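/*
 * Copyright (c) 1995-2000 Intel Corporation. All rights reserved.
 */
/*
 * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 * kmftypes.h
 * Public data types, enumerations, return codes and OID constants shared
 * by the KMF library and its callers.  This header defines no functions;
 * everything in it is part of the library's binary interface, so type and
 * member names and enumerator values must not be renumbered or reordered.
 */

#ifndef _KMFTYPES_H
#define	_KMFTYPES_H

#pragma ident	"%Z%%M% %I% %E% SMI"

#include <sys/types.h>
#include <stdlib.h>
#include <strings.h>
#include <pthread.h>

#include <security/cryptoki.h>

#ifdef __cplusplus
extern "C" {
#endif

/* Boolean used by the X.509 structures below; only KMF_TRUE/KMF_FALSE are defined for it. */
typedef uint32_t KMF_BOOL;

#define	KMF_FALSE	(0)
#define	KMF_TRUE	(1)

/* KMF_HANDLE_T is a pointer to an incomplete C struct for type safety. */
typedef struct _kmf_handle *KMF_HANDLE_T;

/*
 * KMF_DATA
 * The KMF_DATA structure is used to associate a length, in bytes, with
 * an arbitrary block of contiguous memory.  Length is the only bound on
 * Data: the block is arbitrary bytes, so it need not be NUL-terminated
 * and every access must be limited by Length.
 */
typedef struct kmf_data
{
	size_t	Length; /* in bytes */
	uchar_t	*Data;
} KMF_DATA;

/*
 * KMF_BIGINT
 * A variable-length integer carried as a counted byte array; len is the
 * number of bytes at val.  Byte order is not stated in this header --
 * confirm against the encoder/decoder before relying on it.
 */
typedef struct {
	uchar_t		*val;
	size_t		len;
} KMF_BIGINT;

/*
 * KMF_OID
 * The object identifier (OID) structure is used to hold a unique identifier for
 * the atomic data fields and the compound substructure that comprise the fields
 * of a certificate or CRL.  It is a KMF_DATA holding the encoded OID bytes.
 */
typedef KMF_DATA KMF_OID;

/*
 * KMF_X509_PRIVATE
 * Bookkeeping the KMF layer attaches to a DER certificate: which keystore
 * it came from, the KMF_FLAG_CERT_* bits, and the certificate's label.
 */
typedef struct kmf_x509_private {
	int	keystore_type;
	int	flags;		/* see below */
	char	*label;
#define	KMF_FLAG_CERT_VALID	1	/* contains valid certificate */
#define	KMF_FLAG_CERT_SIGNED	2	/* this is a signed certificate */
} KMF_X509_PRIVATE;

/*
 * KMF_X509_DER_CERT
 * This structure associates packed DER certificate data with the private
 * information used internally by the KMF layer.
 */
typedef struct
{
	KMF_DATA		certificate;
	KMF_X509_PRIVATE	kmf_private;
} KMF_X509_DER_CERT;

/*
 * KMF_KEYSTORE_TYPE
 * The concrete keystore back ends, plus KMF_KEYSTORE_DEFAULT which asks for
 * the keystore chosen by configuration.
 */
typedef enum {
	KMF_KEYSTORE_NSS = 1,
	KMF_KEYSTORE_OPENSSL = 2,
	KMF_KEYSTORE_PK11TOKEN = 3,
	KMF_KEYSTORE_DEFAULT	/* based on configuration */
} KMF_KEYSTORE_TYPE;

/*
 * True when t names a concrete keystore (NSS, OPENSSL or PK11TOKEN).
 * KMF_KEYSTORE_DEFAULT, the value after PK11TOKEN, is outside the accepted
 * range.  The argument is evaluated twice, so pass a side-effect-free
 * expression.  Argument and expansion are fully parenthesized so that
 * compound expressions are safe to pass.
 */
#define	VALID_KEYSTORE_TYPE(t)	(((t) >= KMF_KEYSTORE_NSS) && \
	((t) <= KMF_KEYSTORE_PK11TOKEN))

/* Encodings a certificate or key may be read from or written in. */
typedef enum {
	KMF_FORMAT_UNDEF = 0,
	KMF_FORMAT_ASN1 = 1,		/* DER */
	KMF_FORMAT_PEM = 2,
	KMF_FORMAT_PKCS12 = 3,
	KMF_FORMAT_RAWKEY = 4,		/* For FindKey operation */
	KMF_FORMAT_PEM_KEYPAIR = 5
} KMF_ENCODE_FORMAT;

/* "Native" is an alias of the undefined format. */
#define	KMF_FORMAT_NATIVE KMF_FORMAT_UNDEF

/* Validity filter applied when searching for certificates. */
typedef enum {
	KMF_ALL_CERTS = 0,
	KMF_NONEXPIRED_CERTS = 1,
	KMF_EXPIRED_CERTS = 2
} KMF_CERT_VALIDITY;


/* Criticality filter applied when enumerating certificate extensions. */
typedef enum {
	KMF_ALL_EXTNS = 0,
	KMF_CRITICAL_EXTNS = 1,
	KMF_NONCRITICAL_EXTNS = 2
} KMF_FLAG_CERT_EXTN;


/* Intended use of a key when a key-usage check is requested. */
typedef enum {
	KMF_KU_SIGN_CERT = 0,
	KMF_KU_SIGN_DATA = 1,
	KMF_KU_ENCRYPT_DATA = 2
} KMF_KU_PURPOSE;

/*
 * Algorithms
 * This type defines a set of constants used to identify cryptographic
 * algorithms.  Values are implicit (NONE = 0, CUSTOM = 1, ...); append only.
 * NOTE(review): the MD2/MD5-with-RSA entries identify legacy signatures
 * found in existing certificates; whether the library still accepts them
 * for verification or creation is decided by the callers, not here.
 */
typedef enum {
	KMF_ALGID_NONE = 0,
	KMF_ALGID_CUSTOM,
	KMF_ALGID_SHA1,
	KMF_ALGID_RSA,
	KMF_ALGID_DSA,
	KMF_ALGID_MD5WithRSA,
	KMF_ALGID_MD2WithRSA,
	KMF_ALGID_SHA1WithRSA,
	KMF_ALGID_SHA1WithDSA
} KMF_ALGORITHM_INDEX;


/*
 * Generic credential structure used by other structures below
 * to convey authentication information to the underlying
 * mechanisms.  credlen is the byte length of cred; the buffer is a
 * counted byte string, not necessarily NUL-terminated.  Ownership of
 * cred is not defined by this header -- confirm against the API that
 * fills it -- and whoever releases it should clear the bytes first,
 * since they are authentication material.
 */
typedef struct {
	char		*cred;
	uint32_t	credlen;
} KMF_CREDENTIAL;

/*
 * Key algorithm of a key object.  RC4 and single DES are retained for
 * identifying existing keys; they are not modern choices for new keys.
 */
typedef enum {
	KMF_KEYALG_NONE = 0,
	KMF_RSA = 1,
	KMF_DSA = 2,
	KMF_AES = 3,
	KMF_RC4 = 4,
	KMF_DES = 5,
	KMF_DES3 = 6,
	KMF_GENERIC_SECRET = 7
} KMF_KEY_ALG;

/* Which half of a keypair (or a symmetric key) a key object holds. */
typedef enum {
	KMF_KEYCLASS_NONE = 0,
	KMF_ASYM_PUB = 1,	/* public key of an asymmetric keypair */
	KMF_ASYM_PRI = 2,	/* private key of an asymmetric keypair */
	KMF_SYMMETRIC = 3	/* symmetric key */
} KMF_KEY_CLASS;


/* Kind of PKI object an operation refers to. */
typedef enum {
	KMF_CERT = 0,
	KMF_CSR = 1,
	KMF_CRL = 2
} KMF_OBJECT_TYPE;


/*
 * KMF_RAW_RSA_KEY
 * RSA key components as big integers.  By their names these are
 * presumably the PKCS#1 RSAPrivateKey fields (n, e, d, p, q, dP, dQ,
 * qInv); for a public key only mod and pubexp would be populated --
 * verify against the code that fills this in.
 */
typedef struct {
	KMF_BIGINT	mod;
	KMF_BIGINT	pubexp;
	KMF_BIGINT	priexp;
	KMF_BIGINT	prime1;
	KMF_BIGINT	prime2;
	KMF_BIGINT	exp1;
	KMF_BIGINT	exp2;
	KMF_BIGINT	coef;
} KMF_RAW_RSA_KEY;

/*
 * KMF_RAW_DSA_KEY
 * DSA domain parameters and key values as big integers (presumably
 * p, q, g, private x and public y -- verify against the caller).
 */
typedef struct {
	KMF_BIGINT	prime;
	KMF_BIGINT	subprime;
	KMF_BIGINT	base;
	KMF_BIGINT	value;
	KMF_BIGINT	pubvalue;
} KMF_RAW_DSA_KEY;

/* Symmetric key bytes. */
typedef struct {
	KMF_BIGINT	keydata;
} KMF_RAW_SYM_KEY;

/*
 * KMF_RAW_KEY_DATA
 * A key exported in raw form; keytype selects the union member.
 * sensitive / not_extractable presumably mirror the PKCS#11
 * CKA_SENSITIVE / CKA_EXTRACTABLE attributes of the source object --
 * confirm against the keystore plugins.  The union holds private key
 * material in plain memory; the owner should clear the KMF_BIGINT buffers
 * before freeing them.
 */
typedef struct {
	KMF_KEY_ALG	keytype;
	boolean_t	sensitive;
	boolean_t	not_extractable;
	union {
		KMF_RAW_RSA_KEY	rsa;
		KMF_RAW_DSA_KEY	dsa;
		KMF_RAW_SYM_KEY	sym;
	} rawdata;
} KMF_RAW_KEY_DATA;


/*
 * KMF_KEY_HANDLE
 * Opaque reference to a key held by one of the keystores.  keyp is
 * keystore-specific; when israw is set it is presumably a
 * KMF_RAW_KEY_DATA -- confirm against the plugin that sets it.
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	KMF_KEY_ALG		keyalg;
	KMF_KEY_CLASS		keyclass;
	boolean_t		israw;
	char			*keylabel;
	void			*keyp;
} KMF_KEY_HANDLE;

/* Keystore-specific error code, tagged with the keystore that produced it. */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	uint32_t		errcode;
} KMF_ERROR;

/*
 * Typenames to use with subjectAltName.  Values follow the GeneralName
 * CHOICE tags (otherName = 0 ... registeredID = 8).
 */
typedef enum {
	GENNAME_OTHERNAME = 0x00,
	GENNAME_RFC822NAME,
	GENNAME_DNSNAME,
	GENNAME_X400ADDRESS,
	GENNAME_DIRECTORYNAME,
	GENNAME_EDIPARTYNAME,
	GENNAME_URI,
	GENNAME_IPADDRESS,
	GENNAME_REGISTEREDID
} KMF_GENERALNAMECHOICES;

/*
 * KMF_FIELD
 * This structure contains the OID/value pair for any item that can be
 * identified by an OID.
 */
typedef struct
{
	KMF_OID		FieldOid;
	KMF_DATA	FieldValue;
} KMF_FIELD;

/*
 * KMF_RETURN
 * Status codes returned by the library.  KMF_OK is zero; every other value
 * is an error.  Values are explicit so that they are stable across builds;
 * 0x08-0x0a and 0x0e-0x0f are not assigned in this header.
 */
typedef enum {
	KMF_OK = 0x00,
	KMF_ERR_BAD_PARAMETER = 0x01,
	KMF_ERR_BAD_KEY_FORMAT = 0x02,
	KMF_ERR_BAD_ALGORITHM = 0x03,
	KMF_ERR_MEMORY = 0x04,
	KMF_ERR_ENCODING = 0x05,
	KMF_ERR_PLUGIN_INIT = 0x06,
	KMF_ERR_PLUGIN_NOTFOUND = 0x07,
	KMF_ERR_INTERNAL = 0x0b,
	KMF_ERR_BAD_CERT_FORMAT = 0x0c,
	KMF_ERR_KEYGEN_FAILED = 0x0d,
	KMF_ERR_UNINITIALIZED = 0x10,
	KMF_ERR_ISSUER = 0x11,
	KMF_ERR_NOT_REVOKED = 0x12,
	KMF_ERR_CERT_NOT_FOUND = 0x13,
	KMF_ERR_CRL_NOT_FOUND = 0x14,
	KMF_ERR_RDN_PARSER = 0x15,
	KMF_ERR_RDN_ATTR = 0x16,
	KMF_ERR_SLOTNAME = 0x17,
	KMF_ERR_EMPTY_CRL = 0x18,
	KMF_ERR_BUFFER_SIZE = 0x19,
	KMF_ERR_AUTH_FAILED = 0x1a,
	KMF_ERR_TOKEN_SELECTED = 0x1b,
	KMF_ERR_NO_TOKEN_SELECTED = 0x1c,
	KMF_ERR_TOKEN_NOT_PRESENT = 0x1d,
	KMF_ERR_EXTENSION_NOT_FOUND = 0x1e,
	KMF_ERR_POLICY_ENGINE = 0x1f,
	KMF_ERR_POLICY_DB_FORMAT = 0x20,
	KMF_ERR_POLICY_NOT_FOUND = 0x21,
	KMF_ERR_POLICY_DB_FILE = 0x22,
	KMF_ERR_POLICY_NAME = 0x23,
	KMF_ERR_OCSP_POLICY = 0x24,
	KMF_ERR_TA_POLICY = 0x25,
	KMF_ERR_KEY_NOT_FOUND = 0x26,
	KMF_ERR_OPEN_FILE = 0x27,
	KMF_ERR_OCSP_BAD_ISSUER = 0x28,
	KMF_ERR_OCSP_BAD_CERT = 0x29,
	KMF_ERR_OCSP_CREATE_REQUEST = 0x2a,
	KMF_ERR_CONNECT_SERVER = 0x2b,
	KMF_ERR_SEND_REQUEST = 0x2c,
	KMF_ERR_OCSP_CERTID = 0x2d,
	KMF_ERR_OCSP_MALFORMED_RESPONSE = 0x2e,
	KMF_ERR_OCSP_RESPONSE_STATUS = 0x2f,
	KMF_ERR_OCSP_NO_BASIC_RESPONSE = 0x30,
	KMF_ERR_OCSP_BAD_SIGNER = 0x31,
	KMF_ERR_OCSP_RESPONSE_SIGNATURE = 0x32,
	KMF_ERR_OCSP_UNKNOWN_CERT = 0x33,
	KMF_ERR_OCSP_STATUS_TIME_INVALID = 0x34,
	KMF_ERR_BAD_HTTP_RESPONSE = 0x35,
	KMF_ERR_RECV_RESPONSE = 0x36,
	KMF_ERR_RECV_TIMEOUT = 0x37,
	KMF_ERR_DUPLICATE_KEYFILE = 0x38,
	KMF_ERR_AMBIGUOUS_PATHNAME = 0x39,
	KMF_ERR_FUNCTION_NOT_FOUND = 0x3a,
	KMF_ERR_PKCS12_FORMAT = 0x3b,
	KMF_ERR_BAD_KEY_TYPE = 0x3c,
	KMF_ERR_BAD_KEY_CLASS = 0x3d,
	KMF_ERR_BAD_KEY_SIZE = 0x3e,
	KMF_ERR_BAD_HEX_STRING = 0x3f,
	KMF_ERR_KEYUSAGE = 0x40,
	KMF_ERR_VALIDITY_PERIOD = 0x41,
	KMF_ERR_OCSP_REVOKED = 0x42,
	KMF_ERR_CERT_MULTIPLE_FOUND = 0x43,
	KMF_ERR_WRITE_FILE = 0x44,
	KMF_ERR_BAD_URI = 0x45,
	KMF_ERR_BAD_CRLFILE = 0x46,
	KMF_ERR_BAD_CERTFILE = 0x47,
	KMF_ERR_GETKEYVALUE_FAILED = 0x48,
	KMF_ERR_BAD_KEYHANDLE = 0x49,
	KMF_ERR_BAD_OBJECT_TYPE = 0x4a,
	KMF_ERR_OCSP_RESPONSE_LIFETIME = 0x4b,
	KMF_ERR_UNKNOWN_CSR_ATTRIBUTE = 0x4c,
	KMF_ERR_UNINITIALIZED_TOKEN = 0x4d,
	KMF_ERR_INCOMPLETE_TBS_CERT = 0x4e,
	KMF_ERR_MISSING_ERRCODE = 0x4f,
	KMF_KEYSTORE_ALREADY_INITIALIZED = 0x50,
	KMF_ERR_SENSITIVE_KEY = 0x51,
	KMF_ERR_UNEXTRACTABLE_KEY = 0x52,
	KMF_ERR_KEY_MISMATCH = 0x53,
	KMF_ERR_ATTR_NOT_FOUND = 0x54
} KMF_RETURN;

/* Data structures for OCSP support */

/* Certificate status reported in an OCSP response. */
typedef enum {
	OCSP_GOOD = 0,
	OCSP_REVOKED = 1,
	OCSP_UNKNOWN = 2
} KMF_OCSP_CERT_STATUS;

/* Top-level OCSPResponseStatus of a response. */
typedef enum {
	OCSP_SUCCESS = 0,
	OCSP_MALFORMED_REQUEST = 1,
	OCSP_INTERNAL_ERROR = 2,
	OCSP_TRYLATER = 3,
	OCSP_SIGREQUIRED = 4,
	OCSP_UNAUTHORIZED = 5
} KMF_OCSP_RESPONSE_STATUS;

/* Revocation reason; OCSP_NOSTATUS means no reason was present. */
typedef enum {
	OCSP_NOSTATUS = -1,
	OCSP_UNSPECIFIED = 0,
	OCSP_KEYCOMPROMISE = 1,
	OCSP_CACOMPROMISE = 2,
	OCSP_AFFILIATIONCHANGE = 3,
	OCSP_SUPERCEDED = 4,
	OCSP_CESSATIONOFOPERATION = 5,
	OCSP_CERTIFICATEHOLD = 6,
	OCSP_REMOVEFROMCRL = 7
} KMF_OCSP_REVOKED_STATUS;

/* Broad class of a cryptographic algorithm.  Values are implicit; append only. */
typedef enum {
	KMF_ALGCLASS_NONE = 0,
	KMF_ALGCLASS_CUSTOM,
	KMF_ALGCLASS_SIGNATURE,
	KMF_ALGCLASS_SYMMETRIC,
	KMF_ALGCLASS_DIGEST,
	KMF_ALGCLASS_RANDOMGEN,
	KMF_ALGCLASS_UNIQUEGEN,
	KMF_ALGCLASS_MAC,
	KMF_ALGCLASS_ASYMMETRIC,
	KMF_ALGCLASS_KEYGEN,
	KMF_ALGCLASS_DERIVEKEY
} KMF_ALGCLASS;

/*
 * Certificate fields and extensions that can be selected for printing.
 * Values are implicit starting at 1; append only.
 */
typedef enum {
	KMF_CERT_ISSUER = 1,
	KMF_CERT_SUBJECT,
	KMF_CERT_VERSION,
	KMF_CERT_SERIALNUM,
	KMF_CERT_NOTBEFORE,
	KMF_CERT_NOTAFTER,
	KMF_CERT_PUBKEY_ALG,
	KMF_CERT_SIGNATURE_ALG,
	KMF_CERT_EMAIL,
	KMF_CERT_PUBKEY_DATA,
	KMF_X509_EXT_PRIV_KEY_USAGE_PERIOD,
	KMF_X509_EXT_CERT_POLICIES,
	KMF_X509_EXT_SUBJ_ALTNAME,
	KMF_X509_EXT_ISSUER_ALTNAME,
	KMF_X509_EXT_BASIC_CONSTRAINTS,
	KMF_X509_EXT_NAME_CONSTRAINTS,
	KMF_X509_EXT_POLICY_CONSTRAINTS,
	KMF_X509_EXT_EXT_KEY_USAGE,
	KMF_X509_EXT_INHIBIT_ANY_POLICY,
	KMF_X509_EXT_AUTH_KEY_ID,
	KMF_X509_EXT_SUBJ_KEY_ID,
	KMF_X509_EXT_POLICY_MAPPINGS,
	KMF_X509_EXT_CRL_DIST_POINTS,
	KMF_X509_EXT_FRESHEST_CRL,
	KMF_X509_EXT_KEY_USAGE
} KMF_PRINTABLE_ITEM;

/*
 * KMF_X509_ALGORITHM_IDENTIFIER
 * This structure holds an object identifier naming a
 * cryptographic algorithm and an optional set of
 * parameters to be used as input to that algorithm.
 */
typedef struct
{
	KMF_OID		algorithm;
	KMF_DATA	parameters;
} KMF_X509_ALGORITHM_IDENTIFIER;

/*
 * KMF_X509_TYPE_VALUE_PAIR
 * This structure contains a type-value pair (one attribute of an RDN).
 */
typedef struct
{
	KMF_OID		type;
	uint8_t		valueType; /* The Tag to use when BER encoded */
	KMF_DATA	value;
} KMF_X509_TYPE_VALUE_PAIR;


/*
 * KMF_X509_RDN
 * This structure contains a Relative Distinguished Name
 * composed of an ordered set of type-value pairs.
 * numberOfPairs is the element count of AttributeTypeAndValue.
 */
typedef struct
{
	uint32_t			numberOfPairs;
	KMF_X509_TYPE_VALUE_PAIR	*AttributeTypeAndValue;
} KMF_X509_RDN;

/*
 * KMF_X509_NAME
 * This structure contains a set of Relative Distinguished Names.
 * numberOfRDNs is the element count of RelativeDistinguishedName.
 */
typedef struct
{
	uint32_t	numberOfRDNs;
	KMF_X509_RDN	*RelativeDistinguishedName;
} KMF_X509_NAME;

/*
 * KMF_X509_SPKI
 * This structure contains the public key and the
 * description of the verification algorithm
 * appropriate for use with this key.
 */
typedef struct
{
	KMF_X509_ALGORITHM_IDENTIFIER	algorithm;
	KMF_DATA			subjectPublicKey;
} KMF_X509_SPKI;

/*
 * KMF_X509_TIME
 * Time is represented as a string according to the
 * definitions of GeneralizedTime and UTCTime
 * defined in RFC 2459.  timeType presumably carries the ASN.1 tag
 * distinguishing the two -- confirm against the encoder.
 */
typedef struct
{
	uint8_t		timeType;
	KMF_DATA	time;
} KMF_X509_TIME;

/*
 * KMF_X509_VALIDITY
 * The notBefore/notAfter pair of a certificate.
 */
typedef struct
{
	KMF_X509_TIME	notBefore;
	KMF_X509_TIME	notAfter;
} KMF_X509_VALIDITY;

/*
 * KMF_X509EXT_BASICCONSTRAINTS
 * Decoded BasicConstraints extension.  pathLenConstraint is only
 * meaningful when pathLenConstraintPresent is KMF_TRUE.
 */
typedef struct
{
	KMF_BOOL	cA;
	KMF_BOOL	pathLenConstraintPresent;
	uint32_t	pathLenConstraint;
} KMF_X509EXT_BASICCONSTRAINTS;

/*
 * KMF_X509EXT_DATA_FORMAT
 * This list defines the valid formats for a certificate extension.
 */
typedef enum
{
	KMF_X509_DATAFORMAT_ENCODED = 0,
	KMF_X509_DATAFORMAT_PARSED,
	KMF_X509_DATAFORMAT_PAIR
} KMF_X509EXT_DATA_FORMAT;


/*
 * KMF_X509EXT_TAGandVALUE
 * This structure contains a BER/DER encoded
 * extension value and the type of that value.
 */
typedef struct
{
	uint8_t		type;
	KMF_DATA	value;
} KMF_X509EXT_TAGandVALUE;


/*
 * KMF_X509EXT_PAIR
 * This structure aggregates two extension representations:
 * a tag and value, and a parsed X509 extension representation.
 */
typedef struct
{
	KMF_X509EXT_TAGandVALUE	tagAndValue;
	void			*parsedValue;
} KMF_X509EXT_PAIR;

/*
 * KMF_X509_EXTENSION
 * This structure contains a complete certificate extension.
 * format selects which member of value is in use (encoded, parsed or
 * pair); BERvalue keeps the raw encoded extension value.
 */
typedef struct
{
	KMF_OID			extnId;
	KMF_BOOL		critical;
	KMF_X509EXT_DATA_FORMAT	format;
	union
	{
		KMF_X509EXT_TAGandVALUE	*tagAndValue;
		void			*parsedValue;
		KMF_X509EXT_PAIR	*valuePair;
	} value;
	KMF_DATA		BERvalue;
} KMF_X509_EXTENSION;


/*
 * KMF_X509_EXTENSIONS
 * This structure contains the set of all certificate
 * extensions contained in a certificate.
 * numberOfExtensions is the element count of extensions.
 */
typedef struct
{
	uint32_t		numberOfExtensions;
	KMF_X509_EXTENSION	*extensions;
} KMF_X509_EXTENSIONS;

/*
 * KMF_X509_TBS_CERT
 * This structure contains a complete X.509 TBSCertificate, i.e. the
 * signed portion of a certificate.
 */
typedef struct
{
	KMF_DATA			version;
	KMF_BIGINT			serialNumber;
	KMF_X509_ALGORITHM_IDENTIFIER	signature;
	KMF_X509_NAME			issuer;
	KMF_X509_VALIDITY		validity;
	KMF_X509_NAME			subject;
	KMF_X509_SPKI			subjectPublicKeyInfo;
	KMF_DATA			issuerUniqueIdentifier;
	KMF_DATA			subjectUniqueIdentifier;
	KMF_X509_EXTENSIONS		extensions;
} KMF_X509_TBS_CERT;

/*
 * KMF_X509_SIGNATURE
 * This structure contains a cryptographic digital signature.
 */
typedef struct
{
	KMF_X509_ALGORITHM_IDENTIFIER	algorithmIdentifier;
	KMF_DATA			encrypted;
} KMF_X509_SIGNATURE;

/*
 * KMF_X509_CERTIFICATE
 * This structure associates a set of decoded certificate
 * values with the signature covering those values.
 */
typedef struct
{
	KMF_X509_TBS_CERT	certificate;
	KMF_X509_SIGNATURE	signature;
} KMF_X509_CERTIFICATE;

/*
 * Address of the signature-algorithm OID inside the TBS portion, and of
 * the algorithm OID in the outer signature, of a KMF_X509_CERTIFICATE *.
 * Verifiers should compare the two: a mismatch means the outer
 * AlgorithmIdentifier was not covered by the signature.  Argument and
 * expansion are parenthesized so that any pointer expression is safe.
 */
#define	CERT_ALG_OID(c)	(&(c)->certificate.signature.algorithm)
#define	CERT_SIG_OID(c)	(&(c)->signature.algorithmIdentifier.algorithm)

/*
 * KMF_TBS_CSR
 * This structure contains a complete PKCS#10 certificate request
 */
typedef struct
{
	KMF_DATA		version;
	KMF_X509_NAME		subject;
	KMF_X509_SPKI		subjectPublicKeyInfo;
	KMF_X509_EXTENSIONS	extensions;
} KMF_TBS_CSR;

/*
 * KMF_CSR_DATA
 * This structure contains a complete PKCS#10 certificate signed request
 */
typedef struct
{
	KMF_TBS_CSR		csr;
	KMF_X509_SIGNATURE	signature;
} KMF_CSR_DATA;

/*
 * KMF_X509EXT_POLICYQUALIFIERINFO
 * One PolicyQualifierInfo: qualifier OID plus its encoded value.
 */
typedef struct
{
	KMF_OID		policyQualifierId;
	KMF_DATA	value;
} KMF_X509EXT_POLICYQUALIFIERINFO;

/*
 * KMF_X509EXT_POLICYQUALIFIERS
 * Counted array of policy qualifiers.
 */
typedef struct
{
	uint32_t			numberOfPolicyQualifiers;
	KMF_X509EXT_POLICYQUALIFIERINFO	*policyQualifier;
} KMF_X509EXT_POLICYQUALIFIERS;

/*
 * KMF_X509EXT_POLICYINFO
 * One PolicyInformation entry of the CertificatePolicies extension.
 */
typedef struct
{
	KMF_OID				policyIdentifier;
	KMF_X509EXT_POLICYQUALIFIERS	policyQualifiers;
} KMF_X509EXT_POLICYINFO;

/* Decoded CertificatePolicies extension: counted array of policy infos. */
typedef struct
{
	uint32_t		numberOfPolicyInfo;
	KMF_X509EXT_POLICYINFO	*policyInfo;
} KMF_X509EXT_CERT_POLICIES;

/* Decoded KeyUsage extension; KeyUsageBits uses the KMF_* bitmasks below. */
typedef struct
{
	uchar_t		critical;
	uint16_t	KeyUsageBits;
} KMF_X509EXT_KEY_USAGE;

/* Decoded ExtendedKeyUsage extension; nEKUs is the count of keyPurposeIdList. */
typedef struct
{
	uchar_t		critical;
	uint16_t	nEKUs;
	KMF_OID		*keyPurposeIdList;
} KMF_X509EXT_EKU;


/*
 * X509 AuthorityInfoAccess extension
 */
typedef struct
{
	KMF_OID		AccessMethod;
	KMF_DATA	AccessLocation;
} KMF_X509EXT_ACCESSDESC;

/* Counted array of access descriptions. */
typedef struct
{
	uint32_t		numberOfAccessDescription;
	KMF_X509EXT_ACCESSDESC	*AccessDesc;
} KMF_X509EXT_AUTHINFOACCESS;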
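

/*
 * X509 Crl Distribution Point extension
 */

/* One GeneralName: choice is the tag, name the (encoded) value. */
typedef struct {
	KMF_GENERALNAMECHOICES	choice;
	KMF_DATA		name;
} KMF_GENERALNAME;

/* Counted array of GeneralNames. */
typedef struct {
	uint32_t		number;
	KMF_GENERALNAME		*namelist;
} KMF_GENERALNAMES;

/* Which member of KMF_CRL_DIST_POINT.name is populated. */
typedef enum {
	DP_GENERAL_NAME = 1,
	DP_RELATIVE_NAME = 2
} KMF_CRL_DIST_POINT_TYPE;

/* One DistributionPoint; type selects the name union member. */
typedef struct {
	KMF_CRL_DIST_POINT_TYPE	type;
	union {
		KMF_GENERALNAMES	full_name;
		KMF_DATA		relative_name;
	} name;
	KMF_DATA		reasons;
	KMF_GENERALNAMES	crl_issuer;
} KMF_CRL_DIST_POINT;

/* Decoded CRLDistributionPoints extension: counted array of points. */
typedef struct {
	uint32_t		number;
	KMF_CRL_DIST_POINT	*dplist;
} KMF_X509EXT_CRLDISTPOINTS;

/*
 * KMF_ATTR_TYPE
 * Tags for the generic KMF_ATTRIBUTE list passed to the library's
 * attribute-based API.  Values are implicit starting at 0 and are part
 * of the binary interface; append new tags at the end only.
 */
typedef enum {
	KMF_DATA_ATTR,
	KMF_OID_ATTR,
	KMF_BIGINT_ATTR,
	KMF_X509_DER_CERT_ATTR,
	KMF_KEYSTORE_TYPE_ATTR,
	KMF_ENCODE_FORMAT_ATTR,
	KMF_CERT_VALIDITY_ATTR,
	KMF_KU_PURPOSE_ATTR,
	KMF_ALGORITHM_INDEX_ATTR,
	KMF_TOKEN_LABEL_ATTR,
	KMF_READONLY_ATTR,
	KMF_DIRPATH_ATTR,
	KMF_CERTPREFIX_ATTR,
	KMF_KEYPREFIX_ATTR,
	KMF_SECMODNAME_ATTR,
	KMF_CREDENTIAL_ATTR,
	KMF_TRUSTFLAG_ATTR,
	KMF_CRL_FILENAME_ATTR,
	KMF_CRL_CHECK_ATTR,
	KMF_CRL_DATA_ATTR,
	KMF_CRL_SUBJECT_ATTR,
	KMF_CRL_ISSUER_ATTR,
	KMF_CRL_NAMELIST_ATTR,
	KMF_CRL_COUNT_ATTR,
	KMF_CRL_OUTFILE_ATTR,
	KMF_CERT_LABEL_ATTR,
	KMF_SUBJECT_NAME_ATTR,
	KMF_ISSUER_NAME_ATTR,
	KMF_CERT_FILENAME_ATTR,
	KMF_KEY_FILENAME_ATTR,
	KMF_OUTPUT_FILENAME_ATTR,
	KMF_IDSTR_ATTR,
	KMF_CERT_DATA_ATTR,
	KMF_OCSP_RESPONSE_DATA_ATTR,
	KMF_OCSP_RESPONSE_STATUS_ATTR,
	KMF_OCSP_RESPONSE_REASON_ATTR,
	KMF_OCSP_RESPONSE_CERT_STATUS_ATTR,
	KMF_OCSP_REQUEST_FILENAME_ATTR,
	KMF_KEYALG_ATTR,
	KMF_KEYCLASS_ATTR,
	KMF_KEYLABEL_ATTR,
	KMF_KEYLENGTH_ATTR,
	KMF_RSAEXP_ATTR,
	KMF_TACERT_DATA_ATTR,
	KMF_SLOT_ID_ATTR,
	KMF_PK12CRED_ATTR,
	KMF_ISSUER_CERT_DATA_ATTR,
	KMF_USER_CERT_DATA_ATTR,
	KMF_SIGNER_CERT_DATA_ATTR,
	KMF_IGNORE_RESPONSE_SIGN_ATTR,
	KMF_RESPONSE_LIFETIME_ATTR,
	KMF_KEY_HANDLE_ATTR,
	KMF_PRIVKEY_HANDLE_ATTR,
	KMF_PUBKEY_HANDLE_ATTR,
	KMF_ERROR_ATTR,
	KMF_X509_NAME_ATTR,
	KMF_X509_SPKI_ATTR,
	KMF_X509_CERTIFICATE_ATTR,
	KMF_RAW_KEY_ATTR,
	KMF_CSR_DATA_ATTR,
	KMF_GENERALNAMECHOICES_ATTR,
	KMF_STOREKEY_BOOL_ATTR,
	KMF_SENSITIVE_BOOL_ATTR,
	KMF_NON_EXTRACTABLE_BOOL_ATTR,
	KMF_TOKEN_BOOL_ATTR,
	KMF_PRIVATE_BOOL_ATTR,
	KMF_NEWPIN_ATTR,
	KMF_IN_SIGN_ATTR,
	KMF_OUT_DATA_ATTR,
	KMF_COUNT_ATTR,
	KMF_DESTROY_BOOL_ATTR,
	KMF_TBS_CERT_DATA_ATTR,
	KMF_PLAINTEXT_DATA_ATTR,
	KMF_CIPHERTEXT_DATA_ATTR,
	KMF_VALIDATE_RESULT_ATTR,
	KMF_KEY_DATA_ATTR
} KMF_ATTR_TYPE;

/*
 * KMF_ATTRIBUTE
 * One tagged, untyped value: pValue points at valueLen bytes whose actual
 * type is implied by `type`.  Nothing here enforces that pairing, so a
 * consumer must check valueLen against the size of the expected type
 * before casting pValue.
 */
typedef struct {
	KMF_ATTR_TYPE	type;
	void		*pValue;
	uint32_t	valueLen;
} KMF_ATTRIBUTE;

/*
 * Definitions for common X.509v3 certificate attribute OIDs
 *
 * Each OID_* macro expands to a comma-separated list of the encoded OID
 * bytes, so it can be used as an initializer list; the matching *_LENGTH
 * macro gives the number of bytes in that list.
 */
#define	OID_ISO_MEMBER			42	/* Also in PKCS */
#define	OID_US				OID_ISO_MEMBER, 134, 72 /* Also in PKCS */
#define	OID_CA				OID_ISO_MEMBER, 124

#define	OID_ISO_IDENTIFIED_ORG		43
#define	OID_OSINET			OID_ISO_IDENTIFIED_ORG, 4
#define	OID_GOSIP			OID_ISO_IDENTIFIED_ORG, 5
#define	OID_DOD				OID_ISO_IDENTIFIED_ORG, 6
#define	OID_OIW				OID_ISO_IDENTIFIED_ORG, 14 /* Also in x9.57 */

#define	OID_ISO_CCITT_DIR_SERVICE	85
#define	OID_ISO_CCITT_COUNTRY		96
#define	OID_COUNTRY_US			OID_ISO_CCITT_COUNTRY, 134, 72
#define	OID_COUNTRY_CA			OID_ISO_CCITT_COUNTRY, 124
#define	OID_COUNTRY_US_ORG		OID_COUNTRY_US, 1
#define	OID_COUNTRY_US_MHS_MD		OID_COUNTRY_US, 2
#define	OID_COUNTRY_US_STATE		OID_COUNTRY_US, 3

/* From the PKCS Standards */
#define	OID_ISO_MEMBER_LENGTH		1
#define	OID_US_LENGTH			(OID_ISO_MEMBER_LENGTH + 2)

#define	OID_RSA				OID_US, 134, 247, 13
#define	OID_RSA_LENGTH			(OID_US_LENGTH + 3)

#define	OID_RSA_HASH			OID_RSA, 2
#define	OID_RSA_HASH_LENGTH		(OID_RSA_LENGTH + 1)

#define	OID_RSA_ENCRYPT			OID_RSA, 3
#define	OID_RSA_ENCRYPT_LENGTH		(OID_RSA_LENGTH + 1)

#define	OID_PKCS			OID_RSA, 1
#define	OID_PKCS_LENGTH			(OID_RSA_LENGTH + 1)

#define	OID_PKCS_1			OID_PKCS, 1
#define	OID_PKCS_1_LENGTH		(OID_PKCS_LENGTH + 1)

#define	OID_PKCS_2			OID_PKCS, 2
#define	OID_PKCS_3			OID_PKCS, 3
#define	OID_PKCS_3_LENGTH		(OID_PKCS_LENGTH + 1)

#define	OID_PKCS_4			OID_PKCS, 4
#define	OID_PKCS_5			OID_PKCS, 5
#define	OID_PKCS_5_LENGTH		(OID_PKCS_LENGTH + 1)
#define	OID_PKCS_6			OID_PKCS, 6
#define	OID_PKCS_7			OID_PKCS, 7
#define	OID_PKCS_7_LENGTH		(OID_PKCS_LENGTH + 1)

#define	OID_PKCS_7_Data			OID_PKCS_7, 1
#define	OID_PKCS_7_SignedData		OID_PKCS_7, 2
#define	OID_PKCS_7_EnvelopedData	OID_PKCS_7, 3
#define	OID_PKCS_7_SignedAndEnvelopedData	OID_PKCS_7, 4
#define	OID_PKCS_7_DigestedData		OID_PKCS_7, 5
#define	OID_PKCS_7_EncryptedData	OID_PKCS_7, 6

#define	OID_PKCS_8			OID_PKCS, 8
#define	OID_PKCS_9			OID_PKCS, 9
#define	OID_PKCS_9_LENGTH		(OID_PKCS_LENGTH + 1)

#define	OID_PKCS_9_CONTENT_TYPE		OID_PKCS_9, 3
#define	OID_PKCS_9_MESSAGE_DIGEST	OID_PKCS_9, 4
#define	OID_PKCS_9_SIGNING_TIME		OID_PKCS_9, 5
#define	OID_PKCS_9_COUNTER_SIGNATURE	OID_PKCS_9, 6
#define	OID_PKCS_9_EXTENSION_REQUEST	OID_PKCS_9, 14

#define	OID_PKCS_10			OID_PKCS, 10

#define	OID_PKCS_12			OID_PKCS, 12
#define	OID_PKCS_12_LENGTH		(OID_PKCS_LENGTH + 1)

/*
 * PKCS#12 password-based encryption scheme OIDs.  These identify the
 * schemes found in existing PKCS#12 files; all are built on RC4, RC2 or
 * (2-/3-key) triple DES, so they are legacy identifiers rather than
 * recommended choices.
 */
#define	PBEWithSHAAnd128BitRC4		OID_PKCS_12, 1, 1
#define	PBEWithSHAAnd40BitRC4		OID_PKCS_12, 1, 2
#define	PBEWithSHAAnd3KeyTripleDES_CBC	OID_PKCS_12, 1, 3
#define	PBEWithSHAAnd2KeyTripleDES_CBC	OID_PKCS_12, 1, 4
#define	PBEWithSHAAnd128BitRC2_CBC	OID_PKCS_12, 1, 5
#define	PBEWithSHAAnd40BitRC2_CBC	OID_PKCS_12, 1, 6

#define	OID_BAG_TYPES			OID_PKCS_12, 10, 1
#define	OID_KeyBag			OID_BAG_TYPES, 1
#define	OID_PKCS8ShroudedKeyBag		OID_BAG_TYPES, 2
#define	OID_CertBag			OID_BAG_TYPES, 3
#define	OID_CrlBag			OID_BAG_TYPES, 4
#define	OID_SecretBag			OID_BAG_TYPES, 5
#define	OID_SafeContentsBag		OID_BAG_TYPES, 6

#define	OID_ContentInfo			OID_PKCS_7, 0, 1

#define	OID_CERT_TYPES			OID_PKCS_9, 22
#define	OID_x509Certificate		OID_CERT_TYPES, 1
#define	OID_sdsiCertificate		OID_CERT_TYPES, 2

#define	OID_CRL_TYPES			OID_PKCS_9, 23
#define	OID_x509Crl			OID_CRL_TYPES, 1

#define	OID_DS				OID_ISO_CCITT_DIR_SERVICE /* Also in X.501 */
#define	OID_DS_LENGTH			1

#define	OID_ATTR_TYPE			OID_DS, 4	/* Also in X.501 */
#define	OID_ATTR_TYPE_LENGTH		(OID_DS_LENGTH + 1)

#define	OID_DSALG			OID_DS, 8	/* Also in X.501 */
#define	OID_DSALG_LENGTH		(OID_DS_LENGTH + 1)

#define	OID_EXTENSION			OID_DS, 29	/* Also in X.501 */
#define	OID_EXTENSION_LENGTH		(OID_DS_LENGTH + 1)

/*
 * From RFC 1274:
 * {itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100) pilotAttributeType(1) }
 */
#define	OID_PILOT	0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x1
#define	OID_PILOT_LENGTH		9

/*
 * userid is { pilotAttributeType 1 }.  The separating comma is required:
 * without it the list does not expand to OID_PILOT_LENGTH + 1 elements,
 * which is what OID_USERID_LENGTH promises.
 */
#define	OID_USERID			OID_PILOT, 1
#define	OID_USERID_LENGTH		(OID_PILOT_LENGTH + 1)

/*
 * From PKIX part1
 * { iso(1) identified-organization(3) dod(6) internet(1)
 *   security(5) mechanisms(5) pkix(7) }
 */
#define	OID_PKIX			43, 6, 1, 5, 5, 7
#define	OID_PKIX_LENGTH			6

/* private certificate extensions, { id-pkix 1 } */
#define	OID_PKIX_PE			OID_PKIX, 1
#define	OID_PKIX_PE_LENGTH		(OID_PKIX_LENGTH + 1)

/* policy qualifier types {id-pkix 2 } */
#define	OID_PKIX_QT			OID_PKIX, 2
#define	OID_PKIX_QT_LENGTH		(OID_PKIX_LENGTH + 1)

/* CPS qualifier, { id-qt 1 } */
#define	OID_PKIX_QT_CPS			OID_PKIX_QT, 1
#define	OID_PKIX_QT_CPS_LENGTH		(OID_PKIX_QT_LENGTH + 1)
/* user notice qualifier, { id-qt 2 } */
#define	OID_PKIX_QT_UNOTICE		OID_PKIX_QT, 2
#define	OID_PKIX_QT_UNOTICE_LENGTH	(OID_PKIX_QT_LENGTH + 1)

/* extended key purpose OIDs {id-pkix 3 } */
#define	OID_PKIX_KP			OID_PKIX, 3
#define	OID_PKIX_KP_LENGTH		(OID_PKIX_LENGTH + 1)

/* access descriptors, id-ad = { id-pkix 48 } */
#define	OID_PKIX_AD			OID_PKIX, 48
#define	OID_PKIX_AD_LENGTH		(OID_PKIX_LENGTH + 1)

/* access descriptors */
/* OCSP */
#define	OID_PKIX_AD_OCSP		OID_PKIX_AD, 1
#define	OID_PKIX_AD_OCSP_LENGTH		(OID_PKIX_AD_LENGTH + 1)

/* cAIssuers */
#define	OID_PKIX_AD_CAISSUERS		OID_PKIX_AD, 2
#define	OID_PKIX_AD_CAISSUERS_LENGTH	(OID_PKIX_AD_LENGTH + 1)

/* end PKIX part1 */
/*
 * NOTE(review): the byte list below has 7 elements while the LENGTH is 8;
 * the extra byte is presumably a trailing component appended by the user
 * (cf. applTCPProtoID.port).  Confirm against the users before relying on
 * OID_APPL_TCP_PROTO_LENGTH for a bare OID_APPL_TCP_PROTO initializer.
 */
#define	OID_APPL_TCP_PROTO		43, 6, 1, 2, 1, 27, 4
#define	OID_APPL_TCP_PROTO_LENGTH	8

#define	OID_DAP				OID_DS, 3, 1
#define	OID_DAP_LENGTH			(OID_DS_LENGTH + 2)

/* From x9.57 */
#define	OID_OIW_LENGTH			2

#define	OID_OIW_SECSIG			OID_OIW, 3
#define	OID_OIW_SECSIG_LENGTH		(OID_OIW_LENGTH + 1)

#define	OID_OIW_ALGORITHM		OID_OIW_SECSIG, 2
#define	OID_OIW_ALGORITHM_LENGTH	(OID_OIW_SECSIG_LENGTH + 1)

#define	OID_OIWDIR			OID_OIW, 7, 2
#define	OID_OIWDIR_LENGTH		(OID_OIW_LENGTH + 2)

#define	OID_OIWDIR_CRPT			OID_OIWDIR, 1

#define	OID_OIWDIR_HASH			OID_OIWDIR, 2
#define	OID_OIWDIR_HASH_LENGTH		(OID_OIWDIR_LENGTH + 1)

#define	OID_OIWDIR_SIGN			OID_OIWDIR, 3
#define	OID_OIWDIR_SIGN_LENGTH		(OID_OIWDIR_LENGTH + 1)

#define	OID_X9CM			OID_US, 206, 56
#define	OID_X9CM_MODULE			OID_X9CM, 1
#define	OID_X9CM_INSTRUCTION		OID_X9CM, 2
#define	OID_X9CM_ATTR			OID_X9CM, 3
#define	OID_X9CM_X9ALGORITHM		OID_X9CM, 4
#define	OID_X9CM_X9ALGORITHM_LENGTH	((OID_US_LENGTH) + 2 + 1)

#define	INTEL				96, 134, 72, 1, 134, 248, 77
#define	INTEL_LENGTH			7

/*
 * INTEL_CDSASECURITY and INTEL_CDSASECURITY_LENGTH are not defined in
 * this header; expanding the four macros below requires a definition
 * from elsewhere.
 */
#define	INTEL_SEC_FORMATS		INTEL_CDSASECURITY, 1
#define	INTEL_SEC_FORMATS_LENGTH	(INTEL_CDSASECURITY_LENGTH + 1)

#define	INTEL_SEC_ALGS			INTEL_CDSASECURITY, 2, 5
#define	INTEL_SEC_ALGS_LENGTH		(INTEL_CDSASECURITY_LENGTH + 2)

/* Pre-built OID constants for X.500/X.520 attribute types and PKCS#9 attributes. */
extern const KMF_OID
KMFOID_AliasedEntryName,
KMFOID_AuthorityRevocationList,
KMFOID_BusinessCategory,
KMFOID_CACertificate,
KMFOID_CertificateRevocationList,
KMFOID_ChallengePassword,
KMFOID_CollectiveFacsimileTelephoneNumber,
KMFOID_CollectiveInternationalISDNNumber,
KMFOID_CollectiveOrganizationName,
KMFOID_CollectiveOrganizationalUnitName,
KMFOID_CollectivePhysicalDeliveryOfficeName,
KMFOID_CollectivePostOfficeBox,
KMFOID_CollectivePostalAddress,
KMFOID_CollectivePostalCode,
KMFOID_CollectiveStateProvinceName,
KMFOID_CollectiveStreetAddress,
KMFOID_CollectiveTelephoneNumber,
KMFOID_CollectiveTelexNumber,
KMFOID_CollectiveTelexTerminalIdentifier,
KMFOID_CommonName,
KMFOID_ContentType,
KMFOID_CounterSignature,
KMFOID_CountryName,
KMFOID_CrossCertificatePair,
KMFOID_DNQualifier,
KMFOID_Description,
KMFOID_DestinationIndicator,
KMFOID_DistinguishedName,
KMFOID_EmailAddress,
KMFOID_EnhancedSearchGuide,
KMFOID_ExtendedCertificateAttributes,
KMFOID_ExtensionRequest,
KMFOID_FacsimileTelephoneNumber,
KMFOID_GenerationQualifier,
KMFOID_GivenName,
KMFOID_HouseIdentifier,
KMFOID_Initials,
KMFOID_InternationalISDNNumber,
KMFOID_KnowledgeInformation,
KMFOID_LocalityName,
KMFOID_Member,
KMFOID_MessageDigest,
KMFOID_Name,
KMFOID_ObjectClass,
KMFOID_OrganizationName,
KMFOID_OrganizationalUnitName,
KMFOID_Owner,
KMFOID_PhysicalDeliveryOfficeName,
KMFOID_PostOfficeBox,
KMFOID_PostalAddress,
KMFOID_PostalCode,
KMFOID_PreferredDeliveryMethod,
KMFOID_PresentationAddress,
KMFOID_ProtocolInformation,
KMFOID_RFC822mailbox,
KMFOID_RegisteredAddress,
KMFOID_RoleOccupant,
KMFOID_SearchGuide,
KMFOID_SeeAlso,
KMFOID_SerialNumber,
KMFOID_SigningTime,
KMFOID_StateProvinceName,
KMFOID_StreetAddress,
KMFOID_SupportedApplicationContext,
KMFOID_Surname,
KMFOID_TelephoneNumber,
KMFOID_TelexNumber,
KMFOID_TelexTerminalIdentifier,
KMFOID_Title,
KMFOID_UniqueIdentifier,
KMFOID_UniqueMember,
KMFOID_UnstructuredAddress,
KMFOID_UnstructuredName,
KMFOID_UserCertificate,
KMFOID_UserPassword,
KMFOID_X_121Address,
KMFOID_domainComponent,
KMFOID_userid;

/* Pre-built OID constants for certificate/CRL extensions, PKIX arcs and algorithms. */
extern const KMF_OID
KMFOID_AuthorityKeyID,
KMFOID_AuthorityInfoAccess,
KMFOID_VerisignCertificatePolicy,
KMFOID_KeyUsageRestriction,
KMFOID_SubjectDirectoryAttributes,
KMFOID_SubjectKeyIdentifier,
KMFOID_KeyUsage,
KMFOID_PrivateKeyUsagePeriod,
KMFOID_SubjectAltName,
KMFOID_IssuerAltName,
KMFOID_BasicConstraints,
KMFOID_CrlNumber,
KMFOID_CrlReason,
KMFOID_HoldInstructionCode,
KMFOID_InvalidityDate,
KMFOID_DeltaCrlIndicator,
KMFOID_IssuingDistributionPoints,
KMFOID_NameConstraints,
KMFOID_CrlDistributionPoints,
KMFOID_CertificatePolicies,
KMFOID_PolicyMappings,
KMFOID_PolicyConstraints,
KMFOID_AuthorityKeyIdentifier,
KMFOID_ExtendedKeyUsage,
KMFOID_PkixAdOcsp,
KMFOID_PkixAdCaIssuers,
KMFOID_PKIX_PQ_CPSuri,
KMFOID_PKIX_PQ_Unotice,
KMFOID_PKIX_KP_ServerAuth,
KMFOID_PKIX_KP_ClientAuth,
KMFOID_PKIX_KP_CodeSigning,
KMFOID_PKIX_KP_EmailProtection,
KMFOID_PKIX_KP_IPSecEndSystem,
KMFOID_PKIX_KP_IPSecTunnel,
KMFOID_PKIX_KP_IPSecUser,
KMFOID_PKIX_KP_TimeStamping,
KMFOID_PKIX_KP_OCSPSigning,
KMFOID_SHA1,
KMFOID_RSA,
KMFOID_DSA,
KMFOID_MD5WithRSA,
KMFOID_MD2WithRSA,
KMFOID_SHA1WithRSA,
KMFOID_SHA1WithDSA,
KMFOID_OIW_DSAWithSHA1,
KMFOID_X9CM_DSA,
KMFOID_X9CM_DSAWithSHA1;

/*
 * KMF Certificate validation codes. These may be masked together.
 * Each code is a distinct bit, so a validation result of 0 means every
 * check passed and any non-zero result names every check that failed.
 */
#define	KMF_CERT_VALIDATE_OK			0x00
#define	KMF_CERT_VALIDATE_ERR_TA		0x01
#define	KMF_CERT_VALIDATE_ERR_USER		0x02
#define	KMF_CERT_VALIDATE_ERR_SIGNATURE		0x04
#define	KMF_CERT_VALIDATE_ERR_KEYUSAGE		0x08
#define	KMF_CERT_VALIDATE_ERR_EXT_KEYUSAGE	0x10
#define	KMF_CERT_VALIDATE_ERR_TIME		0x20
#define	KMF_CERT_VALIDATE_ERR_CRL		0x40
#define	KMF_CERT_VALIDATE_ERR_OCSP		0x80
#define	KMF_CERT_VALIDATE_ERR_ISSUER		0x100

/*
 * KMF Key Usage bitmasks
 * Bit positions follow the KeyUsage BIT STRING with bit 0 (digitalSignature)
 * as the most significant bit of the 16-bit value.
 */
#define	KMF_digitalSignature	0x8000
#define	KMF_nonRepudiation	0x4000
#define	KMF_keyEncipherment	0x2000
#define	KMF_dataEncipherment	0x1000
#define	KMF_keyAgreement	0x0800
#define	KMF_keyCertSign		0x0400
#define	KMF_cRLSign		0x0200
#define	KMF_encipherOnly	0x0100
#define	KMF_decipherOnly	0x0080

/* Union of the nine KeyUsage bits above. */
#define	KMF_KUBITMASK		0xFF80

/*
 * KMF Extended KeyUsage bit flags, one per supported key-purpose OID.
 */
#define	KMF_EKU_SERVERAUTH	0x01
#define	KMF_EKU_CLIENTAUTH	0x02
#define	KMF_EKU_CODESIGNING	0x04
#define	KMF_EKU_EMAIL		0x08
#define	KMF_EKU_TIMESTAMP	0x10
#define	KMF_EKU_OCSPSIGNING	0x20


/*
 * Legacy support only - do not use these data structures - they can be
 * removed at any time.
 */

/* Keystore Configuration */
typedef struct {
	char		*configdir;
	char		*certPrefix;
	char		*keyPrefix;
	char		*secModName;
} KMF_NSS_CONFIG;

typedef struct {
	char		*label;
	boolean_t	readonly;
} KMF_PKCS11_CONFIG;

typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	union {
		KMF_NSS_CONFIG		nss_conf;
		KMF_PKCS11_CONFIG	pkcs11_conf;
	} ks_config_u;
} KMF_CONFIG_PARAMS;

/*
 * Shorthand for the union members above.  These are unprefixed,
 * lower-case macros, so any identifier spelled nssconfig or pkcs11config
 * in a translation unit that includes this header is rewritten.
 */
#define	nssconfig	ks_config_u.nss_conf
#define	pkcs11config	ks_config_u.pkcs11_conf


typedef struct
{
	char		*trustflag;
	char		*slotlabel;	/* "internal" by default */
	int		issuerId;
	int		subjectId;
	char		*crlfile;	/* for ImportCRL */
	boolean_t	crl_check;	/* for ImportCRL */

	/*
	 * The following 2 variables are for FindCertInCRL. The caller can
	 * either specify certLabel or provide the entire certificate in
	 * DER format as input.
	 */
	char		*certLabel;	/* for FindCertInCRL */
	KMF_DATA	*certificate;	/* for FindCertInCRL */

	/*
	 * crl_subjName and crl_issuerName are used as the CRL deletion
	 * criteria. One should be non-NULL and the other one should be NULL.
	 * If crl_subjName is not NULL, then delete CRL by the subject name.
	 * Otherwise, delete by the issuer name.
	 */
	char		*crl_subjName;
	char		*crl_issuerName;
} KMF_NSS_PARAMS;

typedef struct {
	char			*dirpath;
	char			*certfile;
	char			*crlfile;
	char			*keyfile;
	char			*outcrlfile;
	boolean_t		crl_check;	/* CRL import check; default is true */
	KMF_ENCODE_FORMAT	format;		/* output file format */
} KMF_OPENSSL_PARAMS;

/*
 * PKCS#11 object attributes to match or set.  The member named `private`
 * is a C++ keyword, so this legacy struct cannot be compiled as C++
 * despite the extern "C" guards; the name is kept for binary and source
 * compatibility with existing C callers.
 */
typedef struct {
	boolean_t	private;	/* for finding CKA_PRIVATE objects */
	boolean_t	sensitive;
	boolean_t	not_extractable;
	boolean_t	token;		/* true == token object, false == session */
} KMF_PKCS11_PARAMS;

typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	char			*certLabel;
	char			*issuer;
	char			*subject;
	char			*idstr;
	KMF_BIGINT		*serial;
	KMF_CERT_VALIDITY	find_cert_validity;

	union {
		KMF_NSS_PARAMS		nss_opts;
		KMF_OPENSSL_PARAMS	openssl_opts;
		KMF_PKCS11_PARAMS	pkcs11_opts;
	} ks_opt_u;
} KMF_FINDCERT_PARAMS, KMF_DELETECERT_PARAMS;

typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	KMF_CREDENTIAL		cred;
	KMF_KEY_CLASS		keyclass;
	KMF_KEY_ALG		keytype;
	KMF_ENCODE_FORMAT	format;		/* for key */
	char			*findLabel;
	char			*idstr;
	union {
		KMF_NSS_PARAMS		nss_opts;
		KMF_OPENSSL_PARAMS	openssl_opts;
		KMF_PKCS11_PARAMS	pkcs11_opts;
	} ks_opt_u;
} KMF_FINDKEY_PARAMS;

typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	KMF_KEY_ALG		keytype;
	uint32_t		keylength;
	char			*keylabel;
	KMF_CREDENTIAL		cred;
	KMF_BIGINT		rsa_exponent;
	union {
		KMF_NSS_PARAMS		nss_opts;
		KMF_OPENSSL_PARAMS	openssl_opts;
	} ks_opt_u;
} KMF_CREATEKEYPAIR_PARAMS;


typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	KMF_CREDENTIAL		cred;
	KMF_ENCODE_FORMAT	format;		/* for key */
	char			*certLabel;
	KMF_ALGORITHM_INDEX	algid;
	union {
		KMF_NSS_PARAMS		nss_opts;
		KMF_OPENSSL_PARAMS	openssl_opts;
	} ks_opt_u;
} KMF_CRYPTOWITHCERT_PARAMS;

typedef struct {
	char		*crl_name;
} KMF_CHECKCRLDATE_PARAMS;

/*
 * Shorthand for the ks_opt_u members.  Like nssconfig/pkcs11config these
 * are unprefixed macros and rewrite any identifier of the same spelling
 * in including code.
 */
#define	nssparms	ks_opt_u.nss_opts
#define	sslparms	ks_opt_u.openssl_opts
#define	pkcs11parms	ks_opt_u.pkcs11_opts

#ifdef __cplusplus
}
#endif
#endif /* _KMFTYPES_H */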