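/*
 * Copyright (c) 1995-2000 Intel Corporation. All rights reserved.
 */
/*
 * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

/*
 * kmftypes.h
 * Public data types, enumerations, return codes and OID fragments shared
 * by the Key Management Framework (KMF) library, its keystore plugins and
 * their callers.  Everything in this header is a declaration; the
 * KMFOID_* objects declared extern below are defined elsewhere.
 */

#ifndef _KMFTYPES_H
#define _KMFTYPES_H

#pragma ident "%Z%%M% %I% %E% SMI"

#include <sys/types.h>
#include <stdlib.h>
#include <strings.h>
#include <pthread.h>

#include <security/cryptoki.h>

#ifdef __cplusplus
extern "C" {
#endif

/* Fixed-width boolean; compare against KMF_TRUE / KMF_FALSE. */
typedef uint32_t KMF_BOOL;

#define KMF_FALSE (0)
#define KMF_TRUE (1)

/* KMF_HANDLE_T is a pointer to an incomplete C struct for type safety. */
typedef struct _kmf_handle *KMF_HANDLE_T;

/*
 * KMF_DATA
 * The KMF_DATA structure is used to associate a length, in bytes, with
 * an arbitrary block of contiguous memory.  Ownership of Data is not
 * encoded in the type; each API that fills or consumes a KMF_DATA has
 * to state who frees the buffer.
 */
typedef struct kmf_data
{
	size_t Length; /* in bytes */
	uchar_t *Data;
} KMF_DATA;

/*
 * KMF_BIGINT
 * A multi-precision integer carried as an opaque byte string of len bytes.
 * NOTE(review): byte order is not stated in this header - confirm against
 * the producers before interpreting val numerically.
 */
typedef struct {
	uchar_t *val;
	size_t len;
} KMF_BIGINT;

/*
 * KMF_OID
 * The object identifier (OID) structure is used to hold a unique identifier for
 * the atomic data fields and the compound substructure that comprise the fields
 * of a certificate or CRL.  It is a KMF_DATA holding the DER-encoded OID
 * body (the byte sequences built from the OID_* fragments below).
 */
typedef KMF_DATA KMF_OID;

/*
 * KMF_X509_PRIVATE
 * Bookkeeping the KMF layer attaches to a certificate it has loaded:
 * which keystore it came from, a label, and the KMF_FLAG_CERT_* bits.
 */
typedef struct kmf_x509_private {
	int keystore_type;
	int flags; /* see below */
	char *label;
#define KMF_FLAG_CERT_VALID 1 /* contains valid certificate */
#define KMF_FLAG_CERT_SIGNED 2 /* this is a signed certificate */
} KMF_X509_PRIVATE;

/*
 * KMF_X509_DER_CERT
 * This structure associates packed DER certificate data.
 * Also, it contains the private information internal used
 * by KMF layer.
 */
typedef struct
{
	KMF_DATA certificate;
	KMF_X509_PRIVATE kmf_private;
} KMF_X509_DER_CERT;

/* Keystore backends.  Values are 1-based so that 0 can mean "unset". */
typedef int KMF_KEYSTORE_TYPE;
#define KMF_KEYSTORE_NSS 1
#define KMF_KEYSTORE_OPENSSL 2
#define KMF_KEYSTORE_PK11TOKEN 3

/*
 * True when t names one of the three keystore types above.  The argument
 * is parenthesized so that an expression with lower precedence than the
 * relational operators (e.g. a conditional) is evaluated as a whole.
 */
#define VALID_DEFAULT_KEYSTORE_TYPE(t) (((t) >= KMF_KEYSTORE_NSS) &&\
	((t) <= KMF_KEYSTORE_PK11TOKEN))

/* On-disk / on-wire encodings a keystore can read or write. */
typedef enum {
	KMF_FORMAT_UNDEF = 0,
	KMF_FORMAT_ASN1 = 1, /* DER */
	KMF_FORMAT_PEM = 2,
	KMF_FORMAT_PKCS12 = 3,
	KMF_FORMAT_RAWKEY = 4, /* For FindKey operation */
	KMF_FORMAT_PEM_KEYPAIR = 5
} KMF_ENCODE_FORMAT;

/* "Native" means whatever the keystore's own default is. */
#define KMF_FORMAT_NATIVE KMF_FORMAT_UNDEF

/* Validity filter applied when searching for certificates. */
typedef enum {
	KMF_ALL_CERTS = 0,
	KMF_NONEXPIRED_CERTS = 1,
	KMF_EXPIRED_CERTS = 2
} KMF_CERT_VALIDITY;


/* Criticality filter applied when enumerating certificate extensions. */
typedef enum {
	KMF_ALL_EXTNS = 0,
	KMF_CRITICAL_EXTNS = 1,
	KMF_NONCRITICAL_EXTNS = 2
} KMF_FLAG_CERT_EXTN;


/* Intended use of a key, used when selecting a key for an operation. */
typedef enum {
	KMF_KU_SIGN_CERT = 0,
	KMF_KU_SIGN_DATA = 1,
	KMF_KU_ENCRYPT_DATA = 2
} KMF_KU_PURPOSE;

/*
 * Algorithms
 * This type defines a set of constants used to identify cryptographic
 * algorithms.
 * NOTE(review): MD2/MD5-with-RSA and SHA-1 based signatures are
 * cryptographically weak by current standards; treat these identifiers
 * as needed for recognizing existing material rather than for new
 * signing.
 */
typedef enum {
	KMF_ALGID_NONE = 0,
	KMF_ALGID_CUSTOM,
	KMF_ALGID_SHA1,
	KMF_ALGID_RSA,
	KMF_ALGID_DSA,
	KMF_ALGID_MD5WithRSA,
	KMF_ALGID_MD2WithRSA,
	KMF_ALGID_SHA1WithRSA,
	KMF_ALGID_SHA1WithDSA
} KMF_ALGORITHM_INDEX;


/*
 * Generic credential structure used by other structures below
 * to convey authentication information to the underlying
 * mechanisms.
 * cred is a byte buffer of credlen bytes (not necessarily NUL-terminated
 * - use credlen, not strlen).  Because it carries a PIN/passphrase, the
 * owner of the buffer should clear it before releasing it; this header
 * does not say who owns it.
 */
typedef struct {
	char *cred;
	uint32_t credlen;
} KMF_CREDENTIAL;

/*
 * Key algorithms.  RC4 and single DES are considered cryptographically
 * weak; they remain so that existing keys can be identified.
 */
typedef enum {
	KMF_KEYALG_NONE = 0,
	KMF_RSA = 1,
	KMF_DSA = 2,
	KMF_AES = 3,
	KMF_RC4 = 4,
	KMF_DES = 5,
	KMF_DES3 = 6,
	KMF_GENERIC_SECRET = 7
} KMF_KEY_ALG;

/* Which half of a keypair (or a symmetric key) a key object represents. */
typedef enum {
	KMF_KEYCLASS_NONE = 0,
	KMF_ASYM_PUB = 1, /* public key of an asymmetric keypair */
	KMF_ASYM_PRI = 2, /* private key of an asymmetric keypair */
	KMF_SYMMETRIC = 3 /* symmetric key */
} KMF_KEY_CLASS;


/* Kinds of PKI object a keystore stores. */
typedef enum {
	KMF_CERT = 0,
	KMF_CSR = 1,
	KMF_CRL = 2
} KMF_OBJECT_TYPE;


/*
 * KMF_RAW_RSA_KEY
 * RSA key material as separate big integers.  A public key populates
 * mod and pubexp; the remaining members are private-key components and
 * must be treated as secret wherever they are non-empty.
 */
typedef struct {
	KMF_BIGINT mod;
	KMF_BIGINT pubexp;
	KMF_BIGINT priexp;
	KMF_BIGINT prime1;
	KMF_BIGINT prime2;
	KMF_BIGINT exp1;
	KMF_BIGINT exp2;
	KMF_BIGINT coef;
} KMF_RAW_RSA_KEY;

/*
 * KMF_RAW_DSA_KEY
 * DSA domain parameters (prime, subprime, base) plus the private value
 * and the public value.
 */
typedef struct {
	KMF_BIGINT prime;
	KMF_BIGINT subprime;
	KMF_BIGINT base;
	KMF_BIGINT value;
	KMF_BIGINT pubvalue;
} KMF_RAW_DSA_KEY;

/* Symmetric key: just the secret bytes. */
typedef struct {
	KMF_BIGINT keydata;
} KMF_RAW_SYM_KEY;

/*
 * KMF_RAW_KEY_DATA
 * A key whose material is held in memory rather than behind a keystore
 * handle.  keytype selects which member of rawdata is valid.
 * NOTE(review): sensitive / not_extractable appear to mirror the PKCS#11
 * CKA_SENSITIVE / CKA_EXTRACTABLE attributes - confirm against the
 * PKCS#11 plugin before relying on that mapping.
 */
typedef struct {
	KMF_KEY_ALG keytype;
	boolean_t sensitive;
	boolean_t not_extractable;
	union {
		KMF_RAW_RSA_KEY rsa;
		KMF_RAW_DSA_KEY dsa;
		KMF_RAW_SYM_KEY sym;
	} rawdata;
	char *label;
	KMF_DATA id;
} KMF_RAW_KEY_DATA;

/*
 * KMF_KEY_HANDLE
 * Opaque reference to a key owned by a keystore.  keyp is interpreted
 * by the plugin identified by kstype; israw says whether it points at a
 * KMF_RAW_KEY_DATA instead of a keystore object.
 */
typedef struct {
	KMF_KEYSTORE_TYPE kstype;
	KMF_KEY_ALG keyalg;
	KMF_KEY_CLASS keyclass;
	boolean_t israw;
	char *keylabel;
	void *keyp;
} KMF_KEY_HANDLE;

/* Keystore-specific error code, tagged with the keystore that raised it. */
typedef struct {
	KMF_KEYSTORE_TYPE kstype;
	uint32_t errcode;
} KMF_ERROR;

/*
 * Typenames to use with subjectAltName
 * The values are the GeneralName CHOICE tag numbers from X.509 (otherName
 * is [0], rfc822Name [1], ... registeredID [8]).
 */
typedef enum {
	GENNAME_OTHERNAME = 0x00,
	GENNAME_RFC822NAME,
	GENNAME_DNSNAME,
	GENNAME_X400ADDRESS,
	GENNAME_DIRECTORYNAME,
	GENNAME_EDIPARTYNAME,
	GENNAME_URI,
	GENNAME_IPADDRESS,
	GENNAME_REGISTEREDID
} KMF_GENERALNAMECHOICES;

/*
 * KMF_FIELD
 * This structure contains the OID/value pair for any item that can be
 * identified by an OID.
 */
typedef struct
{
	KMF_OID FieldOid;
	KMF_DATA FieldValue;
} KMF_FIELD;

/*
 * KMF_RETURN
 * Status codes returned by the KMF APIs; KMF_OK is zero.  Values are
 * assigned explicitly and are not contiguous (0x08-0x0a and 0x0e-0x0f
 * are unused), so new codes must be given explicit values rather than
 * appended by implicit increment.
 */
typedef enum {
	KMF_OK = 0x00,
	KMF_ERR_BAD_PARAMETER = 0x01,
	KMF_ERR_BAD_KEY_FORMAT = 0x02,
	KMF_ERR_BAD_ALGORITHM = 0x03,
	KMF_ERR_MEMORY = 0x04,
	KMF_ERR_ENCODING = 0x05,
	KMF_ERR_PLUGIN_INIT = 0x06,
	KMF_ERR_PLUGIN_NOTFOUND = 0x07,
	KMF_ERR_INTERNAL = 0x0b,
	KMF_ERR_BAD_CERT_FORMAT = 0x0c,
	KMF_ERR_KEYGEN_FAILED = 0x0d,
	KMF_ERR_UNINITIALIZED = 0x10,
	KMF_ERR_ISSUER = 0x11,
	KMF_ERR_NOT_REVOKED = 0x12,
	KMF_ERR_CERT_NOT_FOUND = 0x13,
	KMF_ERR_CRL_NOT_FOUND = 0x14,
	KMF_ERR_RDN_PARSER = 0x15,
	KMF_ERR_RDN_ATTR = 0x16,
	KMF_ERR_SLOTNAME = 0x17,
	KMF_ERR_EMPTY_CRL = 0x18,
	KMF_ERR_BUFFER_SIZE = 0x19,
	KMF_ERR_AUTH_FAILED = 0x1a,
	KMF_ERR_TOKEN_SELECTED = 0x1b,
	KMF_ERR_NO_TOKEN_SELECTED = 0x1c,
	KMF_ERR_TOKEN_NOT_PRESENT = 0x1d,
	KMF_ERR_EXTENSION_NOT_FOUND = 0x1e,
	KMF_ERR_POLICY_ENGINE = 0x1f,
	KMF_ERR_POLICY_DB_FORMAT = 0x20,
	KMF_ERR_POLICY_NOT_FOUND = 0x21,
	KMF_ERR_POLICY_DB_FILE = 0x22,
	KMF_ERR_POLICY_NAME = 0x23,
	KMF_ERR_OCSP_POLICY = 0x24,
	KMF_ERR_TA_POLICY = 0x25,
	KMF_ERR_KEY_NOT_FOUND = 0x26,
	KMF_ERR_OPEN_FILE = 0x27,
	KMF_ERR_OCSP_BAD_ISSUER = 0x28,
	KMF_ERR_OCSP_BAD_CERT = 0x29,
	KMF_ERR_OCSP_CREATE_REQUEST = 0x2a,
	KMF_ERR_CONNECT_SERVER = 0x2b,
	KMF_ERR_SEND_REQUEST = 0x2c,
	KMF_ERR_OCSP_CERTID = 0x2d,
	KMF_ERR_OCSP_MALFORMED_RESPONSE = 0x2e,
	KMF_ERR_OCSP_RESPONSE_STATUS = 0x2f,
	KMF_ERR_OCSP_NO_BASIC_RESPONSE = 0x30,
	KMF_ERR_OCSP_BAD_SIGNER = 0x31,

	KMF_ERR_OCSP_RESPONSE_SIGNATURE = 0x32,
	KMF_ERR_OCSP_UNKNOWN_CERT = 0x33,
	KMF_ERR_OCSP_STATUS_TIME_INVALID = 0x34,
	KMF_ERR_BAD_HTTP_RESPONSE = 0x35,
	KMF_ERR_RECV_RESPONSE = 0x36,
	KMF_ERR_RECV_TIMEOUT = 0x37,
	KMF_ERR_DUPLICATE_KEYFILE = 0x38,
	KMF_ERR_AMBIGUOUS_PATHNAME = 0x39,
	KMF_ERR_FUNCTION_NOT_FOUND = 0x3a,
	KMF_ERR_PKCS12_FORMAT = 0x3b,
	KMF_ERR_BAD_KEY_TYPE = 0x3c,
	KMF_ERR_BAD_KEY_CLASS = 0x3d,
	KMF_ERR_BAD_KEY_SIZE = 0x3e,
	KMF_ERR_BAD_HEX_STRING = 0x3f,
	KMF_ERR_KEYUSAGE = 0x40,
	KMF_ERR_VALIDITY_PERIOD = 0x41,
	KMF_ERR_OCSP_REVOKED = 0x42,
	KMF_ERR_CERT_MULTIPLE_FOUND = 0x43,
	KMF_ERR_WRITE_FILE = 0x44,
	KMF_ERR_BAD_URI = 0x45,
	KMF_ERR_BAD_CRLFILE = 0x46,
	KMF_ERR_BAD_CERTFILE = 0x47,
	KMF_ERR_GETKEYVALUE_FAILED = 0x48,
	KMF_ERR_BAD_KEYHANDLE = 0x49,
	KMF_ERR_BAD_OBJECT_TYPE = 0x4a,
	KMF_ERR_OCSP_RESPONSE_LIFETIME = 0x4b,
	KMF_ERR_UNKNOWN_CSR_ATTRIBUTE = 0x4c,
	KMF_ERR_UNINITIALIZED_TOKEN = 0x4d,
	KMF_ERR_INCOMPLETE_TBS_CERT = 0x4e,
	KMF_ERR_MISSING_ERRCODE = 0x4f,
	KMF_KEYSTORE_ALREADY_INITIALIZED = 0x50,
	KMF_ERR_SENSITIVE_KEY = 0x51,
	KMF_ERR_UNEXTRACTABLE_KEY = 0x52,
	KMF_ERR_KEY_MISMATCH = 0x53,
	KMF_ERR_ATTR_NOT_FOUND = 0x54,
	KMF_ERR_KMF_CONF = 0x55
} KMF_RETURN;

/* Data structures for OCSP support */

/* CertStatus of a single certificate in an OCSP response. */
typedef enum {
	OCSP_GOOD = 0,
	OCSP_REVOKED = 1,
	OCSP_UNKNOWN = 2
} KMF_OCSP_CERT_STATUS;

/* OCSPResponseStatus of the response as a whole. */
typedef enum {
	OCSP_SUCCESS = 0,
	OCSP_MALFORMED_REQUEST = 1,
	OCSP_INTERNAL_ERROR = 2,
	OCSP_TRYLATER = 3,
	OCSP_SIGREQUIRED = 4,
	OCSP_UNAUTHORIZED = 5
} KMF_OCSP_RESPONSE_STATUS;

/*
 * Revocation reason reported with OCSP_REVOKED; OCSP_NOSTATUS means no
 * reason was given.
 * NOTE(review): OCSP_SUPERCEDED is a misspelling of "superseded" kept
 * for source compatibility, and X.509 CRLReason assigns removeFromCRL
 * the value 8 (7 is unused) whereas OCSP_REMOVEFROMCRL is 7 here -
 * confirm how the parser maps raw CRLReason values before comparing.
 */
typedef enum {
	OCSP_NOSTATUS = -1,
	OCSP_UNSPECIFIED = 0,
	OCSP_KEYCOMPROMISE = 1,
	OCSP_CACOMPROMISE = 2,
	OCSP_AFFILIATIONCHANGE = 3,
	OCSP_SUPERCEDED = 4,
	OCSP_CESSATIONOFOPERATION = 5,
	OCSP_CERTIFICATEHOLD = 6,
	OCSP_REMOVEFROMCRL = 7
} KMF_OCSP_REVOKED_STATUS;

/* Broad algorithm categories. */
typedef enum {
	KMF_ALGCLASS_NONE = 0,
	KMF_ALGCLASS_CUSTOM,
	KMF_ALGCLASS_SIGNATURE,
	KMF_ALGCLASS_SYMMETRIC,
	KMF_ALGCLASS_DIGEST,
	KMF_ALGCLASS_RANDOMGEN,
	KMF_ALGCLASS_UNIQUEGEN,
	KMF_ALGCLASS_MAC,
	KMF_ALGCLASS_ASYMMETRIC,
	KMF_ALGCLASS_KEYGEN,
	KMF_ALGCLASS_DERIVEKEY
} KMF_ALGCLASS;

/*
 * Certificate fields and extensions that can be selected individually
 * for printing.  Starts at 1 so that 0 is never a valid item.
 */
typedef enum {
	KMF_CERT_ISSUER = 1,
	KMF_CERT_SUBJECT,
	KMF_CERT_VERSION,
	KMF_CERT_SERIALNUM,
	KMF_CERT_NOTBEFORE,
	KMF_CERT_NOTAFTER,
	KMF_CERT_PUBKEY_ALG,
	KMF_CERT_SIGNATURE_ALG,
	KMF_CERT_EMAIL,
	KMF_CERT_PUBKEY_DATA,
	KMF_X509_EXT_PRIV_KEY_USAGE_PERIOD,
	KMF_X509_EXT_CERT_POLICIES,
	KMF_X509_EXT_SUBJ_ALTNAME,
	KMF_X509_EXT_ISSUER_ALTNAME,
	KMF_X509_EXT_BASIC_CONSTRAINTS,
	KMF_X509_EXT_NAME_CONSTRAINTS,
	KMF_X509_EXT_POLICY_CONSTRAINTS,
	KMF_X509_EXT_EXT_KEY_USAGE,
	KMF_X509_EXT_INHIBIT_ANY_POLICY,
	KMF_X509_EXT_AUTH_KEY_ID,
	KMF_X509_EXT_SUBJ_KEY_ID,
	KMF_X509_EXT_POLICY_MAPPINGS,
	KMF_X509_EXT_CRL_DIST_POINTS,
	KMF_X509_EXT_FRESHEST_CRL,
	KMF_X509_EXT_KEY_USAGE
} KMF_PRINTABLE_ITEM;

/*
 * KMF_X509_ALGORITHM_IDENTIFIER
 * This structure holds an object identifier naming a
 * cryptographic algorithm and an optional set of
 * parameters to be used as input to that algorithm.
 */
typedef struct
{
	KMF_OID algorithm;
	KMF_DATA parameters;
} KMF_X509_ALGORITHM_IDENTIFIER;

/*
 * KMF_X509_TYPE_VALUE_PAIR
 * This structure contains a type-value pair.
 */
typedef struct
{
	KMF_OID type;
	uint8_t valueType; /* The Tag to use when BER encoded */
	KMF_DATA value;
} KMF_X509_TYPE_VALUE_PAIR;


/*
 * KMF_X509_RDN
 * This structure contains a Relative Distinguished Name
 * composed of an ordered set of type-value pairs.
 * AttributeTypeAndValue points at numberOfPairs elements.
 */
typedef struct
{
	uint32_t numberOfPairs;
	KMF_X509_TYPE_VALUE_PAIR *AttributeTypeAndValue;
} KMF_X509_RDN;

/*
 * KMF_X509_NAME
 * This structure contains a set of Relative Distinguished Names.
 * RelativeDistinguishedName points at numberOfRDNs elements.
 */
typedef struct
{
	uint32_t numberOfRDNs;
	KMF_X509_RDN *RelativeDistinguishedName;
} KMF_X509_NAME;

/*
 * KMF_X509_SPKI
 * This structure contains the public key and the
 * description of the verification algorithm
 * appropriate for use with this key.
 */
typedef struct
{
	KMF_X509_ALGORITHM_IDENTIFIER algorithm;
	KMF_DATA subjectPublicKey;
} KMF_X509_SPKI;

/*
 * KMF_X509_TIME
 * Time is represented as a string according to the
 * definitions of GeneralizedTime and UTCTime
 * defined in RFC 2459.  timeType records which of the
 * two encodings the string uses.
 */
typedef struct
{
	uint8_t timeType;
	KMF_DATA time;
} KMF_X509_TIME;

/*
 * KMF_X509_VALIDITY
 * The notBefore / notAfter window of a certificate.
 */
typedef struct
{
	KMF_X509_TIME notBefore;
	KMF_X509_TIME notAfter;
} KMF_X509_VALIDITY;

/*
 * KMF_X509EXT_BASICCONSTRAINTS
 * Decoded BasicConstraints extension.  pathLenConstraint is only
 * meaningful when pathLenConstraintPresent is KMF_TRUE.
 */
typedef struct
{
	KMF_BOOL cA;
	KMF_BOOL pathLenConstraintPresent;
	uint32_t pathLenConstraint;
} KMF_X509EXT_BASICCONSTRAINTS;

/*
 * KMF_X509EXT_DATA_FORMAT
 * This list defines the valid formats for a certificate extension.
 */
typedef enum
{
	KMF_X509_DATAFORMAT_ENCODED = 0,
	KMF_X509_DATAFORMAT_PARSED,
	KMF_X509_DATAFORMAT_PAIR
} KMF_X509EXT_DATA_FORMAT;


/*
 * KMF_X509EXT_TAGandVALUE
 * This structure contains a BER/DER encoded
 * extension value and the type of that value.
 */
typedef struct
{
	uint8_t type;
	KMF_DATA value;
} KMF_X509EXT_TAGandVALUE;


/*
 * KMF_X509EXT_PAIR
 * This structure aggregates two extension representations:
 * a tag and value, and a parsed X509 extension representation.
 */
typedef struct
{
	KMF_X509EXT_TAGandVALUE tagAndValue;
	void *parsedValue;
} KMF_X509EXT_PAIR;

/*
 * KMF_X509_EXTENSION
 * This structure contains a complete certificate extension.
 * format selects which member of the value union is valid
 * (ENCODED -> tagAndValue, PARSED -> parsedValue, PAIR -> valuePair);
 * BERvalue always holds the raw extnValue bytes.
 */
typedef struct
{
	KMF_OID extnId;
	KMF_BOOL critical;
	KMF_X509EXT_DATA_FORMAT format;
	union
	{
		KMF_X509EXT_TAGandVALUE *tagAndValue;
		void *parsedValue;
		KMF_X509EXT_PAIR *valuePair;
	} value;
	KMF_DATA BERvalue;
} KMF_X509_EXTENSION;


/*
 * KMF_X509_EXTENSIONS
 * This structure contains the set of all certificate
 * extensions contained in a certificate.
 */
typedef struct
{
	uint32_t numberOfExtensions;
	KMF_X509_EXTENSION *extensions;
} KMF_X509_EXTENSIONS;

/*
 * KMF_X509_TBS_CERT
 * This structure contains a complete X.509 certificate.
 */
typedef struct
{
	KMF_DATA version;
	KMF_BIGINT serialNumber;
	KMF_X509_ALGORITHM_IDENTIFIER signature;
	KMF_X509_NAME issuer;
	KMF_X509_VALIDITY validity;
	KMF_X509_NAME subject;
	KMF_X509_SPKI subjectPublicKeyInfo;
	KMF_DATA issuerUniqueIdentifier;
	KMF_DATA subjectUniqueIdentifier;
	KMF_X509_EXTENSIONS extensions;
} KMF_X509_TBS_CERT;

/*
 * KMF_X509_SIGNATURE
 * This structure contains a cryptographic digital signature.
 */
typedef struct
{
	KMF_X509_ALGORITHM_IDENTIFIER algorithmIdentifier;
	KMF_DATA encrypted;
} KMF_X509_SIGNATURE;

/*
 * KMF_X509_CERTIFICATE
 * This structure associates a set of decoded certificate
 * values with the signature covering those values.
 */
typedef struct
{
	KMF_X509_TBS_CERT certificate;
	KMF_X509_SIGNATURE signature;
} KMF_X509_CERTIFICATE;

/*
 * Accessors for the two algorithm OIDs in a KMF_X509_CERTIFICATE *c:
 * the one inside the signed TBS body and the one on the outer signature.
 * A verifier should check that both agree.  The argument and the whole
 * expansion are parenthesized so that passing `&cert` or using the
 * result in a larger expression works as expected.
 */
#define CERT_ALG_OID(c) (&(c)->certificate.signature.algorithm)
#define CERT_SIG_OID(c) (&(c)->signature.algorithmIdentifier.algorithm)

/*
 * KMF_TBS_CSR
 * This structure contains a complete PKCS#10 certificate request
 */
typedef struct
{
	KMF_DATA version;
	KMF_X509_NAME subject;
	KMF_X509_SPKI subjectPublicKeyInfo;
	KMF_X509_EXTENSIONS extensions;
} KMF_TBS_CSR;

/*
 * KMF_CSR_DATA
 * This structure contains a complete PKCS#10 certificate signed request
 */
typedef struct
{
	KMF_TBS_CSR csr;
	KMF_X509_SIGNATURE signature;
} KMF_CSR_DATA;

/*
 * KMF_X509EXT_POLICYQUALIFIERINFO
 * One PolicyQualifierInfo from a CertificatePolicies extension.
 */
typedef struct
{
	KMF_OID policyQualifierId;
	KMF_DATA value;
} KMF_X509EXT_POLICYQUALIFIERINFO;

/*
 * KMF_X509EXT_POLICYQUALIFIERS
 * policyQualifier points at numberOfPolicyQualifiers elements.
 */
typedef struct
{
	uint32_t numberOfPolicyQualifiers;
	KMF_X509EXT_POLICYQUALIFIERINFO *policyQualifier;
} KMF_X509EXT_POLICYQUALIFIERS;

/*
 * KMF_X509EXT_POLICYINFO
 * One PolicyInformation entry: a policy OID plus its qualifiers.
 */
typedef struct
{
	KMF_OID policyIdentifier;
	KMF_X509EXT_POLICYQUALIFIERS policyQualifiers;
} KMF_X509EXT_POLICYINFO;

/* Decoded CertificatePolicies extension. */
typedef struct
{
	uint32_t numberOfPolicyInfo;
	KMF_X509EXT_POLICYINFO *policyInfo;
} KMF_X509EXT_CERT_POLICIES;

/*
 * Decoded KeyUsage extension; KeyUsageBits holds the KMF_* bitmasks
 * defined further down.  Note that critical is a uchar_t here, unlike
 * the KMF_BOOL used by KMF_X509_EXTENSION.
 */
typedef struct
{
	uchar_t critical;
	uint16_t KeyUsageBits;
} KMF_X509EXT_KEY_USAGE;

/*
 * Decoded ExtendedKeyUsage extension; keyPurposeIdList points at nEKUs
 * OIDs.
 */
typedef struct
{
	uchar_t critical;
	uint16_t nEKUs;
	KMF_OID *keyPurposeIdList;
} KMF_X509EXT_EKU;


/*
 * X509 AuthorityInfoAccess extension
 */
typedef struct
{
	KMF_OID AccessMethod;
	KMF_DATA AccessLocation;
} KMF_X509EXT_ACCESSDESC;

typedef struct
{
	uint32_t numberOfAccessDescription;
	KMF_X509EXT_ACCESSDESC *AccessDesc;
} KMF_X509EXT_AUTHINFOACCESS;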
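

/*
 * X509 Crl Distribution Point extension
 */

/* One GeneralName: the CHOICE tag in choice, the encoded body in name. */
typedef struct {
	KMF_GENERALNAMECHOICES choice;
	KMF_DATA name;
} KMF_GENERALNAME;

/* namelist points at number GeneralNames. */
typedef struct {
	uint32_t number;
	KMF_GENERALNAME *namelist;
} KMF_GENERALNAMES;

/* Which alternative of DistributionPointName is present. */
typedef enum {
	DP_GENERAL_NAME = 1,
	DP_RELATIVE_NAME = 2
} KMF_CRL_DIST_POINT_TYPE;

/*
 * One DistributionPoint.  type selects the valid member of name;
 * reasons carries the ReasonFlags bit string and crl_issuer the
 * cRLIssuer names.
 */
typedef struct {
	KMF_CRL_DIST_POINT_TYPE type;
	union {
		KMF_GENERALNAMES full_name;
		KMF_DATA relative_name;
	} name;
	KMF_DATA reasons;
	KMF_GENERALNAMES crl_issuer;
} KMF_CRL_DIST_POINT;

/* Decoded CRLDistributionPoints extension; dplist has number entries. */
typedef struct {
	uint32_t number;
	KMF_CRL_DIST_POINT *dplist;
} KMF_X509EXT_CRLDISTPOINTS;

/*
 * KMF_ATTR_TYPE
 * Tags for the (type, pointer, length) attributes passed to the
 * attribute-list based KMF APIs.  Values are implicit and start at 0,
 * so entries must only be appended, never reordered, to keep binary
 * compatibility.
 */
typedef enum {
	KMF_DATA_ATTR,
	KMF_OID_ATTR,
	KMF_BIGINT_ATTR,
	KMF_X509_DER_CERT_ATTR,
	KMF_KEYSTORE_TYPE_ATTR,
	KMF_ENCODE_FORMAT_ATTR,
	KMF_CERT_VALIDITY_ATTR,
	KMF_KU_PURPOSE_ATTR,
	KMF_ALGORITHM_INDEX_ATTR,
	KMF_TOKEN_LABEL_ATTR,
	KMF_READONLY_ATTR,
	KMF_DIRPATH_ATTR,
	KMF_CERTPREFIX_ATTR,
	KMF_KEYPREFIX_ATTR,
	KMF_SECMODNAME_ATTR,
	KMF_CREDENTIAL_ATTR,
	KMF_TRUSTFLAG_ATTR,
	KMF_CRL_FILENAME_ATTR,
	KMF_CRL_CHECK_ATTR,
	KMF_CRL_DATA_ATTR,
	KMF_CRL_SUBJECT_ATTR,
	KMF_CRL_ISSUER_ATTR,
	KMF_CRL_NAMELIST_ATTR,
	KMF_CRL_COUNT_ATTR,
	KMF_CRL_OUTFILE_ATTR,
	KMF_CERT_LABEL_ATTR,
	KMF_SUBJECT_NAME_ATTR,
	KMF_ISSUER_NAME_ATTR,
	KMF_CERT_FILENAME_ATTR,
	KMF_KEY_FILENAME_ATTR,
	KMF_OUTPUT_FILENAME_ATTR,
	KMF_IDSTR_ATTR,
	KMF_CERT_DATA_ATTR,
	KMF_OCSP_RESPONSE_DATA_ATTR,
	KMF_OCSP_RESPONSE_STATUS_ATTR,
	KMF_OCSP_RESPONSE_REASON_ATTR,
	KMF_OCSP_RESPONSE_CERT_STATUS_ATTR,
	KMF_OCSP_REQUEST_FILENAME_ATTR,
	KMF_KEYALG_ATTR,
	KMF_KEYCLASS_ATTR,
	KMF_KEYLABEL_ATTR,
	KMF_KEYLENGTH_ATTR,
	KMF_RSAEXP_ATTR,
	KMF_TACERT_DATA_ATTR,
	KMF_SLOT_ID_ATTR,
	KMF_PK12CRED_ATTR,
	KMF_ISSUER_CERT_DATA_ATTR,
	KMF_USER_CERT_DATA_ATTR,
	KMF_SIGNER_CERT_DATA_ATTR,
	KMF_IGNORE_RESPONSE_SIGN_ATTR,
	KMF_RESPONSE_LIFETIME_ATTR,
	KMF_KEY_HANDLE_ATTR,
	KMF_PRIVKEY_HANDLE_ATTR,
	KMF_PUBKEY_HANDLE_ATTR,
	KMF_ERROR_ATTR,
	KMF_X509_NAME_ATTR,
	KMF_X509_SPKI_ATTR,
	KMF_X509_CERTIFICATE_ATTR,
	KMF_RAW_KEY_ATTR,
	KMF_CSR_DATA_ATTR,
	KMF_GENERALNAMECHOICES_ATTR,
	KMF_STOREKEY_BOOL_ATTR,
	KMF_SENSITIVE_BOOL_ATTR,
	KMF_NON_EXTRACTABLE_BOOL_ATTR,
	KMF_TOKEN_BOOL_ATTR,
	KMF_PRIVATE_BOOL_ATTR,
	KMF_NEWPIN_ATTR,
	KMF_IN_SIGN_ATTR,
	KMF_OUT_DATA_ATTR,
	KMF_COUNT_ATTR,
	KMF_DESTROY_BOOL_ATTR,
	KMF_TBS_CERT_DATA_ATTR,
	KMF_PLAINTEXT_DATA_ATTR,
	KMF_CIPHERTEXT_DATA_ATTR,
	KMF_VALIDATE_RESULT_ATTR,
	KMF_KEY_DATA_ATTR
} KMF_ATTR_TYPE;

/*
 * KMF_ATTRIBUTE
 * Generic tagged value.  pValue is untyped, so a consumer must check
 * valueLen against the size the type implies before reading through it;
 * the tag alone does not make the pointer safe to dereference.
 */
typedef struct {
	KMF_ATTR_TYPE type;
	void *pValue;
	uint32_t valueLen;
} KMF_ATTRIBUTE;

/*
 * Definitions for common X.509v3 certificate attribute OIDs
 *
 * Each OID_* macro expands to a comma-separated list of the DER-encoded
 * arc bytes (the first byte already combines the first two arcs, e.g.
 * 42 = 1.2, 43 = 1.3, 85 = 2.5) and is meant to be used inside a
 * brace initializer.  The matching *_LENGTH macro is the byte count of
 * that list; the two must be kept in step because the length is what
 * ends up in a KMF_OID.
 */
#define OID_ISO_MEMBER 42 /* Also in PKCS */
#define OID_US OID_ISO_MEMBER, 134, 72 /* Also in PKCS */
#define OID_CA OID_ISO_MEMBER, 124

#define OID_ISO_IDENTIFIED_ORG 43
#define OID_OSINET OID_ISO_IDENTIFIED_ORG, 4
#define OID_GOSIP OID_ISO_IDENTIFIED_ORG, 5
#define OID_DOD OID_ISO_IDENTIFIED_ORG, 6
#define OID_OIW OID_ISO_IDENTIFIED_ORG, 14 /* Also in x9.57 */

#define OID_ISO_CCITT_DIR_SERVICE 85
#define OID_ISO_CCITT_COUNTRY 96
#define OID_COUNTRY_US OID_ISO_CCITT_COUNTRY, 134, 72
#define OID_COUNTRY_CA OID_ISO_CCITT_COUNTRY, 124
#define OID_COUNTRY_US_ORG OID_COUNTRY_US, 1
#define OID_COUNTRY_US_MHS_MD OID_COUNTRY_US, 2
#define OID_COUNTRY_US_STATE OID_COUNTRY_US, 3

/* From the PKCS Standards */
#define OID_ISO_MEMBER_LENGTH 1
#define OID_US_LENGTH (OID_ISO_MEMBER_LENGTH + 2)

#define OID_RSA OID_US, 134, 247, 13
#define OID_RSA_LENGTH (OID_US_LENGTH + 3)

#define OID_RSA_HASH OID_RSA, 2
#define OID_RSA_HASH_LENGTH (OID_RSA_LENGTH + 1)

#define OID_RSA_ENCRYPT OID_RSA, 3
#define OID_RSA_ENCRYPT_LENGTH (OID_RSA_LENGTH + 1)

#define OID_PKCS OID_RSA, 1
#define OID_PKCS_LENGTH (OID_RSA_LENGTH + 1)

#define OID_PKCS_1 OID_PKCS, 1
#define OID_PKCS_1_LENGTH (OID_PKCS_LENGTH + 1)

#define OID_PKCS_2 OID_PKCS, 2
#define OID_PKCS_3 OID_PKCS, 3
#define OID_PKCS_3_LENGTH (OID_PKCS_LENGTH + 1)

#define OID_PKCS_4 OID_PKCS, 4
#define OID_PKCS_5 OID_PKCS, 5
#define OID_PKCS_5_LENGTH (OID_PKCS_LENGTH + 1)
#define OID_PKCS_6 OID_PKCS, 6
#define OID_PKCS_7 OID_PKCS, 7
#define OID_PKCS_7_LENGTH (OID_PKCS_LENGTH + 1)

#define OID_PKCS_7_Data OID_PKCS_7, 1
#define OID_PKCS_7_SignedData OID_PKCS_7, 2
#define OID_PKCS_7_EnvelopedData OID_PKCS_7, 3
#define OID_PKCS_7_SignedAndEnvelopedData OID_PKCS_7, 4
#define OID_PKCS_7_DigestedData OID_PKCS_7, 5
#define OID_PKCS_7_EncryptedData OID_PKCS_7, 6

#define OID_PKCS_8 OID_PKCS, 8
#define OID_PKCS_9 OID_PKCS, 9
#define OID_PKCS_9_LENGTH (OID_PKCS_LENGTH + 1)

#define OID_PKCS_9_CONTENT_TYPE OID_PKCS_9, 3
#define OID_PKCS_9_MESSAGE_DIGEST OID_PKCS_9, 4
#define OID_PKCS_9_SIGNING_TIME OID_PKCS_9, 5
#define OID_PKCS_9_COUNTER_SIGNATURE OID_PKCS_9, 6
#define OID_PKCS_9_EXTENSION_REQUEST OID_PKCS_9, 14

#define OID_PKCS_10 OID_PKCS, 10

#define OID_PKCS_12 OID_PKCS, 12
#define OID_PKCS_12_LENGTH (OID_PKCS_LENGTH + 1)

/*
 * PKCS#12 password-based encryption schemes.  All of these rest on RC4,
 * RC2 or (2/3-key) triple DES with SHA-1 based key derivation and are
 * legacy; they are needed to read existing PKCS#12 files.
 */
#define PBEWithSHAAnd128BitRC4 OID_PKCS_12, 1, 1
#define PBEWithSHAAnd40BitRC4 OID_PKCS_12, 1, 2
#define PBEWithSHAAnd3KeyTripleDES_CBC OID_PKCS_12, 1, 3
#define PBEWithSHAAnd2KeyTripleDES_CBC OID_PKCS_12, 1, 4
#define PBEWithSHAAnd128BitRC2_CBC OID_PKCS_12, 1, 5
#define PBEWithSHAAnd40BitRC2_CBC OID_PKCS_12, 1, 6

#define OID_BAG_TYPES OID_PKCS_12, 10, 1
#define OID_KeyBag OID_BAG_TYPES, 1
#define OID_PKCS8ShroudedKeyBag OID_BAG_TYPES, 2
#define OID_CertBag OID_BAG_TYPES, 3
#define OID_CrlBag OID_BAG_TYPES, 4
#define OID_SecretBag OID_BAG_TYPES, 5
#define OID_SafeContentsBag OID_BAG_TYPES, 6

#define OID_ContentInfo OID_PKCS_7, 0, 1

#define OID_CERT_TYPES OID_PKCS_9, 22
#define OID_x509Certificate OID_CERT_TYPES, 1
#define OID_sdsiCertificate OID_CERT_TYPES, 2

#define OID_CRL_TYPES OID_PKCS_9, 23
#define OID_x509Crl OID_CRL_TYPES, 1

#define OID_DS OID_ISO_CCITT_DIR_SERVICE /* Also in X.501 */
#define OID_DS_LENGTH 1

#define OID_ATTR_TYPE OID_DS, 4 /* Also in X.501 */
#define OID_ATTR_TYPE_LENGTH (OID_DS_LENGTH + 1)

#define OID_DSALG OID_DS, 8 /* Also in X.501 */
#define OID_DSALG_LENGTH (OID_DS_LENGTH + 1)

#define OID_EXTENSION OID_DS, 29 /* Also in X.501 */
#define OID_EXTENSION_LENGTH (OID_DS_LENGTH + 1)

/*
 * From RFC 1274:
 * {itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100) pilotAttributeType(1) }
 */
#define OID_PILOT 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x1
#define OID_PILOT_LENGTH 9

/*
 * { pilotAttributeType 1 }.  The separating comma was missing, which made
 * the expansion "..., 0x1 1" - a syntax error in any initializer.
 */
#define OID_USERID OID_PILOT, 1
#define OID_USERID_LENGTH (OID_PILOT_LENGTH + 1)

/*
 * From PKIX part1
 * { iso(1) identified-organization(3) dod(6) internet(1)
 * security(5) mechanisms(5) pkix(7) }
 */
#define OID_PKIX 43, 6, 1, 5, 5, 7
#define OID_PKIX_LENGTH 6

/* private certificate extensions, { id-pkix 1 } */
#define OID_PKIX_PE OID_PKIX, 1
#define OID_PKIX_PE_LENGTH (OID_PKIX_LENGTH + 1)

/* policy qualifier types {id-pkix 2 } */
#define OID_PKIX_QT OID_PKIX, 2
#define OID_PKIX_QT_LENGTH (OID_PKIX_LENGTH + 1)

/* CPS qualifier, { id-qt 1 } */
#define OID_PKIX_QT_CPS OID_PKIX_QT, 1
#define OID_PKIX_QT_CPS_LENGTH (OID_PKIX_QT_LENGTH + 1)
/* user notice qualifier, { id-qt 2 } */
#define OID_PKIX_QT_UNOTICE OID_PKIX_QT, 2
#define OID_PKIX_QT_UNOTICE_LENGTH (OID_PKIX_QT_LENGTH + 1)

/* extended key purpose OIDs {id-pkix 3 } */
#define OID_PKIX_KP OID_PKIX, 3
#define OID_PKIX_KP_LENGTH (OID_PKIX_LENGTH + 1)

/* access descriptors { id-pkix 48 } (id-ad); the arc is 48, not 4 */
#define OID_PKIX_AD OID_PKIX, 48
#define OID_PKIX_AD_LENGTH (OID_PKIX_LENGTH + 1)

/* access descriptors */
/* OCSP */
#define OID_PKIX_AD_OCSP OID_PKIX_AD, 1
#define OID_PKIX_AD_OCSP_LENGTH (OID_PKIX_AD_LENGTH + 1)

/* cAIssuers */
#define OID_PKIX_AD_CAISSUERS OID_PKIX_AD, 2
#define OID_PKIX_AD_CAISSUERS_LENGTH (OID_PKIX_AD_LENGTH + 1)

/* end PKIX part1 */

/*
 * { iso(1) identified-organization(3) dod(6) internet(1) mgmt(2)
 * mib-2(1) application(27) 4 } - seven encoded bytes.  The length used
 * to say 8, one more than the initializer produces, so a KMF_OID built
 * from the pair would have claimed a byte beyond the array.
 */
#define OID_APPL_TCP_PROTO 43, 6, 1, 2, 1, 27, 4
#define OID_APPL_TCP_PROTO_LENGTH 7

#define OID_DAP OID_DS, 3, 1
#define OID_DAP_LENGTH (OID_DS_LENGTH + 2)

/* From x9.57 */
#define OID_OIW_LENGTH 2

#define OID_OIW_SECSIG OID_OIW, 3
#define OID_OIW_SECSIG_LENGTH (OID_OIW_LENGTH + 1)

#define OID_OIW_ALGORITHM OID_OIW_SECSIG, 2
#define OID_OIW_ALGORITHM_LENGTH (OID_OIW_SECSIG_LENGTH + 1)

#define OID_OIWDIR OID_OIW, 7, 2
#define OID_OIWDIR_LENGTH (OID_OIW_LENGTH + 2)

#define OID_OIWDIR_CRPT OID_OIWDIR, 1

#define OID_OIWDIR_HASH OID_OIWDIR, 2
#define OID_OIWDIR_HASH_LENGTH (OID_OIWDIR_LENGTH + 1)

#define OID_OIWDIR_SIGN OID_OIWDIR, 3
#define OID_OIWDIR_SIGN_LENGTH (OID_OIWDIR_LENGTH + 1)

#define OID_X9CM OID_US, 206, 56
#define OID_X9CM_MODULE OID_X9CM, 1
#define OID_X9CM_INSTRUCTION OID_X9CM, 2
#define OID_X9CM_ATTR OID_X9CM, 3
#define OID_X9CM_X9ALGORITHM OID_X9CM, 4
#define OID_X9CM_X9ALGORITHM_LENGTH ((OID_US_LENGTH) + 2 + 1)

#define INTEL 96, 134, 72, 1, 134, 248, 77
#define INTEL_LENGTH 7

/*
 * NOTE(review): INTEL_CDSASECURITY and INTEL_CDSASECURITY_LENGTH are not
 * defined anywhere in this header, so the four macros below expand to an
 * undefined identifier unless a caller defines them first.  Left as-is
 * because they are part of the public macro set.
 */
#define INTEL_SEC_FORMATS INTEL_CDSASECURITY, 1
#define INTEL_SEC_FORMATS_LENGTH (INTEL_CDSASECURITY_LENGTH + 1)

#define INTEL_SEC_ALGS INTEL_CDSASECURITY, 2, 5
#define INTEL_SEC_ALGS_LENGTH (INTEL_CDSASECURITY_LENGTH + 2)

/*
 * Pre-built KMF_OID constants for X.500 / PKCS#9 attribute types.
 * They are defined elsewhere; this header only declares them.
 */
extern const KMF_OID
	KMFOID_AliasedEntryName,
	KMFOID_AuthorityRevocationList,
	KMFOID_BusinessCategory,
	KMFOID_CACertificate,
	KMFOID_CertificateRevocationList,
	KMFOID_ChallengePassword,
	KMFOID_CollectiveFacsimileTelephoneNumber,
	KMFOID_CollectiveInternationalISDNNumber,
	KMFOID_CollectiveOrganizationName,
	KMFOID_CollectiveOrganizationalUnitName,
	KMFOID_CollectivePhysicalDeliveryOfficeName,
	KMFOID_CollectivePostOfficeBox,
	KMFOID_CollectivePostalAddress,
	KMFOID_CollectivePostalCode,
	KMFOID_CollectiveStateProvinceName,
	KMFOID_CollectiveStreetAddress,
	KMFOID_CollectiveTelephoneNumber,
	KMFOID_CollectiveTelexNumber,
	KMFOID_CollectiveTelexTerminalIdentifier,
	KMFOID_CommonName,
	KMFOID_ContentType,
	KMFOID_CounterSignature,
	KMFOID_CountryName,
	KMFOID_CrossCertificatePair,
	KMFOID_DNQualifier,
	KMFOID_Description,
	KMFOID_DestinationIndicator,
	KMFOID_DistinguishedName,
	KMFOID_EmailAddress,
	KMFOID_EnhancedSearchGuide,
	KMFOID_ExtendedCertificateAttributes,
	KMFOID_ExtensionRequest,
	KMFOID_FacsimileTelephoneNumber,
	KMFOID_GenerationQualifier,
	KMFOID_GivenName,
	KMFOID_HouseIdentifier,
	KMFOID_Initials,
	KMFOID_InternationalISDNNumber,
	KMFOID_KnowledgeInformation,
	KMFOID_LocalityName,
	KMFOID_Member,
	KMFOID_MessageDigest,
	KMFOID_Name,
	KMFOID_ObjectClass,
	KMFOID_OrganizationName,
	KMFOID_OrganizationalUnitName,
	KMFOID_Owner,
	KMFOID_PhysicalDeliveryOfficeName,
	KMFOID_PostOfficeBox,
	KMFOID_PostalAddress,
	KMFOID_PostalCode,
	KMFOID_PreferredDeliveryMethod,
	KMFOID_PresentationAddress,
	KMFOID_ProtocolInformation,
	KMFOID_RFC822mailbox,
	KMFOID_RegisteredAddress,
	KMFOID_RoleOccupant,
	KMFOID_SearchGuide,
	KMFOID_SeeAlso,
	KMFOID_SerialNumber,
	KMFOID_SigningTime,
	KMFOID_StateProvinceName,
	KMFOID_StreetAddress,
	KMFOID_SupportedApplicationContext,
	KMFOID_Surname,
	KMFOID_TelephoneNumber,
	KMFOID_TelexNumber,
	KMFOID_TelexTerminalIdentifier,
	KMFOID_Title,
	KMFOID_UniqueIdentifier,
	KMFOID_UniqueMember,
	KMFOID_UnstructuredAddress,
	KMFOID_UnstructuredName,
	KMFOID_UserCertificate,
	KMFOID_UserPassword,
	KMFOID_X_121Address,
	KMFOID_domainComponent,
	KMFOID_userid;

/*
 * Pre-built KMF_OID constants for certificate extensions, PKIX policy
 * qualifiers, extended key purposes, and signature / key algorithms.
 */
extern const KMF_OID
	KMFOID_AuthorityKeyID,
	KMFOID_AuthorityInfoAccess,
	KMFOID_VerisignCertificatePolicy,
	KMFOID_KeyUsageRestriction,
	KMFOID_SubjectDirectoryAttributes,
	KMFOID_SubjectKeyIdentifier,
	KMFOID_KeyUsage,
	KMFOID_PrivateKeyUsagePeriod,
	KMFOID_SubjectAltName,
	KMFOID_IssuerAltName,
	KMFOID_BasicConstraints,
	KMFOID_CrlNumber,
	KMFOID_CrlReason,
	KMFOID_HoldInstructionCode,
	KMFOID_InvalidityDate,
	KMFOID_DeltaCrlIndicator,
	KMFOID_IssuingDistributionPoints,
	KMFOID_NameConstraints,
	KMFOID_CrlDistributionPoints,
	KMFOID_CertificatePolicies,
	KMFOID_PolicyMappings,
	KMFOID_PolicyConstraints,
	KMFOID_AuthorityKeyIdentifier,
	KMFOID_ExtendedKeyUsage,
	KMFOID_PkixAdOcsp,
	KMFOID_PkixAdCaIssuers,
	KMFOID_PKIX_PQ_CPSuri,
	KMFOID_PKIX_PQ_Unotice,
	KMFOID_PKIX_KP_ServerAuth,
	KMFOID_PKIX_KP_ClientAuth,
	KMFOID_PKIX_KP_CodeSigning,
	KMFOID_PKIX_KP_EmailProtection,
	KMFOID_PKIX_KP_IPSecEndSystem,
	KMFOID_PKIX_KP_IPSecTunnel,
	KMFOID_PKIX_KP_IPSecUser,
	KMFOID_PKIX_KP_TimeStamping,
	KMFOID_PKIX_KP_OCSPSigning,
	KMFOID_SHA1,
	KMFOID_RSA,
	KMFOID_DSA,
	KMFOID_MD5WithRSA,
	KMFOID_MD2WithRSA,
	KMFOID_SHA1WithRSA,
	KMFOID_SHA1WithDSA,
	KMFOID_OIW_DSAWithSHA1,
	KMFOID_X9CM_DSA,
	KMFOID_X9CM_DSAWithSHA1;

/*
 * KMF Certificate validation codes. These may be masked together.
 * A result of KMF_CERT_VALIDATE_OK (0) means every check passed; any
 * non-zero result is a failure, and each set bit names one failed check.
 */
#define KMF_CERT_VALIDATE_OK 0x00
#define KMF_CERT_VALIDATE_ERR_TA 0x01
#define KMF_CERT_VALIDATE_ERR_USER 0x02
#define KMF_CERT_VALIDATE_ERR_SIGNATURE 0x04
#define KMF_CERT_VALIDATE_ERR_KEYUSAGE 0x08
#define KMF_CERT_VALIDATE_ERR_EXT_KEYUSAGE 0x10
#define KMF_CERT_VALIDATE_ERR_TIME 0x20
#define KMF_CERT_VALIDATE_ERR_CRL 0x40
#define KMF_CERT_VALIDATE_ERR_OCSP 0x80
#define KMF_CERT_VALIDATE_ERR_ISSUER 0x100

/*
 * KMF Key Usage bitmasks
 * Bit 0 of the X.509 KeyUsage BIT STRING (digitalSignature) is the most
 * significant bit of the 16-bit value, so bit n is 0x8000 >> n.
 */
#define KMF_digitalSignature 0x8000
#define KMF_nonRepudiation 0x4000
#define KMF_keyEncipherment 0x2000
#define KMF_dataEncipherment 0x1000
#define KMF_keyAgreement 0x0800
#define KMF_keyCertSign 0x0400
#define KMF_cRLSign 0x0200
#define KMF_encipherOnly 0x0100
#define KMF_decipherOnly 0x0080

/* Union of all nine KeyUsage bits above. */
#define KMF_KUBITMASK 0xFF80

/*
 * KMF Extended KeyUsage OID definitions
 * Bit flags (not OIDs) identifying which id-kp purposes are present.
 */
#define KMF_EKU_SERVERAUTH 0x01
#define KMF_EKU_CLIENTAUTH 0x02
#define KMF_EKU_CODESIGNING 0x04
#define KMF_EKU_EMAIL 0x08
#define KMF_EKU_TIMESTAMP 0x10
#define KMF_EKU_OCSPSIGNING 0x20


/*
 * Legacy support only - do not use these data structures - they can be
 * removed at any time.
 */

/* Keystore Configuration */
typedef struct {
	char *configdir;
	char *certPrefix;
	char *keyPrefix;
	char *secModName;
} KMF_NSS_CONFIG;

typedef struct {
	char *label;
	boolean_t readonly;
} KMF_PKCS11_CONFIG;

typedef struct {
	KMF_KEYSTORE_TYPE kstype;
	union {
		KMF_NSS_CONFIG nss_conf;
		KMF_PKCS11_CONFIG pkcs11_conf;
	} ks_config_u;
} KMF_CONFIG_PARAMS;

#define nssconfig ks_config_u.nss_conf
#define pkcs11config ks_config_u.pkcs11_conf


typedef struct
{
	char *trustflag;
	char *slotlabel; /* "internal" by default */
	int issuerId;
	int subjectId;
	char *crlfile; /* for ImportCRL */
	boolean_t crl_check; /* for ImportCRL */

	/*
	 * The following 2 variables are for FindCertInCRL. The caller can
	 * either specify certLabel or provide the entire certificate in
	 * DER format as input.
	 */
	char *certLabel; /* for FindCertInCRL */
	KMF_DATA *certificate; /* for FindCertInCRL */

	/*
	 * crl_subjName and crl_issuerName are used as the CRL deletion
	 * criteria. One should be non-NULL and the other one should be NULL.
	 * If crl_subjName is not NULL, then delete CRL by the subject name.
	 * Otherwise, delete by the issuer name.
	 */
	char *crl_subjName;
	char *crl_issuerName;
} KMF_NSS_PARAMS;

typedef struct {
	char *dirpath;
	char *certfile;
	char *crlfile;
	char *keyfile;
	char *outcrlfile;
	boolean_t crl_check; /* CRL import check; default is true */
	KMF_ENCODE_FORMAT format; /* output file format */
} KMF_OPENSSL_PARAMS;

/*
 * NOTE: the member named "private" is a C++ keyword, so this legacy
 * struct cannot be compiled as C++ despite the extern "C" guard.  The
 * name is kept because renaming it would break existing C callers.
 */
typedef struct {
	boolean_t private; /* for finding CKA_PRIVATE objects */
	boolean_t sensitive;
	boolean_t not_extractable;
	boolean_t token; /* true == token object, false == session */
} KMF_PKCS11_PARAMS;

typedef struct {
	KMF_KEYSTORE_TYPE kstype;
	char *certLabel;
	char *issuer;
	char *subject;
	char *idstr;
	KMF_BIGINT *serial;
	KMF_CERT_VALIDITY find_cert_validity;

	union {
		KMF_NSS_PARAMS nss_opts;
		KMF_OPENSSL_PARAMS openssl_opts;
		KMF_PKCS11_PARAMS pkcs11_opts;
	} ks_opt_u;
} KMF_FINDCERT_PARAMS, KMF_DELETECERT_PARAMS;

typedef struct {
	KMF_KEYSTORE_TYPE kstype;
	KMF_CREDENTIAL cred;
	KMF_KEY_CLASS keyclass;
	KMF_KEY_ALG keytype;
	KMF_ENCODE_FORMAT format; /* for key */
	char *findLabel;
	char *idstr;
	union {
		KMF_NSS_PARAMS nss_opts;
		KMF_OPENSSL_PARAMS openssl_opts;
		KMF_PKCS11_PARAMS pkcs11_opts;
	} ks_opt_u;
} KMF_FINDKEY_PARAMS;

typedef struct {
	KMF_KEYSTORE_TYPE kstype;
	KMF_KEY_ALG keytype;
	uint32_t keylength;
	char *keylabel;
	KMF_CREDENTIAL cred;
	KMF_BIGINT rsa_exponent;
	union {
		KMF_NSS_PARAMS nss_opts;
		KMF_OPENSSL_PARAMS openssl_opts;
	} ks_opt_u;
} KMF_CREATEKEYPAIR_PARAMS;


typedef struct {
	KMF_KEYSTORE_TYPE kstype;
	KMF_CREDENTIAL cred;
	KMF_ENCODE_FORMAT format; /* for key */
	char *certLabel;
	KMF_ALGORITHM_INDEX algid;
	union {
		KMF_NSS_PARAMS nss_opts;
		KMF_OPENSSL_PARAMS openssl_opts;
	} ks_opt_u;
} KMF_CRYPTOWITHCERT_PARAMS;

typedef struct {
	char *crl_name;
} KMF_CHECKCRLDATE_PARAMS;

/* Shorthands for the ks_opt_u union members of the *_PARAMS structs. */
#define nssparms ks_opt_u.nss_opts
#define sslparms ks_opt_u.openssl_opts
#define pkcs11parms ks_opt_u.pkcs11_opts

#ifdef __cplusplus
}
#endif
#endif /* _KMFTYPES_H */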