_BIGINT	keydata;
} KMF_RAW_SYM_KEY;
203 
/*
 * KMF_RAW_EC_KEY
 * An EC key: the key value plus the OID naming the curve (the ECC
 * curve OIDs are declared as KMFOID_ECC_* at the end of this header).
 */
typedef struct {
	KMF_BIGINT	value;
	KMF_OID		params;		/* curve OID */
} KMF_RAW_EC_KEY;
208 
/*
 * KMF_RAW_KEY_DATA
 * A key that has been extracted out of a keystore into plain memory.
 * Which member of rawdata is valid is selected by keytype (presumably
 * KMF_RSA -> rsa, KMF_DSA -> dsa, KMF_ECDSA -> ec, the symmetric
 * algorithms -> sym — confirm against the code that fills it in).
 * sensitive and not_extractable mirror the PKCS#11 attributes of the
 * source object; a key marked sensitive should not be left in memory
 * longer than necessary.
 */
typedef struct {
	KMF_KEY_ALG	keytype;
	boolean_t	sensitive;
	boolean_t	not_extractable;
	union {
		KMF_RAW_RSA_KEY	rsa;
		KMF_RAW_DSA_KEY	dsa;
		KMF_RAW_SYM_KEY	sym;
		KMF_RAW_EC_KEY  ec;
	}rawdata;
	char *label;		/* may be NULL */
	KMF_DATA id;		/* keystore-assigned identifier, may be empty */
} KMF_RAW_KEY_DATA;
222 
/*
 * KMF_KEY_HANDLE
 * A reference to a key living in a keystore.  keyp is opaque and its
 * meaning depends on kstype (the owning plugin interprets it); israw
 * marks a handle whose keyp presumably points at a KMF_RAW_KEY_DATA
 * rather than a plugin object — confirm against the plugin code.
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	KMF_KEY_ALG		keyalg;
	KMF_KEY_CLASS		keyclass;
	boolean_t		israw;
	char			*keylabel;	/* may be NULL */
	void			*keyp;		/* plugin-specific, never dereference generically */
} KMF_KEY_HANDLE;
231 
/*
 * KMF_ERROR
 * Plugin-level error detail: the keystore that reported it and that
 * keystore's own (non-KMF_RETURN) error code.
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	uint32_t		errcode;
} KMF_ERROR;
236 
237 /*
238  * Typenames to use with subjectAltName
239  */
240 typedef enum {
241 	GENNAME_OTHERNAME	= 0x00,
242 	GENNAME_RFC822NAME,
243 	GENNAME_DNSNAME,
244 	GENNAME_X400ADDRESS,
245 	GENNAME_DIRECTORYNAME,
246 	GENNAME_EDIPARTYNAME,
247 	GENNAME_URI,
248 	GENNAME_IPADDRESS,
249 	GENNAME_REGISTEREDID,
250 	GENNAME_KRB5PRINC,
251 	GENNAME_SCLOGON_UPN
252 } KMF_GENERALNAMECHOICES;
253 
254 /*
255  * KMF_FIELD
256  * This structure contains the OID/value pair for any item that can be
257  * identified by an OID.
258  */
259 typedef struct
260 {
261 	KMF_OID		FieldOid;
262 	KMF_DATA	FieldValue;
263 } KMF_FIELD;
264 
/*
 * KMF_RETURN
 * Status codes returned by every KMF API.  KMF_OK is zero; all other
 * values are failures.  The numeric values are part of the public ABI
 * (they are mapped to message strings and seen by callers), so existing
 * entries must never be renumbered.  The ranges 0x08-0x0a, 0x0e-0x0f
 * and 0x5a-0x5f are currently unused.
 */
typedef enum {
	KMF_OK			= 0x00,
	KMF_ERR_BAD_PARAMETER	= 0x01,
	KMF_ERR_BAD_KEY_FORMAT	= 0x02,
	KMF_ERR_BAD_ALGORITHM	= 0x03,
	KMF_ERR_MEMORY		= 0x04,
	KMF_ERR_ENCODING	= 0x05,
	KMF_ERR_PLUGIN_INIT	= 0x06,
	KMF_ERR_PLUGIN_NOTFOUND	= 0x07,
	KMF_ERR_INTERNAL	= 0x0b,
	KMF_ERR_BAD_CERT_FORMAT	= 0x0c,
	KMF_ERR_KEYGEN_FAILED	= 0x0d,
	KMF_ERR_UNINITIALIZED	= 0x10,
	KMF_ERR_ISSUER		= 0x11,
	KMF_ERR_NOT_REVOKED	= 0x12,
	KMF_ERR_CERT_NOT_FOUND	= 0x13,
	KMF_ERR_CRL_NOT_FOUND	= 0x14,
	KMF_ERR_RDN_PARSER	= 0x15,
	KMF_ERR_RDN_ATTR	= 0x16,
	KMF_ERR_SLOTNAME	= 0x17,
	KMF_ERR_EMPTY_CRL	= 0x18,
	KMF_ERR_BUFFER_SIZE	= 0x19,
	KMF_ERR_AUTH_FAILED	= 0x1a,
	KMF_ERR_TOKEN_SELECTED	= 0x1b,
	KMF_ERR_NO_TOKEN_SELECTED	= 0x1c,
	KMF_ERR_TOKEN_NOT_PRESENT	= 0x1d,
	KMF_ERR_EXTENSION_NOT_FOUND	= 0x1e,
	KMF_ERR_POLICY_ENGINE		= 0x1f,
	KMF_ERR_POLICY_DB_FORMAT	= 0x20,
	KMF_ERR_POLICY_NOT_FOUND	= 0x21,
	KMF_ERR_POLICY_DB_FILE		= 0x22,
	KMF_ERR_POLICY_NAME		= 0x23,
	KMF_ERR_OCSP_POLICY		= 0x24,
	KMF_ERR_TA_POLICY		= 0x25,
	KMF_ERR_KEY_NOT_FOUND		= 0x26,
	KMF_ERR_OPEN_FILE		= 0x27,
	KMF_ERR_OCSP_BAD_ISSUER		= 0x28,
	KMF_ERR_OCSP_BAD_CERT		= 0x29,
	KMF_ERR_OCSP_CREATE_REQUEST	= 0x2a,
	KMF_ERR_CONNECT_SERVER		= 0x2b,
	KMF_ERR_SEND_REQUEST		= 0x2c,
	KMF_ERR_OCSP_CERTID		= 0x2d,
	KMF_ERR_OCSP_MALFORMED_RESPONSE	= 0x2e,
	KMF_ERR_OCSP_RESPONSE_STATUS	= 0x2f,
	KMF_ERR_OCSP_NO_BASIC_RESPONSE	= 0x30,
	KMF_ERR_OCSP_BAD_SIGNER		= 0x31,

	KMF_ERR_OCSP_RESPONSE_SIGNATURE	= 0x32,
	KMF_ERR_OCSP_UNKNOWN_CERT	= 0x33,
	KMF_ERR_OCSP_STATUS_TIME_INVALID	= 0x34,
	KMF_ERR_BAD_HTTP_RESPONSE	= 0x35,
	KMF_ERR_RECV_RESPONSE		= 0x36,
	KMF_ERR_RECV_TIMEOUT		= 0x37,
	KMF_ERR_DUPLICATE_KEYFILE	= 0x38,
	KMF_ERR_AMBIGUOUS_PATHNAME	= 0x39,
	KMF_ERR_FUNCTION_NOT_FOUND	= 0x3a,
	KMF_ERR_PKCS12_FORMAT		= 0x3b,
	KMF_ERR_BAD_KEY_TYPE		= 0x3c,
	KMF_ERR_BAD_KEY_CLASS		= 0x3d,
	KMF_ERR_BAD_KEY_SIZE		= 0x3e,
	KMF_ERR_BAD_HEX_STRING		= 0x3f,
	KMF_ERR_KEYUSAGE		= 0x40,
	KMF_ERR_VALIDITY_PERIOD		= 0x41,
	KMF_ERR_OCSP_REVOKED		= 0x42,
	KMF_ERR_CERT_MULTIPLE_FOUND	= 0x43,
	KMF_ERR_WRITE_FILE		= 0x44,
	KMF_ERR_BAD_URI			= 0x45,
	KMF_ERR_BAD_CRLFILE		= 0x46,
	KMF_ERR_BAD_CERTFILE		= 0x47,
	KMF_ERR_GETKEYVALUE_FAILED	= 0x48,
	KMF_ERR_BAD_KEYHANDLE		= 0x49,
	KMF_ERR_BAD_OBJECT_TYPE		= 0x4a,
	KMF_ERR_OCSP_RESPONSE_LIFETIME	= 0x4b,
	KMF_ERR_UNKNOWN_CSR_ATTRIBUTE	= 0x4c,
	KMF_ERR_UNINITIALIZED_TOKEN	= 0x4d,
	KMF_ERR_INCOMPLETE_TBS_CERT	= 0x4e,
	KMF_ERR_MISSING_ERRCODE		= 0x4f,
	KMF_KEYSTORE_ALREADY_INITIALIZED = 0x50,
	KMF_ERR_SENSITIVE_KEY		= 0x51,
	KMF_ERR_UNEXTRACTABLE_KEY	= 0x52,
	KMF_ERR_KEY_MISMATCH		= 0x53,
	KMF_ERR_ATTR_NOT_FOUND		= 0x54,
	KMF_ERR_KMF_CONF		= 0x55,
	KMF_ERR_NAME_NOT_MATCHED	= 0x56,
	KMF_ERR_MAPPER_OPEN		= 0x57,
	KMF_ERR_MAPPER_NOT_FOUND	= 0x58,
	KMF_ERR_MAPPING_FAILED		= 0x59,
	KMF_ERR_CERT_VALIDATION		= 0x60	/* note: 0x5a-0x5f unused */
} KMF_RETURN;
354 
/* Data structures for OCSP support */

/*
 * KMF_OCSP_CERT_STATUS
 * CertStatus from an OCSP SingleResponse.  OCSP_UNKNOWN means the
 * responder has no information about the certificate; it is not a
 * "good" answer and policy should decide whether to accept it.
 */
typedef enum {
	OCSP_GOOD	= 0,
	OCSP_REVOKED	= 1,
	OCSP_UNKNOWN	= 2
} KMF_OCSP_CERT_STATUS;
361 
/*
 * KMF_OCSP_RESPONSE_STATUS
 * OCSPResponseStatus of the outer OCSP response.  Only OCSP_SUCCESS
 * carries a BasicOCSPResponse with certificate status inside; all other
 * values mean no status was obtained.
 */
typedef enum {
	OCSP_SUCCESS 		= 0,
	OCSP_MALFORMED_REQUEST	= 1,
	OCSP_INTERNAL_ERROR	= 2,
	OCSP_TRYLATER		= 3,
	OCSP_SIGREQUIRED	= 4,
	OCSP_UNAUTHORIZED	= 5
} KMF_OCSP_RESPONSE_STATUS;
370 
/*
 * KMF_OCSP_REVOKED_STATUS
 * CRLReason reported for a revoked certificate; OCSP_NOSTATUS (-1) is
 * the KMF-local value for "no reason given".  OCSP_CERTIFICATEHOLD is a
 * temporary suspension and OCSP_REMOVEFROMCRL lifts it; the rest are
 * permanent.  (OCSP_SUPERCEDED keeps its historical spelling.)
 */
typedef enum {
	OCSP_NOSTATUS		= -1,
	OCSP_UNSPECIFIED	= 0,
	OCSP_KEYCOMPROMISE	= 1,
	OCSP_CACOMPROMISE	= 2,
	OCSP_AFFILIATIONCHANGE	= 3,
	OCSP_SUPERCEDED		= 4,
	OCSP_CESSATIONOFOPERATION = 5,
	OCSP_CERTIFICATEHOLD	= 6,
	OCSP_REMOVEFROMCRL	= 7
} KMF_OCSP_REVOKED_STATUS;
382 
/*
 * KMF_PRINTABLE_ITEM
 * Selects a single certificate field or extension to be rendered as
 * text.  Values start at 1, so 0 is never a valid item.
 */
typedef enum {
	KMF_CERT_ISSUER		= 1,
	KMF_CERT_SUBJECT,
	KMF_CERT_VERSION,
	KMF_CERT_SERIALNUM,
	KMF_CERT_NOTBEFORE,
	KMF_CERT_NOTAFTER,
	KMF_CERT_PUBKEY_ALG,
	KMF_CERT_SIGNATURE_ALG,
	KMF_CERT_EMAIL,
	KMF_CERT_PUBKEY_DATA,
	KMF_X509_EXT_PRIV_KEY_USAGE_PERIOD,
	KMF_X509_EXT_CERT_POLICIES,
	KMF_X509_EXT_SUBJ_ALTNAME,
	KMF_X509_EXT_ISSUER_ALTNAME,
	KMF_X509_EXT_BASIC_CONSTRAINTS,
	KMF_X509_EXT_NAME_CONSTRAINTS,
	KMF_X509_EXT_POLICY_CONSTRAINTS,
	KMF_X509_EXT_EXT_KEY_USAGE,
	KMF_X509_EXT_INHIBIT_ANY_POLICY,
	KMF_X509_EXT_AUTH_KEY_ID,
	KMF_X509_EXT_SUBJ_KEY_ID,
	KMF_X509_EXT_POLICY_MAPPINGS,
	KMF_X509_EXT_CRL_DIST_POINTS,
	KMF_X509_EXT_FRESHEST_CRL,
	KMF_X509_EXT_KEY_USAGE
} KMF_PRINTABLE_ITEM;
410 
411 /*
412  * KMF_X509_ALGORITHM_IDENTIFIER
413  * This structure holds an object identifier naming a
414  * cryptographic algorithm and an optional set of
415  * parameters to be used as input to that algorithm.
416  */
417 typedef struct
418 {
419 	KMF_OID algorithm;
420 	KMF_DATA parameters;
421 } KMF_X509_ALGORITHM_IDENTIFIER;
422 
423 /*
424  * KMF_X509_TYPE_VALUE_PAIR
425  * This structure contain an type-value pair.
426  */
427 typedef struct
428 {
429 	KMF_OID type;
430 	uint8_t valueType; /* The Tag to use when BER encoded */
431 	KMF_DATA value;
432 } KMF_X509_TYPE_VALUE_PAIR;
433 
434 
435 /*
436  * KMF_X509_RDN
437  * This structure contains a Relative Distinguished Name
438  * composed of an ordered set of type-value pairs.
439  */
440 typedef struct
441 {
442 	uint32_t			numberOfPairs;
443 	KMF_X509_TYPE_VALUE_PAIR	*AttributeTypeAndValue;
444 } KMF_X509_RDN;
445 
446 /*
447  * KMF_X509_NAME
448  * This structure contains a set of Relative Distinguished Names.
449  */
450 typedef struct
451 {
452 	uint32_t numberOfRDNs;
453 	KMF_X509_RDN	*RelativeDistinguishedName;
454 } KMF_X509_NAME;
455 
456 /*
457  * KMF_X509_SPKI
458  * This structure contains the public key and the
459  * description of the verification algorithm
460  * appropriate for use with this key.
461  */
462 typedef struct
463 {
464 	KMF_X509_ALGORITHM_IDENTIFIER algorithm;
465 	KMF_DATA subjectPublicKey;
466 } KMF_X509_SPKI;
467 
468 /*
469  * KMF_X509_TIME
470  * Time is represented as a string according to the
471  * definitions of GeneralizedTime and UTCTime
472  * defined in RFC 2459.
473  */
474 typedef struct
475 {
476 	uint8_t timeType;
477 	KMF_DATA time;
478 } KMF_X509_TIME;
479 
480 /*
481  * KMF_X509_VALIDITY
482  */
483 typedef struct
484 {
485 	KMF_X509_TIME notBefore;
486 	KMF_X509_TIME notAfter;
487 } KMF_X509_VALIDITY;
488 
489 /*
490  *   KMF_X509EXT_BASICCONSTRAINTS
491  */
492 typedef struct
493 {
494 	KMF_BOOL cA;
495 	KMF_BOOL pathLenConstraintPresent;
496 	uint32_t pathLenConstraint;
497 } KMF_X509EXT_BASICCONSTRAINTS;
498 
499 /*
500  * KMF_X509EXT_DATA_FORMAT
501  * This list defines the valid formats for a certificate extension.
502  */
503 typedef enum
504 {
505 	KMF_X509_DATAFORMAT_ENCODED = 0,
506 	KMF_X509_DATAFORMAT_PARSED,
507 	KMF_X509_DATAFORMAT_PAIR
508 } KMF_X509EXT_DATA_FORMAT;
509 
510 
511 /*
512  * KMF_X509EXT_TAGandVALUE
513  * This structure contains a BER/DER encoded
514  * extension value and the type of that value.
515  */
516 typedef struct
517 {
518 	uint8_t type;
519 	KMF_DATA value;
520 } KMF_X509EXT_TAGandVALUE;
521 
522 
523 /*
524  * KMF_X509EXT_PAIR
525  * This structure aggregates two extension representations:
526  * a tag and value, and a parsed X509 extension representation.
527  */
528 typedef struct
529 {
530 	KMF_X509EXT_TAGandVALUE tagAndValue;
531 	void *parsedValue;
532 } KMF_X509EXT_PAIR;
533 
534 /*
535  * KMF_X509_EXTENSION
536  * This structure contains a complete certificate extension.
537  */
538 typedef struct
539 {
540 	KMF_OID extnId;
541 	KMF_BOOL critical;
542 	KMF_X509EXT_DATA_FORMAT format;
543 	union
544 	{
545 		KMF_X509EXT_TAGandVALUE *tagAndValue;
546 		void *parsedValue;
547 		KMF_X509EXT_PAIR *valuePair;
548 	} value;
549 	KMF_DATA BERvalue;
550 } KMF_X509_EXTENSION;
551 
552 
553 /*
554  * KMF_X509_EXTENSIONS
555  * This structure contains the set of all certificate
556  * extensions contained in a certificate.
557  */
558 typedef struct
559 {
560 	uint32_t numberOfExtensions;
561 	KMF_X509_EXTENSION *extensions;
562 } KMF_X509_EXTENSIONS;
563 
564 /*
565  * KMF_X509_TBS_CERT
566  * This structure contains a complete X.509 certificate.
567  */
568 typedef struct
569 {
570 	KMF_DATA version;
571 	KMF_BIGINT serialNumber;
572 	KMF_X509_ALGORITHM_IDENTIFIER signature;
573 	KMF_X509_NAME issuer;
574 	KMF_X509_VALIDITY validity;
575 	KMF_X509_NAME subject;
576 	KMF_X509_SPKI subjectPublicKeyInfo;
577 	KMF_DATA issuerUniqueIdentifier;
578 	KMF_DATA subjectUniqueIdentifier;
579 	KMF_X509_EXTENSIONS extensions;
580 } KMF_X509_TBS_CERT;
581 
582 /*
583  * KMF_X509_SIGNATURE
584  * This structure contains a cryptographic digital signature.
585  */
586 typedef struct
587 {
588 	KMF_X509_ALGORITHM_IDENTIFIER algorithmIdentifier;
589 	KMF_DATA encrypted;
590 } KMF_X509_SIGNATURE;
591 
592 /*
593  * KMF_X509_CERTIFICATE
594  * This structure associates a set of decoded certificate
595  * values with the signature covering those values.
596  */
597 typedef struct
598 {
599 	KMF_X509_TBS_CERT certificate;
600 	KMF_X509_SIGNATURE signature;
601 } KMF_X509_CERTIFICATE;
602 
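/*
 * CERT_ALG_OID(c) / CERT_SIG_OID(c)
 * Given a KMF_X509_CERTIFICATE *c, yield a KMF_OID * for, respectively,
 * the signature algorithm recorded inside the TBS certificate and the
 * one on the outer signature.  X.509 requires the two to agree; a
 * verifier should treat a mismatch as a malformed certificate.
 * The argument and the expansion are parenthesized so that a pointer
 * expression such as `certs + i` is dereferenced as a whole.
 */
#define	CERT_ALG_OID(c) (&(c)->certificate.signature.algorithm)
#define	CERT_SIG_OID(c) (&(c)->signature.algorithmIdentifier.algorithm)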
605 
606 /*
607  * KMF_TBS_CSR
608  * This structure contains a complete PKCS#10 certificate request
609  */
610 typedef struct
611 {
612 	KMF_DATA version;
613 	KMF_X509_NAME subject;
614 	KMF_X509_SPKI subjectPublicKeyInfo;
615 	KMF_X509_EXTENSIONS extensions;
616 } KMF_TBS_CSR;
617 
618 /*
619  * KMF_CSR_DATA
620  * This structure contains a complete PKCS#10 certificate signed request
621  */
622 typedef struct
623 {
624 	KMF_TBS_CSR csr;
625 	KMF_X509_SIGNATURE signature;
626 } KMF_CSR_DATA;
627 
628 /*
629  * KMF_X509EXT_POLICYQUALIFIERINFO
630  */
631 typedef struct
632 {
633 	KMF_OID policyQualifierId;
634 	KMF_DATA value;
635 } KMF_X509EXT_POLICYQUALIFIERINFO;
636 
637 /*
638  * KMF_X509EXT_POLICYQUALIFIERS
639  */
640 typedef struct
641 {
642 	uint32_t numberOfPolicyQualifiers;
643 	KMF_X509EXT_POLICYQUALIFIERINFO *policyQualifier;
644 } KMF_X509EXT_POLICYQUALIFIERS;
645 
646 /*
647  * KMF_X509EXT_POLICYINFO
648  */
649 typedef struct
650 {
651 	KMF_OID policyIdentifier;
652 	KMF_X509EXT_POLICYQUALIFIERS policyQualifiers;
653 } KMF_X509EXT_POLICYINFO;
654 
/*
 * KMF_X509EXT_CERT_POLICIES
 * Decoded CertificatePolicies extension: numberOfPolicyInfo entries.
 */
typedef struct
{
	uint32_t numberOfPolicyInfo;
	KMF_X509EXT_POLICYINFO *policyInfo;
} KMF_X509EXT_CERT_POLICIES;
660 
/*
 * KMF_X509EXT_KEY_USAGE
 * Decoded KeyUsage extension.  KeyUsageBits holds the KeyUsage BIT
 * STRING; the bit-to-flag assignment is not defined in this header —
 * confirm against the decoder before testing individual bits.
 */
typedef struct
{
	uchar_t critical;
	uint16_t KeyUsageBits;
} KMF_X509EXT_KEY_USAGE;
666 
/*
 * KMF_X509EXT_EKU
 * Decoded ExtendedKeyUsage extension: nEKUs key-purpose OIDs in
 * keyPurposeIdList (see the OID_PKIX_KP_* macros below).
 */
typedef struct
{
	uchar_t		critical;
	uint16_t	nEKUs;
	KMF_OID	*keyPurposeIdList;
} KMF_X509EXT_EKU;
673 
674 
675 /*
676  * X509 AuthorityInfoAccess extension
677  */
678 typedef struct
679 {
680 	KMF_OID AccessMethod;
681 	KMF_DATA AccessLocation;
682 } KMF_X509EXT_ACCESSDESC;
683 
684 typedef struct
685 {
686 	uint32_t numberOfAccessDescription;
687 	KMF_X509EXT_ACCESSDESC *AccessDesc;
688 } KMF_X509EXT_AUTHINFOACCESS;
689 
690 
691 /*
692  * X509 Crl Distribution Point extension
693  */
694 typedef struct {
695 	KMF_GENERALNAMECHOICES	choice;
696 	KMF_DATA		name;
697 } KMF_GENERALNAME;
698 
699 typedef struct {
700 	uint32_t	number;
701 	KMF_GENERALNAME *namelist;
702 } KMF_GENERALNAMES;
703 
704 typedef enum  {
705 	DP_GENERAL_NAME = 1,
706 	DP_RELATIVE_NAME = 2
707 } KMF_CRL_DIST_POINT_TYPE;
708 
709 typedef struct {
710 	KMF_CRL_DIST_POINT_TYPE type;
711 	union {
712 		KMF_GENERALNAMES full_name;
713 		KMF_DATA relative_name;
714 	} name;
715 	KMF_DATA reasons;
716 	KMF_GENERALNAMES crl_issuer;
717 } KMF_CRL_DIST_POINT;
718 
719 typedef struct {
720 	uint32_t number;
721 	KMF_CRL_DIST_POINT *dplist;
722 } KMF_X509EXT_CRLDISTPOINTS;
723 
/*
 * KMF_ATTR_TYPE
 * Tags for the typed attribute list (KMF_ATTRIBUTE) that the KMF API
 * functions take instead of fixed argument lists.  Each tag implies
 * the C type that the attribute's pValue points at (e.g. *_BOOL_ATTR
 * -> boolean_t, *_DATA_ATTR -> KMF_DATA); that mapping is enforced by
 * the library's attribute helpers, not by this enum.  Values are
 * implicit and in declaration order, so append new tags at the end.
 */
typedef enum {
	KMF_DATA_ATTR,
	KMF_OID_ATTR,
	KMF_BIGINT_ATTR,
	KMF_X509_DER_CERT_ATTR,
	KMF_KEYSTORE_TYPE_ATTR,
	KMF_ENCODE_FORMAT_ATTR,
	KMF_CERT_VALIDITY_ATTR,
	KMF_KU_PURPOSE_ATTR,
	KMF_ALGORITHM_INDEX_ATTR,
	KMF_TOKEN_LABEL_ATTR,
	KMF_READONLY_ATTR,
	KMF_DIRPATH_ATTR,
	KMF_CERTPREFIX_ATTR,
	KMF_KEYPREFIX_ATTR,
	KMF_SECMODNAME_ATTR,
	KMF_CREDENTIAL_ATTR,
	KMF_TRUSTFLAG_ATTR,
	KMF_CRL_FILENAME_ATTR,
	KMF_CRL_CHECK_ATTR,
	KMF_CRL_DATA_ATTR,
	KMF_CRL_SUBJECT_ATTR,
	KMF_CRL_ISSUER_ATTR,
	KMF_CRL_NAMELIST_ATTR,
	KMF_CRL_COUNT_ATTR,
	KMF_CRL_OUTFILE_ATTR,
	KMF_CERT_LABEL_ATTR,
	KMF_SUBJECT_NAME_ATTR,
	KMF_ISSUER_NAME_ATTR,
	KMF_CERT_FILENAME_ATTR,
	KMF_KEY_FILENAME_ATTR,
	KMF_OUTPUT_FILENAME_ATTR,
	KMF_IDSTR_ATTR,
	KMF_CERT_DATA_ATTR,
	KMF_OCSP_RESPONSE_DATA_ATTR,
	KMF_OCSP_RESPONSE_STATUS_ATTR,
	KMF_OCSP_RESPONSE_REASON_ATTR,
	KMF_OCSP_RESPONSE_CERT_STATUS_ATTR,
	KMF_OCSP_REQUEST_FILENAME_ATTR,
	KMF_KEYALG_ATTR,
	KMF_KEYCLASS_ATTR,
	KMF_KEYLABEL_ATTR,
	KMF_KEYLENGTH_ATTR,
	KMF_RSAEXP_ATTR,
	KMF_TACERT_DATA_ATTR,
	KMF_SLOT_ID_ATTR,
	KMF_PK12CRED_ATTR,
	KMF_ISSUER_CERT_DATA_ATTR,
	KMF_USER_CERT_DATA_ATTR,
	KMF_SIGNER_CERT_DATA_ATTR,
	KMF_IGNORE_RESPONSE_SIGN_ATTR,	/* skips OCSP response signature checking; use with care */
	KMF_RESPONSE_LIFETIME_ATTR,
	KMF_KEY_HANDLE_ATTR,
	KMF_PRIVKEY_HANDLE_ATTR,
	KMF_PUBKEY_HANDLE_ATTR,
	KMF_ERROR_ATTR,
	KMF_X509_NAME_ATTR,
	KMF_X509_SPKI_ATTR,
	KMF_X509_CERTIFICATE_ATTR,
	KMF_RAW_KEY_ATTR,
	KMF_CSR_DATA_ATTR,
	KMF_GENERALNAMECHOICES_ATTR,
	KMF_STOREKEY_BOOL_ATTR,
	KMF_SENSITIVE_BOOL_ATTR,
	KMF_NON_EXTRACTABLE_BOOL_ATTR,
	KMF_TOKEN_BOOL_ATTR,
	KMF_PRIVATE_BOOL_ATTR,
	KMF_NEWPIN_ATTR,
	KMF_IN_SIGN_ATTR,
	KMF_OUT_DATA_ATTR,
	KMF_COUNT_ATTR,
	KMF_DESTROY_BOOL_ATTR,
	KMF_TBS_CERT_DATA_ATTR,
	KMF_PLAINTEXT_DATA_ATTR,
	KMF_CIPHERTEXT_DATA_ATTR,
	KMF_VALIDATE_RESULT_ATTR,
	KMF_KEY_DATA_ATTR,
	KMF_PK11_USER_TYPE_ATTR,
	KMF_ECC_CURVE_OID_ATTR,
	KMF_MAPPER_NAME_ATTR,
	KMF_MAPPER_PATH_ATTR,
	KMF_MAPPER_OPTIONS_ATTR
} KMF_ATTR_TYPE;
807 
/*
 * KMF_ATTRIBUTE
 * One element of a KMF attribute list.  pValue is untyped; its real
 * type is implied by `type` and valueLen is the size of what it points
 * at.  Code consuming a list must check valueLen against the size the
 * tag implies before dereferencing pValue, since the list is built by
 * the caller.
 */
typedef struct {
	KMF_ATTR_TYPE	type;
	void		*pValue;
	uint32_t	valueLen;
} KMF_ATTRIBUTE;
813 
814 /*
815  * Definitions for common X.509v3 certificate attribute OIDs
816  */
817 #define	OID_ISO_MEMBER	42	/* Also in PKCS */
818 #define	OID_US	OID_ISO_MEMBER, 134, 72 /* Also in PKCS */
819 #define	OID_CA	OID_ISO_MEMBER, 124
820 
821 #define	OID_ISO_IDENTIFIED_ORG 43
822 #define	OID_OSINET	OID_ISO_IDENTIFIED_ORG, 4
823 #define	OID_GOSIP	OID_ISO_IDENTIFIED_ORG, 5
824 #define	OID_DOD	OID_ISO_IDENTIFIED_ORG, 6
825 #define	OID_OIW	OID_ISO_IDENTIFIED_ORG, 14 /* Also in x9.57 */
826 
827 #define	OID_ISO_CCITT_DIR_SERVICE 85
828 #define	OID_ISO_CCITT_COUNTRY	96
829 #define	OID_COUNTRY_US	OID_ISO_CCITT_COUNTRY, 134, 72
830 #define	OID_COUNTRY_CA	OID_ISO_CCITT_COUNTRY, 124
831 #define	OID_COUNTRY_US_ORG	OID_COUNTRY_US, 1
832 #define	OID_COUNTRY_US_MHS_MD	OID_COUNTRY_US, 2
833 #define	OID_COUNTRY_US_STATE	OID_COUNTRY_US, 3
834 
/* From the PKCS Standards */
/*
 * OID_RSA is {iso(1) member-body(2) us(840) rsadsi(113549)}; 134, 247, 13
 * is the multi-byte encoding of 113549.  The PKCS#12 PBE and bag-type
 * OIDs below identify legacy password-based ciphers (RC4, RC2, 3DES)
 * found in existing PKCS#12 files; they are listed for recognition,
 * not as a recommendation.
 */
#define	OID_ISO_MEMBER_LENGTH 1
#define	OID_US_LENGTH	(OID_ISO_MEMBER_LENGTH + 2)

#define	OID_RSA	OID_US, 134, 247, 13
#define	OID_RSA_LENGTH	(OID_US_LENGTH + 3)

#define	OID_RSA_HASH	OID_RSA, 2
#define	OID_RSA_HASH_LENGTH   (OID_RSA_LENGTH + 1)

#define	OID_RSA_ENCRYPT	OID_RSA, 3
#define	OID_RSA_ENCRYPT_LENGTH (OID_RSA_LENGTH + 1)

#define	OID_PKCS	OID_RSA, 1
#define	OID_PKCS_LENGTH	(OID_RSA_LENGTH + 1)

#define	OID_PKCS_1	OID_PKCS, 1
#define	OID_PKCS_1_LENGTH	(OID_PKCS_LENGTH + 1)

#define	OID_PKCS_2	OID_PKCS, 2
#define	OID_PKCS_3	OID_PKCS, 3
#define	OID_PKCS_3_LENGTH	(OID_PKCS_LENGTH + 1)

#define	OID_PKCS_4	OID_PKCS, 4
#define	OID_PKCS_5	OID_PKCS, 5
#define	OID_PKCS_5_LENGTH	(OID_PKCS_LENGTH + 1)
#define	OID_PKCS_6	OID_PKCS, 6
#define	OID_PKCS_7	OID_PKCS, 7
#define	OID_PKCS_7_LENGTH	(OID_PKCS_LENGTH + 1)

/* PKCS#7 content types; each is OID_PKCS_7_LENGTH + 1 bytes long */
#define	OID_PKCS_7_Data			OID_PKCS_7, 1
#define	OID_PKCS_7_SignedData		OID_PKCS_7, 2
#define	OID_PKCS_7_EnvelopedData	OID_PKCS_7, 3
#define	OID_PKCS_7_SignedAndEnvelopedData	OID_PKCS_7, 4
#define	OID_PKCS_7_DigestedData		OID_PKCS_7, 5
#define	OID_PKCS_7_EncryptedData	OID_PKCS_7, 6

#define	OID_PKCS_8	OID_PKCS, 8
#define	OID_PKCS_9	OID_PKCS, 9
#define	OID_PKCS_9_LENGTH	(OID_PKCS_LENGTH + 1)

/* PKCS#9 attribute types; each is OID_PKCS_9_LENGTH + 1 bytes long */
#define	OID_PKCS_9_CONTENT_TYPE		OID_PKCS_9, 3
#define	OID_PKCS_9_MESSAGE_DIGEST	OID_PKCS_9, 4
#define	OID_PKCS_9_SIGNING_TIME		OID_PKCS_9, 5
#define	OID_PKCS_9_COUNTER_SIGNATURE	OID_PKCS_9, 6
#define	OID_PKCS_9_EXTENSION_REQUEST	OID_PKCS_9, 14

#define	OID_PKCS_10	OID_PKCS, 10

#define	OID_PKCS_12	OID_PKCS, 12
#define	OID_PKCS_12_LENGTH	(OID_PKCS_LENGTH + 1)

/* PKCS#12 PBE algorithm identifiers (pkcs-12PbeIds); legacy ciphers */
#define	PBEWithSHAAnd128BitRC4	OID_PKCS_12, 1, 1
#define	PBEWithSHAAnd40BitRC4	OID_PKCS_12, 1, 2
#define	PBEWithSHAAnd3KeyTripleDES_CBC	OID_PKCS_12, 1, 3
#define	PBEWithSHAAnd2KeyTripleDES_CBC	OID_PKCS_12, 1, 4
#define	PBEWithSHAAnd128BitRC2_CBC	OID_PKCS_12, 1, 5
#define	PBEWithSHAAnd40BitRC2_CBC	OID_PKCS_12, 1, 6

/* PKCS#12 SafeBag types */
#define	OID_BAG_TYPES		OID_PKCS_12, 10, 1
#define	OID_KeyBag		OID_BAG_TYPES, 1
#define	OID_PKCS8ShroudedKeyBag	OID_BAG_TYPES, 2
#define	OID_CertBag		OID_BAG_TYPES, 3
#define	OID_CrlBag		OID_BAG_TYPES, 4
#define	OID_SecretBag		OID_BAG_TYPES, 5
#define	OID_SafeContentsBag	OID_BAG_TYPES, 6

#define	OID_ContentInfo		OID_PKCS_7, 0, 1

/* certificate / CRL types carried inside CertBag and CrlBag */
#define	OID_CERT_TYPES		OID_PKCS_9, 22
#define	OID_x509Certificate	OID_CERT_TYPES, 1
#define	OID_sdsiCertificate	OID_CERT_TYPES, 2

#define	OID_CRL_TYPES		OID_PKCS_9, 23
#define	OID_x509Crl		OID_CRL_TYPES, 1
/*
 * X.500 directory arcs: attribute types (e.g. commonName), directory
 * signature algorithms, and the id-ce certificate-extension arc that
 * the KMFOID_* extension OIDs below are defined under.
 */
#define	OID_DS	OID_ISO_CCITT_DIR_SERVICE /* Also in X.501 */
#define	OID_DS_LENGTH	1

#define	OID_ATTR_TYPE	OID_DS, 4	/* Also in X.501 */
#define	OID_ATTR_TYPE_LENGTH  (OID_DS_LENGTH + 1)

#define	OID_DSALG	OID_DS, 8	/* Also in X.501 */
#define	OID_DSALG_LENGTH	(OID_DS_LENGTH + 1)

#define	OID_EXTENSION	OID_DS, 29	/* Also in X.501 */
#define	OID_EXTENSION_LENGTH  (OID_DS_LENGTH + 1)
922 
923 /*
924  * From RFC 1274:
925  * {itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100) pilotAttributeType(1) }
926  */
927 #define	OID_PILOT	0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x1
928 #define	OID_PILOT_LENGTH	9
929 
930 #define	OID_USERID		OID_PILOT 1
931 #define	OID_USERID_LENGTH	(OID_PILOT_LENGTH + 1)
932 
933 /*
934  * From PKIX part1
935  * { iso(1) identified-organization(3) dod(6) internet(1)
936  *   security(5) mechanisms(5) pkix(7) }
937  */
938 #define	OID_PKIX	43, 6, 1, 5, 5, 7
939 #define	OID_PKIX_LENGTH	6
940 
941 /* private certificate extensions, { id-pkix 1 } */
942 #define	OID_PKIX_PE	OID_PKIX, 1
943 #define	OID_PKIX_PE_LENGTH   (OID_PKIX_LENGTH + 1)
944 
945 /* policy qualifier types {id-pkix 2 } */
946 #define	OID_PKIX_QT	OID_PKIX, 2
947 #define	OID_PKIX_QT_LENGTH   (OID_PKIX_LENGTH + 1)
948 
949 /* CPS qualifier, { id-qt 1 } */
950 #define	OID_PKIX_QT_CPS	OID_PKIX_QT, 1
951 #define	OID_PKIX_QT_CPS_LENGTH (OID_PKIX_QT_LENGTH + 1)
952 /* user notice qualifier, { id-qt 2 } */
953 #define	OID_PKIX_QT_UNOTICE  OID_PKIX_QT, 2
954 #define	OID_PKIX_QT_UNOTICE_LENGTH (OID_PKIX_QT_LENGTH + 1)
955 
956 /* extended key purpose OIDs {id-pkix 3 } */
957 #define	OID_PKIX_KP	OID_PKIX, 3
958 #define	OID_PKIX_KP_LENGTH   (OID_PKIX_LENGTH + 1)
959 
960 /* access descriptors {id-pkix 4 } */
961 #define	OID_PKIX_AD	OID_PKIX, 48
962 #define	OID_PKIX_AD_LENGTH   (OID_PKIX_LENGTH + 1)
963 
964 /* access descriptors */
965 /* OCSP */
966 #define	OID_PKIX_AD_OCSP	OID_PKIX_AD, 1
967 #define	OID_PKIX_AD_OCSP_LENGTH (OID_PKIX_AD_LENGTH + 1)
968 
969 /* cAIssuers */
970 #define	OID_PKIX_AD_CAISSUERS OID_PKIX_AD, 2
971 #define	OID_PKIX_AD_CAISSUERS_LENGTH (OID_PKIX_AD_LENGTH + 1)
972 
973 /* end PKIX part1 */
974 
975 /*
976  * From RFC4556 (PKINIT)
977  *
978  * pkinit = { iso(1) identified-organization(3) dod(6) internet(1)
979  *   security(5) kerberosv5(2) pkinit(3) }
980  */
981 #define	OID_KRB5_PKINIT	43, 6, 1, 5, 2, 3
982 #define	OID_KRB5_PKINIT_LENGTH	6
983 
984 #define	OID_KRB5_PKINIT_KPCLIENTAUTH	OID_KRB5_PKINIT, 4
985 #define	OID_KRB5_PKINIT_KPCLIENTAUTH_LENGTH (OID_KRB5_PKINIT_LENGTH + 1)
986 
987 #define	OID_KRB5_PKINIT_KPKDC		OID_KRB5_PKINIT, 5
988 #define	OID_KRB5_PKINIT_KPKDC_LENGTH	(OID_KRB5_PKINIT_LENGTH + 1)
989 
990 #define	OID_KRB5_SAN	43, 6, 1, 5, 2, 2
991 #define	OID_KRB5_SAN_LENGTH 6
992 
993 /*
994  * Microsoft OIDs:
995  * id-ms-san-sc-logon-upn =
996  * {iso(1) identified-organization(3) dod(6) internet(1) private(4)
997  *  enterprise(1) microsoft(311) 20 2 3}
998  *
999  * id-ms-kp-sc-logon =
1000  * {iso(1) identified-organization(3) dod(6) internet(1) private(4)
1001  *  enterprise(1) microsoft(311) 20 2 2}
1002  */
1003 #define	OID_MS	43, 6, 1, 4, 1, 130, 55
1004 #define	OID_MS_LENGTH 7
1005 #define	OID_MS_KP_SC_LOGON		OID_MS, 20, 2, 2
1006 #define	OID_MS_KP_SC_LOGON_LENGTH	(OID_MS_LENGTH + 3)
1007 
1008 #define	OID_MS_KP_SC_LOGON_UPN		OID_MS, 20, 2, 3
1009 #define	OID_MS_KP_SC_LOGON_UPN_LENGTH	(OID_MS_LENGTH + 3)
1010 
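/*
 * 1.3.6.1.2.1.27.4 as seven encoded bytes.  The length must match the
 * initializer: the previous value of 8 was one more than the number of
 * bytes the macro expands to, so an array sized from it would have a
 * trailing zero byte that is not part of the OID.
 */
#define	OID_APPL_TCP_PROTO		43, 6, 1, 2, 1, 27, 4
#define	OID_APPL_TCP_PROTO_LENGTH	7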
1013 
/* Directory Access Protocol, { ds(5) 3 1 }; three bytes */
#define	OID_DAP	OID_DS, 3, 1
#define	OID_DAP_LENGTH	(OID_DS_LENGTH + 2)
1016 
/* From x9.57 */
/*
 * OIW (Open Implementers Workshop) security SIG and directory arcs,
 * { iso(1) identified-organization(3) oiw(14) ... }; OID_OIW itself is
 * defined with the ISO arcs above.  OID_X9CM is the ANSI X9.57 arc
 * { us(840) x9-57(10040) } (206, 56 encodes 10040) under which the
 * DSA algorithm OIDs live.
 */
#define	OID_OIW_LENGTH	2

#define	OID_OIW_SECSIG	OID_OIW, 3
#define	OID_OIW_SECSIG_LENGTH (OID_OIW_LENGTH + 1)

#define	OID_OIW_ALGORITHM	OID_OIW_SECSIG, 2
#define	OID_OIW_ALGORITHM_LENGTH (OID_OIW_SECSIG_LENGTH + 1)

#define	OID_OIWDIR	OID_OIW, 7, 2
#define	OID_OIWDIR_LENGTH    (OID_OIW_LENGTH + 2)

#define	OID_OIWDIR_CRPT	OID_OIWDIR, 1

#define	OID_OIWDIR_HASH	OID_OIWDIR, 2
#define	OID_OIWDIR_HASH_LENGTH (OID_OIWDIR_LENGTH + 1)

#define	OID_OIWDIR_SIGN	OID_OIWDIR, 3
#define	OID_OIWDIR_SIGN_LENGTH (OID_OIWDIR_LENGTH + 1)

#define	OID_X9CM	OID_US, 206, 56
#define	OID_X9CM_MODULE	OID_X9CM, 1
#define	OID_X9CM_INSTRUCTION OID_X9CM, 2
#define	OID_X9CM_ATTR	OID_X9CM, 3
#define	OID_X9CM_X9ALGORITHM OID_X9CM, 4
/* OID_US (3 bytes) + 2 for x9-57 + 1 for the algorithm arc */
#define	OID_X9CM_X9ALGORITHM_LENGTH ((OID_US_LENGTH) + 2 + 1)
1043 
/*
 * Intel CDSA arcs inherited from the original CSSM headers.
 * NOTE(review): INTEL_SEC_FORMATS and INTEL_SEC_ALGS expand to
 * INTEL_CDSASECURITY / INTEL_CDSASECURITY_LENGTH, which this header
 * does not define — any use of them will fail to compile unless those
 * names come from elsewhere; confirm before relying on them.
 */
#define	INTEL	96, 134, 72, 1, 134, 248, 77
#define	INTEL_LENGTH 7

#define	INTEL_SEC_FORMATS	INTEL_CDSASECURITY, 1
#define	INTEL_SEC_FORMATS_LENGTH	(INTEL_CDSASECURITY_LENGTH + 1)

#define	INTEL_SEC_ALGS	INTEL_CDSASECURITY, 2, 5
#define	INTEL_SEC_ALGS_LENGTH	(INTEL_CDSASECURITY_LENGTH + 2)
1052 
/*
 * Pre-built OID constants for X.520 attribute types and PKCS#9
 * attributes, defined once in the library.  Each is a const KMF_OID
 * whose Data points at static storage, so they can be compared by
 * content but must never be freed or written through.
 */
extern const KMF_OID
KMFOID_AliasedEntryName,
KMFOID_AuthorityRevocationList,
KMFOID_BusinessCategory,
KMFOID_CACertificate,
KMFOID_CertificateRevocationList,
KMFOID_ChallengePassword,
KMFOID_CollectiveFacsimileTelephoneNumber,
KMFOID_CollectiveInternationalISDNNumber,
KMFOID_CollectiveOrganizationName,
KMFOID_CollectiveOrganizationalUnitName,
KMFOID_CollectivePhysicalDeliveryOfficeName,
KMFOID_CollectivePostOfficeBox,
KMFOID_CollectivePostalAddress,
KMFOID_CollectivePostalCode,
KMFOID_CollectiveStateProvinceName,
KMFOID_CollectiveStreetAddress,
KMFOID_CollectiveTelephoneNumber,
KMFOID_CollectiveTelexNumber,
KMFOID_CollectiveTelexTerminalIdentifier,
KMFOID_CommonName,
KMFOID_ContentType,
KMFOID_CounterSignature,
KMFOID_CountryName,
KMFOID_CrossCertificatePair,
KMFOID_DNQualifier,
KMFOID_Description,
KMFOID_DestinationIndicator,
KMFOID_DistinguishedName,
KMFOID_EmailAddress,
KMFOID_EnhancedSearchGuide,
KMFOID_ExtendedCertificateAttributes,
KMFOID_ExtensionRequest,
KMFOID_FacsimileTelephoneNumber,
KMFOID_GenerationQualifier,
KMFOID_GivenName,
KMFOID_HouseIdentifier,
KMFOID_Initials,
KMFOID_InternationalISDNNumber,
KMFOID_KnowledgeInformation,
KMFOID_LocalityName,
KMFOID_Member,
KMFOID_MessageDigest,
KMFOID_Name,
KMFOID_ObjectClass,
KMFOID_OrganizationName,
KMFOID_OrganizationalUnitName,
KMFOID_Owner,
KMFOID_PhysicalDeliveryOfficeName,
KMFOID_PostOfficeBox,
KMFOID_PostalAddress,
KMFOID_PostalCode,
KMFOID_PreferredDeliveryMethod,
KMFOID_PresentationAddress,
KMFOID_ProtocolInformation,
KMFOID_RFC822mailbox,
KMFOID_RegisteredAddress,
KMFOID_RoleOccupant,
KMFOID_SearchGuide,
KMFOID_SeeAlso,
KMFOID_SerialNumber,
KMFOID_SigningTime,
KMFOID_StateProvinceName,
KMFOID_StreetAddress,
KMFOID_SupportedApplicationContext,
KMFOID_Surname,
KMFOID_TelephoneNumber,
KMFOID_TelexNumber,
KMFOID_TelexTerminalIdentifier,
KMFOID_Title,
KMFOID_UniqueIdentifier,
KMFOID_UniqueMember,
KMFOID_UnstructuredAddress,
KMFOID_UnstructuredName,
KMFOID_UserCertificate,
KMFOID_UserPassword,
KMFOID_X_121Address,
KMFOID_domainComponent,
KMFOID_userid;
1132 
/*
 * Pre-built OID constants for certificate extensions, PKIX access
 * descriptors, policy qualifiers, extended key purposes and signature
 * / digest algorithms.  As above, these are read-only static objects.
 * Several name legacy algorithms (MD2, MD5, SHA-1); having an OID for
 * them lets certificates be parsed and identified, and says nothing
 * about whether a validation policy accepts them.
 */
extern const KMF_OID
KMFOID_AuthorityKeyID,
KMFOID_AuthorityInfoAccess,
KMFOID_VerisignCertificatePolicy,
KMFOID_KeyUsageRestriction,
KMFOID_SubjectDirectoryAttributes,
KMFOID_SubjectKeyIdentifier,
KMFOID_KeyUsage,
KMFOID_PrivateKeyUsagePeriod,
KMFOID_SubjectAltName,
KMFOID_IssuerAltName,
KMFOID_BasicConstraints,
KMFOID_CrlNumber,
KMFOID_CrlReason,
KMFOID_HoldInstructionCode,
KMFOID_InvalidityDate,
KMFOID_DeltaCrlIndicator,
KMFOID_IssuingDistributionPoints,
KMFOID_NameConstraints,
KMFOID_CrlDistributionPoints,
KMFOID_CertificatePolicies,
KMFOID_PolicyMappings,
KMFOID_PolicyConstraints,
KMFOID_AuthorityKeyIdentifier,
KMFOID_ExtendedKeyUsage,
KMFOID_PkixAdOcsp,
KMFOID_PkixAdCaIssuers,
KMFOID_PKIX_PQ_CPSuri,
KMFOID_PKIX_PQ_Unotice,
KMFOID_PKIX_KP_ServerAuth,
KMFOID_PKIX_KP_ClientAuth,
KMFOID_PKIX_KP_CodeSigning,
KMFOID_PKIX_KP_EmailProtection,
KMFOID_PKIX_KP_IPSecEndSystem,
KMFOID_PKIX_KP_IPSecTunnel,
KMFOID_PKIX_KP_IPSecUser,
KMFOID_PKIX_KP_TimeStamping,
KMFOID_PKIX_KP_OCSPSigning,
KMFOID_SHA1,
KMFOID_RSA,
KMFOID_DSA,
KMFOID_MD5,
KMFOID_MD5WithRSA,
KMFOID_MD2WithRSA,
KMFOID_SHA1WithRSA,
KMFOID_SHA256WithRSA,
KMFOID_SHA384WithRSA,
KMFOID_SHA512WithRSA,
KMFOID_SHA1WithDSA,
KMFOID_X9CM_DSA,
KMFOID_X9CM_DSAWithSHA1;
1184 
/*
 * For PKINIT support (Kerberos public-key initial authentication): by name,
 * the PKINIT subjectAltName form, the PKINIT client and KDC EKU purposes,
 * and the Microsoft smart-card-logon EKU and UPN name form.  Declarations
 * only; the OID values are defined in the KMF library.
 */
extern const KMF_OID
KMFOID_PKINIT_san,
KMFOID_PKINIT_ClientAuth,
KMFOID_PKINIT_Kdc,
KMFOID_MS_KP_SCLogon,
KMFOID_MS_KP_SCLogon_UPN;
1192 
/*
 * For ECC support: the EC public-key algorithm, ECDSA and DSA signature
 * algorithms with SHA-2 digests, the SHA-2 digests themselves, and named
 * curves (SEC 2 secp*/sect* and ANSI X9.62 c2*/prime* identifiers, judging
 * by the names).  Declarations only; values are defined in the KMF library.
 * The list includes very small curves (e.g. secp112r1, sect113r1) alongside
 * current ones; which curves are permitted for key generation or signature
 * verification is not fixed by this header.
 */
extern const KMF_OID
KMFOID_EC_PUBLIC_KEY,
/* signature algorithms */
KMFOID_SHA1WithECDSA,
KMFOID_SHA224WithECDSA,
KMFOID_SHA256WithECDSA,
KMFOID_SHA384WithECDSA,
KMFOID_SHA512WithECDSA,
KMFOID_SHA224WithDSA,
KMFOID_SHA256WithDSA,
/* SHA-2 digests */
KMFOID_SHA224,
KMFOID_SHA256,
KMFOID_SHA384,
KMFOID_SHA512,
/* named curves over prime fields (secp*) and binary fields (sect*) */
KMFOID_ECC_secp112r1,
KMFOID_ECC_secp112r2,
KMFOID_ECC_secp128r1,
KMFOID_ECC_secp128r2,
KMFOID_ECC_secp160k1,
KMFOID_ECC_secp160r1,
KMFOID_ECC_secp160r2,
KMFOID_ECC_secp192k1,
KMFOID_ECC_secp224k1,
KMFOID_ECC_secp224r1,
KMFOID_ECC_secp256k1,
KMFOID_ECC_secp384r1,
KMFOID_ECC_secp521r1,
KMFOID_ECC_sect113r1,
KMFOID_ECC_sect113r2,
KMFOID_ECC_sect131r1,
KMFOID_ECC_sect131r2,
KMFOID_ECC_sect163k1,
KMFOID_ECC_sect163r1,
KMFOID_ECC_sect163r2,
KMFOID_ECC_sect193r1,
KMFOID_ECC_sect193r2,
KMFOID_ECC_sect233k1,
KMFOID_ECC_sect233r1,
KMFOID_ECC_sect239k1,
KMFOID_ECC_sect283k1,
KMFOID_ECC_sect283r1,
KMFOID_ECC_sect409k1,
KMFOID_ECC_sect409r1,
KMFOID_ECC_sect571k1,
KMFOID_ECC_sect571r1,
/* ANSI X9.62 characteristic-two curves */
KMFOID_ECC_c2pnb163v1,
KMFOID_ECC_c2pnb163v2,
KMFOID_ECC_c2pnb163v3,
KMFOID_ECC_c2pnb176v1,
KMFOID_ECC_c2tnb191v1,
KMFOID_ECC_c2tnb191v2,
KMFOID_ECC_c2tnb191v3,
KMFOID_ECC_c2pnb208w1,
KMFOID_ECC_c2tnb239v1,
KMFOID_ECC_c2tnb239v2,
KMFOID_ECC_c2tnb239v3,
KMFOID_ECC_c2pnb272w1,
KMFOID_ECC_c2pnb304w1,
KMFOID_ECC_c2tnb359v1,
KMFOID_ECC_c2pnb368w1,
KMFOID_ECC_c2tnb431r1,
/* ANSI X9.62 prime curves; prime192v1/prime256v1 are aliased below */
KMFOID_ECC_prime192v2,
KMFOID_ECC_prime192v3,
KMFOID_ECC_secp192r1,
KMFOID_ECC_secp256r1;
1258 
/*
 * ANSI X9.62 prime192v1 is the same curve as SEC 2 secp192r1, and
 * ANSI X9.62 prime256v1 the same as secp256r1 (NIST P-192 / P-256),
 * so the ANSI names are plain aliases of the secp declarations above
 * rather than separate OID objects.  Taking the address of either name
 * yields the same object.
 */
#define	KMFOID_ANSIX962_prime192v1 KMFOID_ECC_secp192r1
#define	KMFOID_ANSIX962_prime256v1 KMFOID_ECC_secp256r1
1265 
/*
 * KMF Certificate validation codes.  These may be masked together: they are
 * meant to be OR'd, one bit per failed check, so a validation result is
 * clean only when it equals KMF_CERT_VALIDATE_OK (0) — testing a single
 * error bit is not sufficient to accept a certificate.
 * KMF_CERT_VALIDATE_ERR_ISSUER (0x100) does not fit in a byte; keep the
 * combined result in an int-sized variable.
 */
#define	KMF_CERT_VALIDATE_OK		0x00
#define	KMF_CERT_VALIDATE_ERR_TA	0x01	/* trust anchor */
#define	KMF_CERT_VALIDATE_ERR_USER	0x02
#define	KMF_CERT_VALIDATE_ERR_SIGNATURE	0x04
#define	KMF_CERT_VALIDATE_ERR_KEYUSAGE	0x08
#define	KMF_CERT_VALIDATE_ERR_EXT_KEYUSAGE	0x10
#define	KMF_CERT_VALIDATE_ERR_TIME	0x20	/* validity period */
#define	KMF_CERT_VALIDATE_ERR_CRL	0x40	/* CRL check */
#define	KMF_CERT_VALIDATE_ERR_OCSP	0x80	/* OCSP check */
#define	KMF_CERT_VALIDATE_ERR_ISSUER	0x100
1279 
/*
 * KMF Key Usage bitmasks.
 * The bit positions appear to mirror the first two octets of the X.509
 * KeyUsage BIT STRING with ASN.1 bit 0 (digitalSignature) in the most
 * significant bit, so bit 8 (decipherOnly) lands in the low byte.
 * KMF_KUBITMASK (0xFF80) is the OR of all nine defined bits; any other bit
 * in a key-usage value is not a known flag.
 */
#define	KMF_digitalSignature	0x8000
#define	KMF_nonRepudiation	0x4000
#define	KMF_keyEncipherment	0x2000
#define	KMF_dataEncipherment	0x1000
#define	KMF_keyAgreement	0x0800
#define	KMF_keyCertSign		0x0400
#define	KMF_cRLSign		0x0200
#define	KMF_encipherOnly	0x0100
#define	KMF_decipherOnly	0x0080

/* union of the nine KMF_* key-usage bits above */
#define	KMF_KUBITMASK 0xFF80
1294 
/*
 * KMF Extended KeyUsage flags.
 * These are bit flags rather than OIDs: each one stands for one of the
 * KMFOID_PKIX_KP_* purposes declared above (serverAuth, clientAuth,
 * codeSigning, emailProtection, timeStamping, OCSPSigning), so a
 * certificate's set of EKU purposes can be carried and tested as a single
 * mask.  Purposes without a flag here (e.g. the IPSec and PKINIT ones)
 * cannot be expressed in this mask.
 */
#define	KMF_EKU_SERVERAUTH			0x01
#define	KMF_EKU_CLIENTAUTH			0x02
#define	KMF_EKU_CODESIGNING			0x04
#define	KMF_EKU_EMAIL				0x08
#define	KMF_EKU_TIMESTAMP			0x10
#define	KMF_EKU_OCSPSIGNING			0x20
1304 
1305 #ifdef __cplusplus
1306 }
1307 #endif
1308 #endif /* _KMFTYPES_H */
1309