1/*
2 * Copyright (c) 1995-2000 Intel Corporation. All rights reserved.
3 */
4/*
5 * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
6 */
7
8#ifndef _KMFTYPES_H
9#define	_KMFTYPES_H
10
11#include <sys/types.h>
12#include <stdlib.h>
13#include <strings.h>
14#include <pthread.h>
15
16#include <security/cryptoki.h>
17
18#ifdef __cplusplus
19extern "C" {
20#endif
21
22typedef uint32_t KMF_BOOL;
23
24#define	KMF_FALSE (0)
25#define	KMF_TRUE  (1)
26
27/* KMF_HANDLE_T is a pointer to an incomplete C struct for type safety. */
28typedef struct _kmf_handle *KMF_HANDLE_T;
29
30/*
31 * KMF_DATA
32 * The KMF_DATA structure is used to associate a length, in bytes, with
33 * an arbitrary block of contiguous memory.
34 */
35typedef struct kmf_data
36{
37    size_t	Length; /* in bytes */
38    uchar_t	*Data;
39} KMF_DATA;
40
41typedef struct {
42	uchar_t		*val;
43	size_t		len;
44} KMF_BIGINT;
45
46/*
47 * KMF_OID
48 * The object identifier (OID) structure is used to hold a unique identifier for
49 * the atomic data fields and the compound substructure that comprise the fields
50 * of a certificate or CRL.
51 */
52typedef KMF_DATA KMF_OID;
53
54typedef struct kmf_x509_private {
55	int	keystore_type;
56	int	flags;			/* see below */
57	char	*label;
58#define	KMF_FLAG_CERT_VALID	1	/* contains valid certificate */
59#define	KMF_FLAG_CERT_SIGNED	2	/* this is a signed certificate */
60} KMF_X509_PRIVATE;
61
62/*
63 * KMF_X509_DER_CERT
64 * This structure associates packed DER certificate data.
65 * Also, it contains the private information internal used
66 * by KMF layer.
67 */
68typedef struct
69{
70	KMF_DATA		certificate;
71	KMF_X509_PRIVATE	kmf_private;
72} KMF_X509_DER_CERT;
73
74typedef int KMF_KEYSTORE_TYPE;
75#define	KMF_KEYSTORE_NSS	1
76#define	KMF_KEYSTORE_OPENSSL	2
77#define	KMF_KEYSTORE_PK11TOKEN	3
78
79#define	VALID_DEFAULT_KEYSTORE_TYPE(t) ((t >= KMF_KEYSTORE_NSS) &&\
80	(t <= KMF_KEYSTORE_PK11TOKEN))
81
82typedef enum {
83	KMF_FORMAT_UNDEF =	0,
84	KMF_FORMAT_ASN1 =	1,	/* DER */
85	KMF_FORMAT_PEM =	2,
86	KMF_FORMAT_PKCS12 =	3,
87	KMF_FORMAT_RAWKEY =	4,	/* For FindKey operation */
88	KMF_FORMAT_PEM_KEYPAIR = 5
89} KMF_ENCODE_FORMAT;
90
91#define	KMF_FORMAT_NATIVE KMF_FORMAT_UNDEF
92
93typedef enum {
94	KMF_ALL_CERTS =		0,
95	KMF_NONEXPIRED_CERTS =	1,
96	KMF_EXPIRED_CERTS =	2
97} KMF_CERT_VALIDITY;
98
99
100typedef enum {
101	KMF_ALL_EXTNS =		0,
102	KMF_CRITICAL_EXTNS = 	1,
103	KMF_NONCRITICAL_EXTNS =	2
104} KMF_FLAG_CERT_EXTN;
105
106
107typedef enum {
108	KMF_KU_SIGN_CERT	= 0,
109	KMF_KU_SIGN_DATA	= 1,
110	KMF_KU_ENCRYPT_DATA	= 2
111} KMF_KU_PURPOSE;
112
113/*
114 * Algorithms
115 * This type defines a set of constants used to identify cryptographic
116 * algorithms.
117 *
118 * When adding new ALGID, be careful not to rearrange existing
119 * values, doing so can cause problem in the STC test suite.
120 */
121typedef enum {
122	KMF_ALGID_NONE	= 0,
123	KMF_ALGID_CUSTOM,
124	KMF_ALGID_SHA1,
125	KMF_ALGID_RSA,
126	KMF_ALGID_DSA,
127	KMF_ALGID_MD5WithRSA,
128	KMF_ALGID_MD2WithRSA,
129	KMF_ALGID_SHA1WithRSA,
130	KMF_ALGID_SHA1WithDSA,
131
132	KMF_ALGID_ECDSA,
133
134	KMF_ALGID_SHA256WithRSA,
135	KMF_ALGID_SHA384WithRSA,
136	KMF_ALGID_SHA512WithRSA,
137
138	KMF_ALGID_SHA256WithDSA,
139
140	KMF_ALGID_SHA1WithECDSA,
141	KMF_ALGID_SHA256WithECDSA,
142	KMF_ALGID_SHA384WithECDSA,
143	KMF_ALGID_SHA512WithECDSA
144} KMF_ALGORITHM_INDEX;
145
146/*
147 * Generic credential structure used by other structures below
148 * to convey authentication information to the underlying
149 * mechanisms.
150 */
151typedef struct {
152	char *cred;
153	uint32_t credlen;
154} KMF_CREDENTIAL;
155
156typedef enum {
157	KMF_KEYALG_NONE = 0,
158	KMF_RSA = 1,
159	KMF_DSA = 2,
160	KMF_AES = 3,
161	KMF_RC4 = 4,
162	KMF_DES = 5,
163	KMF_DES3 = 6,
164	KMF_GENERIC_SECRET = 7,
165	KMF_ECDSA = 8
166}KMF_KEY_ALG;
167
168typedef enum {
169	KMF_KEYCLASS_NONE = 0,
170	KMF_ASYM_PUB = 1,	/* public key of an asymmetric keypair */
171	KMF_ASYM_PRI = 2,	/* private key of an asymmetric keypair */
172	KMF_SYMMETRIC = 3	/* symmetric key */
173}KMF_KEY_CLASS;
174
175typedef enum {
176	KMF_CERT = 0,
177	KMF_CSR = 1,
178	KMF_CRL = 2
179}KMF_OBJECT_TYPE;
180
181typedef struct {
182	KMF_BIGINT	mod;
183	KMF_BIGINT	pubexp;
184	KMF_BIGINT	priexp;
185	KMF_BIGINT	prime1;
186	KMF_BIGINT	prime2;
187	KMF_BIGINT	exp1;
188	KMF_BIGINT	exp2;
189	KMF_BIGINT	coef;
190} KMF_RAW_RSA_KEY;
191
192typedef struct {
193	KMF_BIGINT	prime;
194	KMF_BIGINT	subprime;
195	KMF_BIGINT	base;
196	KMF_BIGINT	value;
197	KMF_BIGINT	pubvalue;
198} KMF_RAW_DSA_KEY;
199
200typedef struct {
201	KMF_BIGINT	keydata;
202} KMF_RAW_SYM_KEY;
203
204typedef struct {
205	KMF_BIGINT	value;
206	KMF_OID		params;
207} KMF_RAW_EC_KEY;
208
209typedef struct {
210	KMF_KEY_ALG	keytype;
211	boolean_t	sensitive;
212	boolean_t	not_extractable;
213	union {
214		KMF_RAW_RSA_KEY	rsa;
215		KMF_RAW_DSA_KEY	dsa;
216		KMF_RAW_SYM_KEY	sym;
217		KMF_RAW_EC_KEY  ec;
218	}rawdata;
219	char *label;
220	KMF_DATA id;
221} KMF_RAW_KEY_DATA;
222
223typedef struct {
224	KMF_KEYSTORE_TYPE	kstype;
225	KMF_KEY_ALG		keyalg;
226	KMF_KEY_CLASS		keyclass;
227	boolean_t		israw;
228	char			*keylabel;
229	void			*keyp;
230} KMF_KEY_HANDLE;
231
232typedef struct {
233	KMF_KEYSTORE_TYPE	kstype;
234	uint32_t		errcode;
235} KMF_ERROR;
236
237/*
238 * Typenames to use with subjectAltName
239 */
240typedef enum {
241	GENNAME_OTHERNAME	= 0x00,
242	GENNAME_RFC822NAME,
243	GENNAME_DNSNAME,
244	GENNAME_X400ADDRESS,
245	GENNAME_DIRECTORYNAME,
246	GENNAME_EDIPARTYNAME,
247	GENNAME_URI,
248	GENNAME_IPADDRESS,
249	GENNAME_REGISTEREDID,
250	GENNAME_KRB5PRINC,
251	GENNAME_SCLOGON_UPN
252} KMF_GENERALNAMECHOICES;
253
254/*
255 * KMF_FIELD
256 * This structure contains the OID/value pair for any item that can be
257 * identified by an OID.
258 */
259typedef struct
260{
261	KMF_OID		FieldOid;
262	KMF_DATA	FieldValue;
263} KMF_FIELD;
264
265typedef enum {
266	KMF_OK			= 0x00,
267	KMF_ERR_BAD_PARAMETER	= 0x01,
268	KMF_ERR_BAD_KEY_FORMAT	= 0x02,
269	KMF_ERR_BAD_ALGORITHM	= 0x03,
270	KMF_ERR_MEMORY		= 0x04,
271	KMF_ERR_ENCODING	= 0x05,
272	KMF_ERR_PLUGIN_INIT	= 0x06,
273	KMF_ERR_PLUGIN_NOTFOUND	= 0x07,
274	KMF_ERR_INTERNAL	= 0x0b,
275	KMF_ERR_BAD_CERT_FORMAT	= 0x0c,
276	KMF_ERR_KEYGEN_FAILED	= 0x0d,
277	KMF_ERR_UNINITIALIZED	= 0x10,
278	KMF_ERR_ISSUER		= 0x11,
279	KMF_ERR_NOT_REVOKED	= 0x12,
280	KMF_ERR_CERT_NOT_FOUND	= 0x13,
281	KMF_ERR_CRL_NOT_FOUND	= 0x14,
282	KMF_ERR_RDN_PARSER	= 0x15,
283	KMF_ERR_RDN_ATTR	= 0x16,
284	KMF_ERR_SLOTNAME	= 0x17,
285	KMF_ERR_EMPTY_CRL	= 0x18,
286	KMF_ERR_BUFFER_SIZE	= 0x19,
287	KMF_ERR_AUTH_FAILED	= 0x1a,
288	KMF_ERR_TOKEN_SELECTED	= 0x1b,
289	KMF_ERR_NO_TOKEN_SELECTED	= 0x1c,
290	KMF_ERR_TOKEN_NOT_PRESENT	= 0x1d,
291	KMF_ERR_EXTENSION_NOT_FOUND	= 0x1e,
292	KMF_ERR_POLICY_ENGINE		= 0x1f,
293	KMF_ERR_POLICY_DB_FORMAT	= 0x20,
294	KMF_ERR_POLICY_NOT_FOUND	= 0x21,
295	KMF_ERR_POLICY_DB_FILE		= 0x22,
296	KMF_ERR_POLICY_NAME		= 0x23,
297	KMF_ERR_OCSP_POLICY		= 0x24,
298	KMF_ERR_TA_POLICY		= 0x25,
299	KMF_ERR_KEY_NOT_FOUND		= 0x26,
300	KMF_ERR_OPEN_FILE		= 0x27,
301	KMF_ERR_OCSP_BAD_ISSUER		= 0x28,
302	KMF_ERR_OCSP_BAD_CERT		= 0x29,
303	KMF_ERR_OCSP_CREATE_REQUEST	= 0x2a,
304	KMF_ERR_CONNECT_SERVER		= 0x2b,
305	KMF_ERR_SEND_REQUEST		= 0x2c,
306	KMF_ERR_OCSP_CERTID		= 0x2d,
307	KMF_ERR_OCSP_MALFORMED_RESPONSE	= 0x2e,
308	KMF_ERR_OCSP_RESPONSE_STATUS	= 0x2f,
309	KMF_ERR_OCSP_NO_BASIC_RESPONSE	= 0x30,
310	KMF_ERR_OCSP_BAD_SIGNER		= 0x31,
311
312	KMF_ERR_OCSP_RESPONSE_SIGNATURE	= 0x32,
313	KMF_ERR_OCSP_UNKNOWN_CERT	= 0x33,
314	KMF_ERR_OCSP_STATUS_TIME_INVALID	= 0x34,
315	KMF_ERR_BAD_HTTP_RESPONSE	= 0x35,
316	KMF_ERR_RECV_RESPONSE		= 0x36,
317	KMF_ERR_RECV_TIMEOUT		= 0x37,
318	KMF_ERR_DUPLICATE_KEYFILE	= 0x38,
319	KMF_ERR_AMBIGUOUS_PATHNAME	= 0x39,
320	KMF_ERR_FUNCTION_NOT_FOUND	= 0x3a,
321	KMF_ERR_PKCS12_FORMAT		= 0x3b,
322	KMF_ERR_BAD_KEY_TYPE		= 0x3c,
323	KMF_ERR_BAD_KEY_CLASS		= 0x3d,
324	KMF_ERR_BAD_KEY_SIZE		= 0x3e,
325	KMF_ERR_BAD_HEX_STRING		= 0x3f,
326	KMF_ERR_KEYUSAGE		= 0x40,
327	KMF_ERR_VALIDITY_PERIOD		= 0x41,
328	KMF_ERR_OCSP_REVOKED		= 0x42,
329	KMF_ERR_CERT_MULTIPLE_FOUND	= 0x43,
330	KMF_ERR_WRITE_FILE		= 0x44,
331	KMF_ERR_BAD_URI			= 0x45,
332	KMF_ERR_BAD_CRLFILE		= 0x46,
333	KMF_ERR_BAD_CERTFILE		= 0x47,
334	KMF_ERR_GETKEYVALUE_FAILED	= 0x48,
335	KMF_ERR_BAD_KEYHANDLE		= 0x49,
336	KMF_ERR_BAD_OBJECT_TYPE		= 0x4a,
337	KMF_ERR_OCSP_RESPONSE_LIFETIME	= 0x4b,
338	KMF_ERR_UNKNOWN_CSR_ATTRIBUTE	= 0x4c,
339	KMF_ERR_UNINITIALIZED_TOKEN	= 0x4d,
340	KMF_ERR_INCOMPLETE_TBS_CERT	= 0x4e,
341	KMF_ERR_MISSING_ERRCODE		= 0x4f,
342	KMF_KEYSTORE_ALREADY_INITIALIZED = 0x50,
343	KMF_ERR_SENSITIVE_KEY		= 0x51,
344	KMF_ERR_UNEXTRACTABLE_KEY	= 0x52,
345	KMF_ERR_KEY_MISMATCH		= 0x53,
346	KMF_ERR_ATTR_NOT_FOUND		= 0x54,
347	KMF_ERR_KMF_CONF		= 0x55,
348	KMF_ERR_NAME_NOT_MATCHED	= 0x56,
349	KMF_ERR_MAPPER_OPEN		= 0x57,
350	KMF_ERR_MAPPER_NOT_FOUND	= 0x58,
351	KMF_ERR_MAPPING_FAILED		= 0x59,
352	KMF_ERR_CERT_VALIDATION		= 0x60
353} KMF_RETURN;
354
355/* Data structures for OCSP support */
356typedef enum {
357	OCSP_GOOD	= 0,
358	OCSP_REVOKED	= 1,
359	OCSP_UNKNOWN	= 2
360} KMF_OCSP_CERT_STATUS;
361
362typedef enum {
363	OCSP_SUCCESS 		= 0,
364	OCSP_MALFORMED_REQUEST	= 1,
365	OCSP_INTERNAL_ERROR	= 2,
366	OCSP_TRYLATER		= 3,
367	OCSP_SIGREQUIRED	= 4,
368	OCSP_UNAUTHORIZED	= 5
369} KMF_OCSP_RESPONSE_STATUS;
370
371typedef enum {
372	OCSP_NOSTATUS		= -1,
373	OCSP_UNSPECIFIED	= 0,
374	OCSP_KEYCOMPROMISE	= 1,
375	OCSP_CACOMPROMISE	= 2,
376	OCSP_AFFILIATIONCHANGE	= 3,
377	OCSP_SUPERCEDED		= 4,
378	OCSP_CESSATIONOFOPERATION = 5,
379	OCSP_CERTIFICATEHOLD	= 6,
380	OCSP_REMOVEFROMCRL	= 7
381} KMF_OCSP_REVOKED_STATUS;
382
383typedef enum {
384	KMF_CERT_ISSUER		= 1,
385	KMF_CERT_SUBJECT,
386	KMF_CERT_VERSION,
387	KMF_CERT_SERIALNUM,
388	KMF_CERT_NOTBEFORE,
389	KMF_CERT_NOTAFTER,
390	KMF_CERT_PUBKEY_ALG,
391	KMF_CERT_SIGNATURE_ALG,
392	KMF_CERT_EMAIL,
393	KMF_CERT_PUBKEY_DATA,
394	KMF_X509_EXT_PRIV_KEY_USAGE_PERIOD,
395	KMF_X509_EXT_CERT_POLICIES,
396	KMF_X509_EXT_SUBJ_ALTNAME,
397	KMF_X509_EXT_ISSUER_ALTNAME,
398	KMF_X509_EXT_BASIC_CONSTRAINTS,
399	KMF_X509_EXT_NAME_CONSTRAINTS,
400	KMF_X509_EXT_POLICY_CONSTRAINTS,
401	KMF_X509_EXT_EXT_KEY_USAGE,
402	KMF_X509_EXT_INHIBIT_ANY_POLICY,
403	KMF_X509_EXT_AUTH_KEY_ID,
404	KMF_X509_EXT_SUBJ_KEY_ID,
405	KMF_X509_EXT_POLICY_MAPPINGS,
406	KMF_X509_EXT_CRL_DIST_POINTS,
407	KMF_X509_EXT_FRESHEST_CRL,
408	KMF_X509_EXT_KEY_USAGE
409} KMF_PRINTABLE_ITEM;
410
411/*
412 * KMF_X509_ALGORITHM_IDENTIFIER
413 * This structure holds an object identifier naming a
414 * cryptographic algorithm and an optional set of
415 * parameters to be used as input to that algorithm.
416 */
417typedef struct
418{
419	KMF_OID algorithm;
420	KMF_DATA parameters;
421} KMF_X509_ALGORITHM_IDENTIFIER;
422
423/*
424 * KMF_X509_TYPE_VALUE_PAIR
425 * This structure contain an type-value pair.
426 */
427typedef struct
428{
429	KMF_OID type;
430	uint8_t valueType; /* The Tag to use when BER encoded */
431	KMF_DATA value;
432} KMF_X509_TYPE_VALUE_PAIR;
433
434
435/*
436 * KMF_X509_RDN
437 * This structure contains a Relative Distinguished Name
438 * composed of an ordered set of type-value pairs.
439 */
440typedef struct
441{
442	uint32_t			numberOfPairs;
443	KMF_X509_TYPE_VALUE_PAIR	*AttributeTypeAndValue;
444} KMF_X509_RDN;
445
446/*
447 * KMF_X509_NAME
448 * This structure contains a set of Relative Distinguished Names.
449 */
450typedef struct
451{
452	uint32_t numberOfRDNs;
453	KMF_X509_RDN	*RelativeDistinguishedName;
454} KMF_X509_NAME;
455
456/*
457 * KMF_X509_SPKI
458 * This structure contains the public key and the
459 * description of the verification algorithm
460 * appropriate for use with this key.
461 */
462typedef struct
463{
464	KMF_X509_ALGORITHM_IDENTIFIER algorithm;
465	KMF_DATA subjectPublicKey;
466} KMF_X509_SPKI;
467
468/*
469 * KMF_X509_TIME
470 * Time is represented as a string according to the
471 * definitions of GeneralizedTime and UTCTime
472 * defined in RFC 2459.
473 */
474typedef struct
475{
476	uint8_t timeType;
477	KMF_DATA time;
478} KMF_X509_TIME;
479
480/*
481 * KMF_X509_VALIDITY
482 */
483typedef struct
484{
485	KMF_X509_TIME notBefore;
486	KMF_X509_TIME notAfter;
487} KMF_X509_VALIDITY;
488
489/*
490 *   KMF_X509EXT_BASICCONSTRAINTS
491 */
492typedef struct
493{
494	KMF_BOOL cA;
495	KMF_BOOL pathLenConstraintPresent;
496	uint32_t pathLenConstraint;
497} KMF_X509EXT_BASICCONSTRAINTS;
498
499/*
500 * KMF_X509EXT_DATA_FORMAT
501 * This list defines the valid formats for a certificate extension.
502 */
503typedef enum
504{
505	KMF_X509_DATAFORMAT_ENCODED = 0,
506	KMF_X509_DATAFORMAT_PARSED,
507	KMF_X509_DATAFORMAT_PAIR
508} KMF_X509EXT_DATA_FORMAT;
509
510
511/*
512 * KMF_X509EXT_TAGandVALUE
513 * This structure contains a BER/DER encoded
514 * extension value and the type of that value.
515 */
516typedef struct
517{
518	uint8_t type;
519	KMF_DATA value;
520} KMF_X509EXT_TAGandVALUE;
521
522
523/*
524 * KMF_X509EXT_PAIR
525 * This structure aggregates two extension representations:
526 * a tag and value, and a parsed X509 extension representation.
527 */
528typedef struct
529{
530	KMF_X509EXT_TAGandVALUE tagAndValue;
531	void *parsedValue;
532} KMF_X509EXT_PAIR;
533
534/*
535 * KMF_X509_EXTENSION
536 * This structure contains a complete certificate extension.
537 */
538typedef struct
539{
540	KMF_OID extnId;
541	KMF_BOOL critical;
542	KMF_X509EXT_DATA_FORMAT format;
543	union
544	{
545		KMF_X509EXT_TAGandVALUE *tagAndValue;
546		void *parsedValue;
547		KMF_X509EXT_PAIR *valuePair;
548	} value;
549	KMF_DATA BERvalue;
550} KMF_X509_EXTENSION;
551
552
553/*
554 * KMF_X509_EXTENSIONS
555 * This structure contains the set of all certificate
556 * extensions contained in a certificate.
557 */
558typedef struct
559{
560	uint32_t numberOfExtensions;
561	KMF_X509_EXTENSION *extensions;
562} KMF_X509_EXTENSIONS;
563
564/*
565 * KMF_X509_TBS_CERT
566 * This structure contains a complete X.509 certificate.
567 */
568typedef struct
569{
570	KMF_DATA version;
571	KMF_BIGINT serialNumber;
572	KMF_X509_ALGORITHM_IDENTIFIER signature;
573	KMF_X509_NAME issuer;
574	KMF_X509_VALIDITY validity;
575	KMF_X509_NAME subject;
576	KMF_X509_SPKI subjectPublicKeyInfo;
577	KMF_DATA issuerUniqueIdentifier;
578	KMF_DATA subjectUniqueIdentifier;
579	KMF_X509_EXTENSIONS extensions;
580} KMF_X509_TBS_CERT;
581
582/*
583 * KMF_X509_SIGNATURE
584 * This structure contains a cryptographic digital signature.
585 */
586typedef struct
587{
588	KMF_X509_ALGORITHM_IDENTIFIER algorithmIdentifier;
589	KMF_DATA encrypted;
590} KMF_X509_SIGNATURE;
591
592/*
593 * KMF_X509_CERTIFICATE
594 * This structure associates a set of decoded certificate
595 * values with the signature covering those values.
596 */
597typedef struct
598{
599	KMF_X509_TBS_CERT certificate;
600	KMF_X509_SIGNATURE signature;
601} KMF_X509_CERTIFICATE;
602
603#define	CERT_ALG_OID(c) &c->certificate.signature.algorithm
604#define	CERT_SIG_OID(c) &c->signature.algorithmIdentifier.algorithm
605
606/*
607 * KMF_TBS_CSR
608 * This structure contains a complete PKCS#10 certificate request
609 */
610typedef struct
611{
612	KMF_DATA version;
613	KMF_X509_NAME subject;
614	KMF_X509_SPKI subjectPublicKeyInfo;
615	KMF_X509_EXTENSIONS extensions;
616} KMF_TBS_CSR;
617
618/*
619 * KMF_CSR_DATA
620 * This structure contains a complete PKCS#10 certificate signed request
621 */
622typedef struct
623{
624	KMF_TBS_CSR csr;
625	KMF_X509_SIGNATURE signature;
626} KMF_CSR_DATA;
627
628/*
629 * KMF_X509EXT_POLICYQUALIFIERINFO
630 */
631typedef struct
632{
633	KMF_OID policyQualifierId;
634	KMF_DATA value;
635} KMF_X509EXT_POLICYQUALIFIERINFO;
636
637/*
638 * KMF_X509EXT_POLICYQUALIFIERS
639 */
640typedef struct
641{
642	uint32_t numberOfPolicyQualifiers;
643	KMF_X509EXT_POLICYQUALIFIERINFO *policyQualifier;
644} KMF_X509EXT_POLICYQUALIFIERS;
645
646/*
647 * KMF_X509EXT_POLICYINFO
648 */
649typedef struct
650{
651	KMF_OID policyIdentifier;
652	KMF_X509EXT_POLICYQUALIFIERS policyQualifiers;
653} KMF_X509EXT_POLICYINFO;
654
655typedef struct
656{
657	uint32_t numberOfPolicyInfo;
658	KMF_X509EXT_POLICYINFO *policyInfo;
659} KMF_X509EXT_CERT_POLICIES;
660
661typedef struct
662{
663	uchar_t critical;
664	uint16_t KeyUsageBits;
665} KMF_X509EXT_KEY_USAGE;
666
667typedef struct
668{
669	uchar_t		critical;
670	uint16_t	nEKUs;
671	KMF_OID	*keyPurposeIdList;
672} KMF_X509EXT_EKU;
673
674
675/*
676 * X509 AuthorityInfoAccess extension
677 */
678typedef struct
679{
680	KMF_OID AccessMethod;
681	KMF_DATA AccessLocation;
682} KMF_X509EXT_ACCESSDESC;
683
684typedef struct
685{
686	uint32_t numberOfAccessDescription;
687	KMF_X509EXT_ACCESSDESC *AccessDesc;
688} KMF_X509EXT_AUTHINFOACCESS;
689
690
691/*
692 * X509 Crl Distribution Point extension
693 */
694typedef struct {
695	KMF_GENERALNAMECHOICES	choice;
696	KMF_DATA		name;
697} KMF_GENERALNAME;
698
699typedef struct {
700	uint32_t	number;
701	KMF_GENERALNAME *namelist;
702} KMF_GENERALNAMES;
703
704typedef enum  {
705	DP_GENERAL_NAME = 1,
706	DP_RELATIVE_NAME = 2
707} KMF_CRL_DIST_POINT_TYPE;
708
709typedef struct {
710	KMF_CRL_DIST_POINT_TYPE type;
711	union {
712		KMF_GENERALNAMES full_name;
713		KMF_DATA relative_name;
714	} name;
715	KMF_DATA reasons;
716	KMF_GENERALNAMES crl_issuer;
717} KMF_CRL_DIST_POINT;
718
719typedef struct {
720	uint32_t number;
721	KMF_CRL_DIST_POINT *dplist;
722} KMF_X509EXT_CRLDISTPOINTS;
723
724typedef enum {
725	KMF_DATA_ATTR,
726	KMF_OID_ATTR,
727	KMF_BIGINT_ATTR,
728	KMF_X509_DER_CERT_ATTR,
729	KMF_KEYSTORE_TYPE_ATTR,
730	KMF_ENCODE_FORMAT_ATTR,
731	KMF_CERT_VALIDITY_ATTR,
732	KMF_KU_PURPOSE_ATTR,
733	KMF_ALGORITHM_INDEX_ATTR,
734	KMF_TOKEN_LABEL_ATTR,
735	KMF_READONLY_ATTR,
736	KMF_DIRPATH_ATTR,
737	KMF_CERTPREFIX_ATTR,
738	KMF_KEYPREFIX_ATTR,
739	KMF_SECMODNAME_ATTR,
740	KMF_CREDENTIAL_ATTR,
741	KMF_TRUSTFLAG_ATTR,
742	KMF_CRL_FILENAME_ATTR,
743	KMF_CRL_CHECK_ATTR,
744	KMF_CRL_DATA_ATTR,
745	KMF_CRL_SUBJECT_ATTR,
746	KMF_CRL_ISSUER_ATTR,
747	KMF_CRL_NAMELIST_ATTR,
748	KMF_CRL_COUNT_ATTR,
749	KMF_CRL_OUTFILE_ATTR,
750	KMF_CERT_LABEL_ATTR,
751	KMF_SUBJECT_NAME_ATTR,
752	KMF_ISSUER_NAME_ATTR,
753	KMF_CERT_FILENAME_ATTR,
754	KMF_KEY_FILENAME_ATTR,
755	KMF_OUTPUT_FILENAME_ATTR,
756	KMF_IDSTR_ATTR,
757	KMF_CERT_DATA_ATTR,
758	KMF_OCSP_RESPONSE_DATA_ATTR,
759	KMF_OCSP_RESPONSE_STATUS_ATTR,
760	KMF_OCSP_RESPONSE_REASON_ATTR,
761	KMF_OCSP_RESPONSE_CERT_STATUS_ATTR,
762	KMF_OCSP_REQUEST_FILENAME_ATTR,
763	KMF_KEYALG_ATTR,
764	KMF_KEYCLASS_ATTR,
765	KMF_KEYLABEL_ATTR,
766	KMF_KEYLENGTH_ATTR,
767	KMF_RSAEXP_ATTR,
768	KMF_TACERT_DATA_ATTR,
769	KMF_SLOT_ID_ATTR,
770	KMF_PK12CRED_ATTR,
771	KMF_ISSUER_CERT_DATA_ATTR,
772	KMF_USER_CERT_DATA_ATTR,
773	KMF_SIGNER_CERT_DATA_ATTR,
774	KMF_IGNORE_RESPONSE_SIGN_ATTR,
775	KMF_RESPONSE_LIFETIME_ATTR,
776	KMF_KEY_HANDLE_ATTR,
777	KMF_PRIVKEY_HANDLE_ATTR,
778	KMF_PUBKEY_HANDLE_ATTR,
779	KMF_ERROR_ATTR,
780	KMF_X509_NAME_ATTR,
781	KMF_X509_SPKI_ATTR,
782	KMF_X509_CERTIFICATE_ATTR,
783	KMF_RAW_KEY_ATTR,
784	KMF_CSR_DATA_ATTR,
785	KMF_GENERALNAMECHOICES_ATTR,
786	KMF_STOREKEY_BOOL_ATTR,
787	KMF_SENSITIVE_BOOL_ATTR,
788	KMF_NON_EXTRACTABLE_BOOL_ATTR,
789	KMF_TOKEN_BOOL_ATTR,
790	KMF_PRIVATE_BOOL_ATTR,
791	KMF_NEWPIN_ATTR,
792	KMF_IN_SIGN_ATTR,
793	KMF_OUT_DATA_ATTR,
794	KMF_COUNT_ATTR,
795	KMF_DESTROY_BOOL_ATTR,
796	KMF_TBS_CERT_DATA_ATTR,
797	KMF_PLAINTEXT_DATA_ATTR,
798	KMF_CIPHERTEXT_DATA_ATTR,
799	KMF_VALIDATE_RESULT_ATTR,
800	KMF_KEY_DATA_ATTR,
801	KMF_PK11_USER_TYPE_ATTR,
802	KMF_ECC_CURVE_OID_ATTR,
803	KMF_MAPPER_NAME_ATTR,
804	KMF_MAPPER_PATH_ATTR,
805	KMF_MAPPER_OPTIONS_ATTR
806} KMF_ATTR_TYPE;
807
808typedef struct {
809	KMF_ATTR_TYPE	type;
810	void		*pValue;
811	uint32_t	valueLen;
812} KMF_ATTRIBUTE;
813
814/*
815 * Definitions for common X.509v3 certificate attribute OIDs
816 */
817#define	OID_ISO_MEMBER	42	/* Also in PKCS */
818#define	OID_US	OID_ISO_MEMBER, 134, 72 /* Also in PKCS */
819#define	OID_CA	OID_ISO_MEMBER, 124
820
821#define	OID_ISO_IDENTIFIED_ORG 43
822#define	OID_OSINET	OID_ISO_IDENTIFIED_ORG, 4
823#define	OID_GOSIP	OID_ISO_IDENTIFIED_ORG, 5
824#define	OID_DOD	OID_ISO_IDENTIFIED_ORG, 6
825#define	OID_OIW	OID_ISO_IDENTIFIED_ORG, 14 /* Also in x9.57 */
826
827#define	OID_ISO_CCITT_DIR_SERVICE 85
828#define	OID_ISO_CCITT_COUNTRY	96
829#define	OID_COUNTRY_US	OID_ISO_CCITT_COUNTRY, 134, 72
830#define	OID_COUNTRY_CA	OID_ISO_CCITT_COUNTRY, 124
831#define	OID_COUNTRY_US_ORG	OID_COUNTRY_US, 1
832#define	OID_COUNTRY_US_MHS_MD	OID_COUNTRY_US, 2
833#define	OID_COUNTRY_US_STATE	OID_COUNTRY_US, 3
834
835/* From the PKCS Standards */
836#define	OID_ISO_MEMBER_LENGTH 1
837#define	OID_US_LENGTH	(OID_ISO_MEMBER_LENGTH + 2)
838
839#define	OID_RSA	OID_US, 134, 247, 13
840#define	OID_RSA_LENGTH	(OID_US_LENGTH + 3)
841
842#define	OID_RSA_HASH	OID_RSA, 2
843#define	OID_RSA_HASH_LENGTH   (OID_RSA_LENGTH + 1)
844
845#define	OID_RSA_ENCRYPT	OID_RSA, 3
846#define	OID_RSA_ENCRYPT_LENGTH (OID_RSA_LENGTH + 1)
847
848#define	OID_PKCS	OID_RSA, 1
849#define	OID_PKCS_LENGTH	(OID_RSA_LENGTH + 1)
850
851#define	OID_PKCS_1	OID_PKCS, 1
852#define	OID_PKCS_1_LENGTH	(OID_PKCS_LENGTH + 1)
853
854#define	OID_PKCS_2	OID_PKCS, 2
855#define	OID_PKCS_3	OID_PKCS, 3
856#define	OID_PKCS_3_LENGTH	(OID_PKCS_LENGTH + 1)
857
858#define	OID_PKCS_4	OID_PKCS, 4
859#define	OID_PKCS_5	OID_PKCS, 5
860#define	OID_PKCS_5_LENGTH	(OID_PKCS_LENGTH + 1)
861#define	OID_PKCS_6	OID_PKCS, 6
862#define	OID_PKCS_7	OID_PKCS, 7
863#define	OID_PKCS_7_LENGTH	(OID_PKCS_LENGTH + 1)
864
865#define	OID_PKCS_7_Data			OID_PKCS_7, 1
866#define	OID_PKCS_7_SignedData		OID_PKCS_7, 2
867#define	OID_PKCS_7_EnvelopedData	OID_PKCS_7, 3
868#define	OID_PKCS_7_SignedAndEnvelopedData	OID_PKCS_7, 4
869#define	OID_PKCS_7_DigestedData		OID_PKCS_7, 5
870#define	OID_PKCS_7_EncryptedData	OID_PKCS_7, 6
871
872#define	OID_PKCS_8	OID_PKCS, 8
873#define	OID_PKCS_9	OID_PKCS, 9
874#define	OID_PKCS_9_LENGTH	(OID_PKCS_LENGTH + 1)
875
876#define	OID_PKCS_9_CONTENT_TYPE		OID_PKCS_9, 3
877#define	OID_PKCS_9_MESSAGE_DIGEST	OID_PKCS_9, 4
878#define	OID_PKCS_9_SIGNING_TIME		OID_PKCS_9, 5
879#define	OID_PKCS_9_COUNTER_SIGNATURE	OID_PKCS_9, 6
880#define	OID_PKCS_9_EXTENSION_REQUEST	OID_PKCS_9, 14
881
882#define	OID_PKCS_10	OID_PKCS, 10
883
884#define	OID_PKCS_12	OID_PKCS, 12
885#define	OID_PKCS_12_LENGTH	(OID_PKCS_LENGTH + 1)
886
887#define	PBEWithSHAAnd128BitRC4	OID_PKCS_12, 1, 1
888#define	PBEWithSHAAnd40BitRC4	OID_PKCS_12, 1, 2
889#define	PBEWithSHAAnd3KeyTripleDES_CBC	OID_PKCS_12, 1, 3
890#define	PBEWithSHAAnd2KeyTripleDES_CBC	OID_PKCS_12, 1, 4
891#define	PBEWithSHAAnd128BitRC2_CBC	OID_PKCS_12, 1, 5
892#define	PBEWithSHAAnd40BitRC2_CBC	OID_PKCS_12, 1, 6
893
894#define	OID_BAG_TYPES		OID_PKCS_12, 10, 1
895#define	OID_KeyBag		OID_BAG_TYPES, 1
896#define	OID_PKCS8ShroudedKeyBag	OID_BAG_TYPES, 2
897#define	OID_CertBag		OID_BAG_TYPES, 3
898#define	OID_CrlBag		OID_BAG_TYPES, 4
899#define	OID_SecretBag		OID_BAG_TYPES, 5
900#define	OID_SafeContentsBag	OID_BAG_TYPES, 6
901
902#define	OID_ContentInfo		OID_PKCS_7, 0, 1
903
904#define	OID_CERT_TYPES		OID_PKCS_9, 22
905#define	OID_x509Certificate	OID_CERT_TYPES, 1
906#define	OID_sdsiCertificate	OID_CERT_TYPES, 2
907
908#define	OID_CRL_TYPES		OID_PKCS_9, 23
909#define	OID_x509Crl		OID_CRL_TYPES, 1
910
911#define	OID_DS	OID_ISO_CCITT_DIR_SERVICE /* Also in X.501 */
912#define	OID_DS_LENGTH	1
913
914#define	OID_ATTR_TYPE	OID_DS, 4	/* Also in X.501 */
915#define	OID_ATTR_TYPE_LENGTH  (OID_DS_LENGTH + 1)
916
917#define	OID_DSALG	OID_DS, 8	/* Also in X.501 */
918#define	OID_DSALG_LENGTH	(OID_DS_LENGTH + 1)
919
920#define	OID_EXTENSION	OID_DS, 29	/* Also in X.501 */
921#define	OID_EXTENSION_LENGTH  (OID_DS_LENGTH + 1)
922
923/*
924 * From RFC 1274:
925 * {itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100) pilotAttributeType(1) }
926 */
927#define	OID_PILOT	0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x1
928#define	OID_PILOT_LENGTH	9
929
930#define	OID_USERID		OID_PILOT 1
931#define	OID_USERID_LENGTH	(OID_PILOT_LENGTH + 1)
932
933/*
934 * From PKIX part1
935 * { iso(1) identified-organization(3) dod(6) internet(1)
936 *   security(5) mechanisms(5) pkix(7) }
937 */
938#define	OID_PKIX	43, 6, 1, 5, 5, 7
939#define	OID_PKIX_LENGTH	6
940
941/* private certificate extensions, { id-pkix 1 } */
942#define	OID_PKIX_PE	OID_PKIX, 1
943#define	OID_PKIX_PE_LENGTH   (OID_PKIX_LENGTH + 1)
944
945/* policy qualifier types {id-pkix 2 } */
946#define	OID_PKIX_QT	OID_PKIX, 2
947#define	OID_PKIX_QT_LENGTH   (OID_PKIX_LENGTH + 1)
948
949/* CPS qualifier, { id-qt 1 } */
950#define	OID_PKIX_QT_CPS	OID_PKIX_QT, 1
951#define	OID_PKIX_QT_CPS_LENGTH (OID_PKIX_QT_LENGTH + 1)
952/* user notice qualifier, { id-qt 2 } */
953#define	OID_PKIX_QT_UNOTICE  OID_PKIX_QT, 2
954#define	OID_PKIX_QT_UNOTICE_LENGTH (OID_PKIX_QT_LENGTH + 1)
955
956/* extended key purpose OIDs {id-pkix 3 } */
957#define	OID_PKIX_KP	OID_PKIX, 3
958#define	OID_PKIX_KP_LENGTH   (OID_PKIX_LENGTH + 1)
959
960/* access descriptors {id-pkix 4 } */
961#define	OID_PKIX_AD	OID_PKIX, 48
962#define	OID_PKIX_AD_LENGTH   (OID_PKIX_LENGTH + 1)
963
964/* access descriptors */
965/* OCSP */
966#define	OID_PKIX_AD_OCSP	OID_PKIX_AD, 1
967#define	OID_PKIX_AD_OCSP_LENGTH (OID_PKIX_AD_LENGTH + 1)
968
969/* cAIssuers */
970#define	OID_PKIX_AD_CAISSUERS OID_PKIX_AD, 2
971#define	OID_PKIX_AD_CAISSUERS_LENGTH (OID_PKIX_AD_LENGTH + 1)
972
973/* end PKIX part1 */
974
975/*
976 * From RFC4556 (PKINIT)
977 *
978 * pkinit = { iso(1) identified-organization(3) dod(6) internet(1)
979 *   security(5) kerberosv5(2) pkinit(3) }
980 */
981#define	OID_KRB5_PKINIT	43, 6, 1, 5, 2, 3
982#define	OID_KRB5_PKINIT_LENGTH	6
983
984#define	OID_KRB5_PKINIT_KPCLIENTAUTH	OID_KRB5_PKINIT, 4
985#define	OID_KRB5_PKINIT_KPCLIENTAUTH_LENGTH (OID_KRB5_PKINIT_LENGTH + 1)
986
987#define	OID_KRB5_PKINIT_KPKDC		OID_KRB5_PKINIT, 5
988#define	OID_KRB5_PKINIT_KPKDC_LENGTH	(OID_KRB5_PKINIT_LENGTH + 1)
989
990#define	OID_KRB5_SAN	43, 6, 1, 5, 2, 2
991#define	OID_KRB5_SAN_LENGTH 6
992
993/*
994 * Microsoft OIDs:
995 * id-ms-san-sc-logon-upn =
996 * {iso(1) identified-organization(3) dod(6) internet(1) private(4)
997 *  enterprise(1) microsoft(311) 20 2 3}
998 *
999 * id-ms-kp-sc-logon =
1000 * {iso(1) identified-organization(3) dod(6) internet(1) private(4)
1001 *  enterprise(1) microsoft(311) 20 2 2}
1002 */
1003#define	OID_MS	43, 6, 1, 4, 1, 130, 55
1004#define	OID_MS_LENGTH 7
1005#define	OID_MS_KP_SC_LOGON		OID_MS, 20, 2, 2
1006#define	OID_MS_KP_SC_LOGON_LENGTH	(OID_MS_LENGTH + 3)
1007
1008#define	OID_MS_KP_SC_LOGON_UPN		OID_MS, 20, 2, 3
1009#define	OID_MS_KP_SC_LOGON_UPN_LENGTH	(OID_MS_LENGTH + 3)
1010
1011#define	OID_APPL_TCP_PROTO		43, 6, 1, 2, 1, 27, 4
1012#define	OID_APPL_TCP_PROTO_LENGTH	8
1013
1014#define	OID_DAP	OID_DS, 3, 1
1015#define	OID_DAP_LENGTH	(OID_DS_LENGTH + 2)
1016
1017/* From x9.57 */
1018#define	OID_OIW_LENGTH	2
1019
1020#define	OID_OIW_SECSIG	OID_OIW, 3
1021#define	OID_OIW_SECSIG_LENGTH (OID_OIW_LENGTH + 1)
1022
1023#define	OID_OIW_ALGORITHM	OID_OIW_SECSIG, 2
1024#define	OID_OIW_ALGORITHM_LENGTH (OID_OIW_SECSIG_LENGTH + 1)
1025
1026#define	OID_OIWDIR	OID_OIW, 7, 2
1027#define	OID_OIWDIR_LENGTH    (OID_OIW_LENGTH + 2)
1028
1029#define	OID_OIWDIR_CRPT	OID_OIWDIR, 1
1030
1031#define	OID_OIWDIR_HASH	OID_OIWDIR, 2
1032#define	OID_OIWDIR_HASH_LENGTH (OID_OIWDIR_LENGTH + 1)
1033
1034#define	OID_OIWDIR_SIGN	OID_OIWDIR, 3
1035#define	OID_OIWDIR_SIGN_LENGTH (OID_OIWDIR_LENGTH + 1)
1036
1037#define	OID_X9CM	OID_US, 206, 56
1038#define	OID_X9CM_MODULE	OID_X9CM, 1
1039#define	OID_X9CM_INSTRUCTION OID_X9CM, 2
1040#define	OID_X9CM_ATTR	OID_X9CM, 3
1041#define	OID_X9CM_X9ALGORITHM OID_X9CM, 4
1042#define	OID_X9CM_X9ALGORITHM_LENGTH ((OID_US_LENGTH) + 2 + 1)
1043
1044#define	INTEL	96, 134, 72, 1, 134, 248, 77
1045#define	INTEL_LENGTH 7
1046
1047#define	INTEL_SEC_FORMATS	INTEL_CDSASECURITY, 1
1048#define	INTEL_SEC_FORMATS_LENGTH	(INTEL_CDSASECURITY_LENGTH + 1)
1049
1050#define	INTEL_SEC_ALGS	INTEL_CDSASECURITY, 2, 5
1051#define	INTEL_SEC_ALGS_LENGTH	(INTEL_CDSASECURITY_LENGTH + 2)
1052
1053extern const KMF_OID
1054KMFOID_AliasedEntryName,
1055KMFOID_AuthorityRevocationList,
1056KMFOID_BusinessCategory,
1057KMFOID_CACertificate,
1058KMFOID_CertificateRevocationList,
1059KMFOID_ChallengePassword,
1060KMFOID_CollectiveFacsimileTelephoneNumber,
1061KMFOID_CollectiveInternationalISDNNumber,
1062KMFOID_CollectiveOrganizationName,
1063KMFOID_CollectiveOrganizationalUnitName,
1064KMFOID_CollectivePhysicalDeliveryOfficeName,
1065KMFOID_CollectivePostOfficeBox,
1066KMFOID_CollectivePostalAddress,
1067KMFOID_CollectivePostalCode,
1068KMFOID_CollectiveStateProvinceName,
1069KMFOID_CollectiveStreetAddress,
1070KMFOID_CollectiveTelephoneNumber,
1071KMFOID_CollectiveTelexNumber,
1072KMFOID_CollectiveTelexTerminalIdentifier,
1073KMFOID_CommonName,
1074KMFOID_ContentType,
1075KMFOID_CounterSignature,
1076KMFOID_CountryName,
1077KMFOID_CrossCertificatePair,
1078KMFOID_DNQualifier,
1079KMFOID_Description,
1080KMFOID_DestinationIndicator,
1081KMFOID_DistinguishedName,
1082KMFOID_EmailAddress,
1083KMFOID_EnhancedSearchGuide,
1084KMFOID_ExtendedCertificateAttributes,
1085KMFOID_ExtensionRequest,
1086KMFOID_FacsimileTelephoneNumber,
1087KMFOID_GenerationQualifier,
1088KMFOID_GivenName,
1089KMFOID_HouseIdentifier,
1090KMFOID_Initials,
1091KMFOID_InternationalISDNNumber,
1092KMFOID_KnowledgeInformation,
1093KMFOID_LocalityName,
1094KMFOID_Member,
1095KMFOID_MessageDigest,
1096KMFOID_Name,
1097KMFOID_ObjectClass,
1098KMFOID_OrganizationName,
1099KMFOID_OrganizationalUnitName,
1100KMFOID_Owner,
1101KMFOID_PhysicalDeliveryOfficeName,
1102KMFOID_PostOfficeBox,
1103KMFOID_PostalAddress,
1104KMFOID_PostalCode,
1105KMFOID_PreferredDeliveryMethod,
1106KMFOID_PresentationAddress,
1107KMFOID_ProtocolInformation,
1108KMFOID_RFC822mailbox,
1109KMFOID_RegisteredAddress,
1110KMFOID_RoleOccupant,
1111KMFOID_SearchGuide,
1112KMFOID_SeeAlso,
1113KMFOID_SerialNumber,
1114KMFOID_SigningTime,
1115KMFOID_StateProvinceName,
1116KMFOID_StreetAddress,
1117KMFOID_SupportedApplicationContext,
1118KMFOID_Surname,
1119KMFOID_TelephoneNumber,
1120KMFOID_TelexNumber,
1121KMFOID_TelexTerminalIdentifier,
1122KMFOID_Title,
1123KMFOID_UniqueIdentifier,
1124KMFOID_UniqueMember,
1125KMFOID_UnstructuredAddress,
1126KMFOID_UnstructuredName,
1127KMFOID_UserCertificate,
1128KMFOID_UserPassword,
1129KMFOID_X_121Address,
1130KMFOID_domainComponent,
1131KMFOID_userid;
1132
1133extern const KMF_OID
1134KMFOID_AuthorityKeyID,
1135KMFOID_AuthorityInfoAccess,
1136KMFOID_VerisignCertificatePolicy,
1137KMFOID_KeyUsageRestriction,
1138KMFOID_SubjectDirectoryAttributes,
1139KMFOID_SubjectKeyIdentifier,
1140KMFOID_KeyUsage,
1141KMFOID_PrivateKeyUsagePeriod,
1142KMFOID_SubjectAltName,
1143KMFOID_IssuerAltName,
1144KMFOID_BasicConstraints,
1145KMFOID_CrlNumber,
1146KMFOID_CrlReason,
1147KMFOID_HoldInstructionCode,
1148KMFOID_InvalidityDate,
1149KMFOID_DeltaCrlIndicator,
1150KMFOID_IssuingDistributionPoints,
1151KMFOID_NameConstraints,
1152KMFOID_CrlDistributionPoints,
1153KMFOID_CertificatePolicies,
1154KMFOID_PolicyMappings,
1155KMFOID_PolicyConstraints,
1156KMFOID_AuthorityKeyIdentifier,
1157KMFOID_ExtendedKeyUsage,
1158KMFOID_PkixAdOcsp,
1159KMFOID_PkixAdCaIssuers,
1160KMFOID_PKIX_PQ_CPSuri,
1161KMFOID_PKIX_PQ_Unotice,
1162KMFOID_PKIX_KP_ServerAuth,
1163KMFOID_PKIX_KP_ClientAuth,
1164KMFOID_PKIX_KP_CodeSigning,
1165KMFOID_PKIX_KP_EmailProtection,
1166KMFOID_PKIX_KP_IPSecEndSystem,
1167KMFOID_PKIX_KP_IPSecTunnel,
1168KMFOID_PKIX_KP_IPSecUser,
1169KMFOID_PKIX_KP_TimeStamping,
1170KMFOID_PKIX_KP_OCSPSigning,
1171KMFOID_SHA1,
1172KMFOID_RSA,
1173KMFOID_DSA,
1174KMFOID_MD5,
1175KMFOID_MD5WithRSA,
1176KMFOID_MD2WithRSA,
1177KMFOID_SHA1WithRSA,
1178KMFOID_SHA256WithRSA,
1179KMFOID_SHA384WithRSA,
1180KMFOID_SHA512WithRSA,
1181KMFOID_SHA1WithDSA,
1182KMFOID_X9CM_DSA,
1183KMFOID_X9CM_DSAWithSHA1;
1184
1185/* For PKINIT support */
1186extern const KMF_OID
1187KMFOID_PKINIT_san,
1188KMFOID_PKINIT_ClientAuth,
1189KMFOID_PKINIT_Kdc,
1190KMFOID_MS_KP_SCLogon,
1191KMFOID_MS_KP_SCLogon_UPN;
1192
1193/* For ECC support */
1194extern const KMF_OID
1195KMFOID_EC_PUBLIC_KEY,
1196KMFOID_SHA1WithECDSA,
1197KMFOID_SHA224WithECDSA,
1198KMFOID_SHA256WithECDSA,
1199KMFOID_SHA384WithECDSA,
1200KMFOID_SHA512WithECDSA,
1201KMFOID_SHA224WithDSA,
1202KMFOID_SHA256WithDSA,
1203KMFOID_SHA224,
1204KMFOID_SHA256,
1205KMFOID_SHA384,
1206KMFOID_SHA512,
1207KMFOID_ECC_secp112r1,
1208KMFOID_ECC_secp112r2,
1209KMFOID_ECC_secp128r1,
1210KMFOID_ECC_secp128r2,
1211KMFOID_ECC_secp160k1,
1212KMFOID_ECC_secp160r1,
1213KMFOID_ECC_secp160r2,
1214KMFOID_ECC_secp192k1,
1215KMFOID_ECC_secp224k1,
1216KMFOID_ECC_secp224r1,
1217KMFOID_ECC_secp256k1,
1218KMFOID_ECC_secp384r1,
1219KMFOID_ECC_secp521r1,
1220KMFOID_ECC_sect113r1,
1221KMFOID_ECC_sect113r2,
1222KMFOID_ECC_sect131r1,
1223KMFOID_ECC_sect131r2,
1224KMFOID_ECC_sect163k1,
1225KMFOID_ECC_sect163r1,
1226KMFOID_ECC_sect163r2,
1227KMFOID_ECC_sect193r1,
1228KMFOID_ECC_sect193r2,
1229KMFOID_ECC_sect233k1,
1230KMFOID_ECC_sect233r1,
1231KMFOID_ECC_sect239k1,
1232KMFOID_ECC_sect283k1,
1233KMFOID_ECC_sect283r1,
1234KMFOID_ECC_sect409k1,
1235KMFOID_ECC_sect409r1,
1236KMFOID_ECC_sect571k1,
1237KMFOID_ECC_sect571r1,
1238KMFOID_ECC_c2pnb163v1,
1239KMFOID_ECC_c2pnb163v2,
1240KMFOID_ECC_c2pnb163v3,
1241KMFOID_ECC_c2pnb176v1,
1242KMFOID_ECC_c2tnb191v1,
1243KMFOID_ECC_c2tnb191v2,
1244KMFOID_ECC_c2tnb191v3,
1245KMFOID_ECC_c2pnb208w1,
1246KMFOID_ECC_c2tnb239v1,
1247KMFOID_ECC_c2tnb239v2,
1248KMFOID_ECC_c2tnb239v3,
1249KMFOID_ECC_c2pnb272w1,
1250KMFOID_ECC_c2pnb304w1,
1251KMFOID_ECC_c2tnb359v1,
1252KMFOID_ECC_c2pnb368w1,
1253KMFOID_ECC_c2tnb431r1,
1254KMFOID_ECC_prime192v2,
1255KMFOID_ECC_prime192v3,
1256KMFOID_ECC_secp192r1,
1257KMFOID_ECC_secp256r1;
1258
1259/*
1260 * ANSI X9-62 prime192v1 is same as secp192r1 and
1261 * ANSI X9-62 prime256v1 is same as secp256r1
1262 */
1263#define	KMFOID_ANSIX962_prime192v1 KMFOID_ECC_secp192r1
1264#define	KMFOID_ANSIX962_prime256v1 KMFOID_ECC_secp256r1
1265
1266/*
1267 * KMF Certificate validation codes.  These may be masked together.
1268 */
1269#define	KMF_CERT_VALIDATE_OK		0x00
1270#define	KMF_CERT_VALIDATE_ERR_TA	0x01
1271#define	KMF_CERT_VALIDATE_ERR_USER	0x02
1272#define	KMF_CERT_VALIDATE_ERR_SIGNATURE	0x04
1273#define	KMF_CERT_VALIDATE_ERR_KEYUSAGE	0x08
1274#define	KMF_CERT_VALIDATE_ERR_EXT_KEYUSAGE	0x10
1275#define	KMF_CERT_VALIDATE_ERR_TIME	0x20
1276#define	KMF_CERT_VALIDATE_ERR_CRL	0x40
1277#define	KMF_CERT_VALIDATE_ERR_OCSP	0x80
1278#define	KMF_CERT_VALIDATE_ERR_ISSUER	0x100
1279
1280/*
1281 * KMF Key Usage bitmasks
1282 */
1283#define	KMF_digitalSignature	0x8000
1284#define	KMF_nonRepudiation	0x4000
1285#define	KMF_keyEncipherment	0x2000
1286#define	KMF_dataEncipherment	0x1000
1287#define	KMF_keyAgreement	0x0800
1288#define	KMF_keyCertSign		0x0400
1289#define	KMF_cRLSign		0x0200
1290#define	KMF_encipherOnly	0x0100
1291#define	KMF_decipherOnly	0x0080
1292
1293#define	KMF_KUBITMASK 0xFF80
1294
1295/*
1296 * KMF Extended KeyUsage OID definitions
1297 */
1298#define	KMF_EKU_SERVERAUTH			0x01
1299#define	KMF_EKU_CLIENTAUTH			0x02
1300#define	KMF_EKU_CODESIGNING			0x04
1301#define	KMF_EKU_EMAIL				0x08
1302#define	KMF_EKU_TIMESTAMP			0x10
1303#define	KMF_EKU_OCSPSIGNING			0x20
1304
1305#ifdef __cplusplus
1306}
1307#endif
1308#endif /* _KMFTYPES_H */
1309