1 /*
2  * Copyright (c) 1995-2000 Intel Corporation. All rights reserved.
3  */
4 /*
5  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
6  * Use is subject to license terms.
7  */
8 
9 #ifndef _KMFTYPES_H
10 #define	_KMFTYPES_H
11 
12 #pragma ident	"%Z%%M%	%I%	%E% SMI"
13 
14 #include <sys/types.h>
15 #include <stdlib.h>
16 #include <strings.h>
17 #include <pthread.h>
18 
19 #include <security/cryptoki.h>
20 
21 #ifdef __cplusplus
22 extern "C" {
23 #endif
24 
/*
 * KMF_BOOL is a fixed-width boolean used by the parsed X.509 structures
 * further down (e.g. KMF_X509EXT_BASICCONSTRAINTS, KMF_X509_EXTENSION).
 * The keystore parameter structures use the system boolean_t instead, so
 * the two must not be mixed without an explicit conversion.
 */
typedef uint32_t KMF_BOOL;

#define	KMF_FALSE (0)
#define	KMF_TRUE  (1)
29 
/*
 * KMF_HANDLE_T is a pointer to an incomplete C struct for type safety.
 * Because the struct body is not visible to users of this header, a handle
 * can only be created, used and released through the library's functions.
 */
typedef struct _kmf_handle *KMF_HANDLE_T;
32 
/*
 * KMF_DATA
 * The KMF_DATA structure is used to associate a length, in bytes, with
 * an arbitrary block of contiguous memory.
 *
 * The structure does not record who owns Data; each function that fills
 * or consumes a KMF_DATA defines whether the caller must free it.
 * Consumers must bound every access by Length, never by a terminator.
 */
typedef struct kmf_data
{
    size_t	Length; /* in bytes */
    uchar_t	*Data;
} KMF_DATA;
43 
/*
 * KMF_BIGINT
 * A length-delimited byte string holding a big integer (serial numbers,
 * RSA/DSA key components below).  The byte order of val is not stated
 * here -- confirm against the encoder before interpreting the bytes.
 */
typedef struct {
	uchar_t		*val;
	size_t		len;
} KMF_BIGINT;
48 
/*
 * KMF_OID
 * The object identifier (OID) structure is used to hold a unique identifier for
 * the atomic data fields and the compound substructure that comprise the fields
 * of a certificate or CRL.
 *
 * An OID is carried as its encoded bytes in a KMF_DATA; the OID_* byte lists
 * at the end of this header are the source for the well-known values.
 */
typedef KMF_DATA KMF_OID;
56 
/*
 * KMF_X509_PRIVATE
 * Per-certificate bookkeeping kept by the KMF layer alongside the DER
 * data (see KMF_X509_DER_CERT).  flags is a bitmask of the KMF_FLAG_*
 * values defined inside the struct.
 *
 * Despite its name, KMF_X509_PRIVATE_PTR is a second alias for the struct
 * itself, not a pointer to it.
 */
typedef struct kmf_x509_private {
	int	keystore_type;
	int	flags;			/* see below */
	char	*label;
#define	KMF_FLAG_CERT_VALID	1	/* contains valid certificate */
#define	KMF_FLAG_CERT_SIGNED	2	/* this is a signed certificate */
} KMF_X509_PRIVATE, KMF_X509_PRIVATE_PTR;
64 
/*
 * KMF_X509_DER_CERT
 * This structure associates packed DER certificate data with the
 * private information used internally by the KMF layer.
 * certificate.Data is the raw DER encoding; nothing here records whether
 * the encoding has been validated, so treat it as untrusted input until
 * it has been decoded and verified.
 */
typedef struct
{
	KMF_DATA		certificate;
	KMF_X509_PRIVATE	kmf_private;
} KMF_X509_DER_CERT;
76 
/*
 * KMF_KEYSTORE_TYPE
 * Selects the keystore back end.  The three concrete values are
 * explicit; KMF_KEYSTORE_DEFAULT takes the next value (4) and is a
 * placeholder to be resolved from configuration, which is why
 * VALID_KEYSTORE_TYPE() below does not accept it.
 */
typedef enum {
	KMF_KEYSTORE_NSS = 1,
	KMF_KEYSTORE_OPENSSL = 2,
	KMF_KEYSTORE_PK11TOKEN = 3,
	KMF_KEYSTORE_DEFAULT	/* based on configuration */
} KMF_KEYSTORE_TYPE;
83 
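/*
 * VALID_KEYSTORE_TYPE(t)
 * True when t names one of the concrete keystore back ends
 * (KMF_KEYSTORE_NSS .. KMF_KEYSTORE_PK11TOKEN).  KMF_KEYSTORE_DEFAULT is
 * outside the accepted range, so it must be resolved before being checked.
 *
 * The argument is evaluated twice, so it must not have side effects.
 * Each use of t is parenthesized so that an expression argument (for
 * example a conditional) is not re-associated by operator precedence.
 */
#define	VALID_KEYSTORE_TYPE(t) (((t) >= KMF_KEYSTORE_NSS) &&\
	((t) <= KMF_KEYSTORE_PK11TOKEN))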
86 
/*
 * KMF_ENCODE_FORMAT
 * On-disk / in-memory encoding of certificates, keys and CRLs.
 * KMF_FORMAT_NATIVE is an alias for KMF_FORMAT_UNDEF, i.e. "whatever the
 * keystore uses by default".
 */
typedef enum {
	KMF_FORMAT_UNDEF =	0,
	KMF_FORMAT_ASN1 =	1,	/* DER */
	KMF_FORMAT_PEM =	2,
	KMF_FORMAT_PKCS12 =	3,
	KMF_FORMAT_RAWKEY =	4,	/* For FindKey operation */
	KMF_FORMAT_PEM_KEYPAIR = 5
} KMF_ENCODE_FORMAT;
#define	KMF_FORMAT_NATIVE KMF_FORMAT_UNDEF
96 
/*
 * KMF_CERT_VALIDITY
 * Filter used by certificate searches (see find_cert_validity in
 * KMF_FINDCERT_PARAMS) to select all, only unexpired, or only expired
 * certificates.
 */
typedef enum {
	KMF_ALL_CERTS =		0,
	KMF_NONEXPIRED_CERTS =	1,
	KMF_EXPIRED_CERTS =	2
} KMF_CERT_VALIDITY;
102 
/*
 * KMF_KU_PURPOSE
 * Intended use of a key, used when checking a certificate's key usage
 * against an operation (signing certificates, signing data, encrypting
 * data).
 */
typedef enum {
	KMF_KU_SIGN_CERT	= 0,
	KMF_KU_SIGN_DATA	= 1,
	KMF_KU_ENCRYPT_DATA	= 2
} KMF_KU_PURPOSE;
108 
/*
 * Algorithms
 * This type defines a set of constants used to identify cryptographic
 * algorithms.  Values after KMF_ALGID_NONE are assigned consecutively.
 *
 * NOTE(review): MD2, MD5 and SHA-1 are no longer considered collision
 * resistant.  The *WithRSA/*WithDSA entries built on them are useful for
 * reading existing material; new signatures should not select them.
 */
typedef enum {
	KMF_ALGID_NONE	= 0,
	KMF_ALGID_CUSTOM,
	KMF_ALGID_SHA1,
	KMF_ALGID_RSA,
	KMF_ALGID_DSA,
	KMF_ALGID_MD5WithRSA,
	KMF_ALGID_MD2WithRSA,
	KMF_ALGID_SHA1WithRSA,
	KMF_ALGID_SHA1WithDSA
} KMF_ALGORITHM_INDEX;
125 
/* Keystore Configuration */

/*
 * KMF_NSS_CONFIG
 * Settings for the NSS keystore: the database directory plus the
 * prefixes and security-module name NSS uses to locate its files.
 * All members are caller-supplied strings; ownership is not recorded here.
 */
typedef struct {
	char    *configdir;
	char    *certPrefix;
	char    *keyPrefix;
	char    *secModName;
} KMF_NSS_CONFIG;
133 
/*
 * KMF_PKCS11_CONFIG
 * Settings for the PKCS#11 token keystore: the token label to open and
 * whether the session should be opened read-only.
 */
typedef struct {
	char		*label;
	boolean_t	readonly;
} KMF_PKCS11_CONFIG;
138 
/*
 * KMF_CONFIG_PARAMS
 * Keystore configuration passed at initialization.  kstype selects the
 * back end and therefore which member of ks_config_u is meaningful;
 * there is no NSS/PKCS#11-independent member for the OpenSSL keystore.
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	union {
		KMF_NSS_CONFIG		nss_conf;
		KMF_PKCS11_CONFIG	pkcs11_conf;
	} ks_config_u;
} KMF_CONFIG_PARAMS;

/*
 * Shorthand for the union members.  These are unscoped, lowercase macro
 * names, so any identifier called nssconfig or pkcs11config in a file
 * that includes this header will be rewritten by the preprocessor.
 */
#define	nssconfig	ks_config_u.nss_conf
#define	pkcs11config	ks_config_u.pkcs11_conf
149 
/*
 * Generic credential structure used by other structures below
 * to convey authentication information to the underlying
 * mechanisms.
 *
 * cred carries secret material (the uses below are token PINs and the
 * PKCS#12 file passphrase).  credlen gives its length; do not assume cred
 * is NUL-terminated.  The structure does not say who allocates or frees
 * the buffer -- whoever owns it should clear it once it is no longer
 * needed rather than leaving the secret in freed memory.
 */
typedef struct {
	char *cred;
	uint32_t credlen;
} KMF_CREDENTIAL;
159 
/*
 * KMF_NSS_PARAMS
 * NSS-specific options that ride in the ks_opt_u union of the
 * per-operation parameter structures below.  Only the members relevant
 * to a given operation are consulted; the trailing comments name the
 * operation each member belongs to.  trustflag is passed through to NSS
 * as a string -- its grammar is NSS's, not KMF's.
 */
typedef struct
{
	char    *trustflag;
	char	*slotlabel;	/* "internal" by default */
	int	issuerId;
	int	subjectId;
	char	*crlfile;	/* for ImportCRL */
	boolean_t crl_check;	/* for ImportCRL */

	/*
	 * The following 2 variables are for FindCertInCRL. The caller can
	 * either specify certLabel or provide the entire certificate in
	 * DER format as input.
	 */
	char	*certLabel;	/* for FindCertInCRL */
	KMF_DATA *certificate;  /* for FindCertInCRL */

	/*
	 * crl_subjName and crl_issuerName are used as the CRL deletion
	 * criteria.  One should be non-NULL and the other one should be NULL.
	 * If crl_subjName is not NULL, then delete CRL by the subject name.
	 * Otherwise, delete by the issuer name.
	 */
	char 	*crl_subjName;
	char	*crl_issuerName;
} KMF_NSS_PARAMS;
186 
/*
 * KMF_OPENSSL_PARAMS
 * File-based options for the OpenSSL keystore: where certificates, keys
 * and CRLs live on disk, and the format to write.  The paths are used
 * as given; callers that build them from external input should
 * canonicalize and check them first.
 */
typedef struct {
	char	*dirpath;
	char    *certfile;
	char	*crlfile;
	char    *keyfile;
	char	*outcrlfile;
	boolean_t crl_check;	/* CRL import check; default is true */
	KMF_ENCODE_FORMAT	format; /* output file format */
} KMF_OPENSSL_PARAMS;
196 
/*
 * KMF_PKCS11_PARAMS
 * PKCS#11 object attributes used when searching for or creating objects
 * on a token (CKA_PRIVATE, CKA_SENSITIVE, !CKA_EXTRACTABLE, CKA_TOKEN).
 *
 * The member named "private" is a reserved word in C++, so although the
 * header is wrapped in extern "C", a C++ translation unit cannot include
 * it as written.  Renaming would change the public layout, so this is
 * left as a caveat.
 */
typedef struct {
	boolean_t	private; /* for finding CKA_PRIVATE objects */
	boolean_t	sensitive;
	boolean_t	not_extractable;
	boolean_t	token; /* true == token object, false == session */
} KMF_PKCS11_PARAMS;
203 
/*
 * KMF_FINDCERT_PARAMS / KMF_DELETECERT_PARAMS
 * Selection criteria for locating (and, with the second alias, deleting)
 * certificates.  NULL string members are presumably wildcards -- confirm
 * with the keystore plugins.  serial is a pointer so that "no serial
 * filter" can be expressed as NULL.  kstype selects the ks_opt_u member.
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	char			*certLabel;
	char			*issuer;
	char			*subject;
	char			*idstr;
	KMF_BIGINT		*serial;
	KMF_CERT_VALIDITY	find_cert_validity;

	union {
		KMF_NSS_PARAMS		nss_opts;
		KMF_OPENSSL_PARAMS	openssl_opts;
		KMF_PKCS11_PARAMS	pkcs11_opts;
	} ks_opt_u;
} KMF_FINDCERT_PARAMS, KMF_DELETECERT_PARAMS;
219 
/*
 * KMF_VALIDATECERT_PARAMS
 * Input to certificate validation: the DER certificate to check and an
 * optional OCSP response to consult.  The certificate is untrusted input
 * until validation succeeds.
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	KMF_DATA		*certificate;
	KMF_DATA		*ocsp_response;

	union {
		KMF_NSS_PARAMS		nss_opts;
		KMF_OPENSSL_PARAMS	openssl_opts;
		KMF_PKCS11_PARAMS	pkcs11_opts;
	} ks_opt_u;
} KMF_VALIDATECERT_PARAMS;
231 
/*
 * KMF_KEY_ALG
 * Key algorithm of a key handle or a key to be generated.
 *
 * NOTE(review): RC4, DES and DES3 are legacy ciphers kept for
 * interoperability with existing keys; AES is the symmetric choice for
 * new material.
 */
typedef enum {
	KMF_KEYALG_NONE = 0,
	KMF_RSA = 1,
	KMF_DSA = 2,
	KMF_AES = 3,
	KMF_RC4 = 4,
	KMF_DES = 5,
	KMF_DES3 = 6,
	KMF_GENERIC_SECRET = 7
}KMF_KEY_ALG;
242 
/*
 * KMF_KEY_CLASS
 * Whether a key is the public or private half of an asymmetric pair, or
 * a symmetric key.  Code that hands out raw key data should check this
 * before treating the contents as secret or not.
 */
typedef enum {
	KMF_KEYCLASS_NONE = 0,
	KMF_ASYM_PUB = 1,	/* public key of an asymmetric keypair */
	KMF_ASYM_PRI = 2,	/* private key of an asymmetric keypair */
	KMF_SYMMETRIC = 3	/* symmetric key */
}KMF_KEY_CLASS;
249 
/*
 * KMF_FINDKEY_PARAMS
 * Criteria for locating keys.  cred authenticates to the keystore;
 * keyclass/keytype narrow the match; format is the encoding wanted for
 * the returned key (KMF_FORMAT_RAWKEY requests the raw components).
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	KMF_CREDENTIAL		cred;
	KMF_KEY_CLASS		keyclass;
	KMF_KEY_ALG		keytype;
	KMF_ENCODE_FORMAT	format; /* for key */
	char			*findLabel;
	char			*idstr;
	union {
		KMF_NSS_PARAMS		nss_opts;
		KMF_OPENSSL_PARAMS	openssl_opts;
		KMF_PKCS11_PARAMS	pkcs11_opts;
	} ks_opt_u;
} KMF_FINDKEY_PARAMS;
264 
/*
 * KMF_STORECERT_PARAMS
 * Parameters for storing a certificate under certLabel.  Only the NSS
 * and OpenSSL keystores have per-store options here.
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;  /* all */
	char			*certLabel;

	union {
		KMF_NSS_PARAMS		nss_opts;
		KMF_OPENSSL_PARAMS	openssl_opts;
	} ks_opt_u;
} KMF_STORECERT_PARAMS;
274 
/*
 * KMF_STOREKEY_PARAMS
 * Parameters for storing a key: the keystore credential, the DER
 * certificate the key belongs to, and the label to file it under.
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	KMF_CREDENTIAL		cred;
	KMF_DATA		*certificate;
	char			*label;
	union {
		KMF_NSS_PARAMS		nss_opts;
		KMF_OPENSSL_PARAMS	openssl_opts;
	} ks_opt_u;
} KMF_STOREKEY_PARAMS;
285 
/*
 * KMF_DELETEKEY_PARAMS
 * Parameters for deleting a key.  The key itself is presumably
 * identified by a separate handle argument -- this structure only
 * carries the keystore type, credential and NSS options.
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	KMF_CREDENTIAL		cred;
	union {
		KMF_NSS_PARAMS		nss_opts;
	} ks_opt_u;
} KMF_DELETEKEY_PARAMS;
293 
/*
 * KMF_IMPORTCERT_PARAMS
 * Parameters for importing a certificate from certfile and storing it
 * under certLabel.  The file contents are external input; import should
 * decode and check them before they are trusted.
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	char			*certfile;
	char			*certLabel;

	union {
		KMF_NSS_PARAMS	nss_opts;
	} ks_opt_u;
} KMF_IMPORTCERT_PARAMS;
303 
/*
 * KMF_OBJECT_TYPE
 * Kind of PKI object being handled: a certificate, a PKCS#10 request
 * or a CRL.
 */
typedef enum {
	KMF_CERT = 0,
	KMF_CSR = 1,
	KMF_CRL = 2
}KMF_OBJECT_TYPE;
309 
/*
 * KMF_CREATEKEYPAIR_PARAMS
 * Parameters for generating an asymmetric key pair.  keylength is in
 * bits (presumed from the keytype/keylength pairing -- confirm with the
 * plugins).  rsa_exponent is consulted only for RSA; an empty KMF_BIGINT
 * presumably means "use the plugin's default exponent".
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	KMF_KEY_ALG		keytype;
	uint32_t		keylength;
	char			*keylabel;
	KMF_CREDENTIAL		cred;
	KMF_BIGINT		rsa_exponent;
	union {
	    KMF_NSS_PARAMS	nss_opts;
	    KMF_OPENSSL_PARAMS	openssl_opts;
	}ks_opt_u;
} KMF_CREATEKEYPAIR_PARAMS;
322 
/*
 * KMF_IMPORTCRL_PARAMS
 * Parameters for importing a CRL.  The CRL file and whether to verify
 * it on import (crl_check) live in the keystore-specific options.
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	union {
		KMF_NSS_PARAMS	nss_opts;
		KMF_OPENSSL_PARAMS	openssl_opts;
	} ks_opt_u;
} KMF_IMPORTCRL_PARAMS;
330 
/*
 * KMF_DELETECRL_PARAMS
 * Parameters for deleting a CRL.  The deletion criteria (subject or
 * issuer name for NSS, file name for OpenSSL) are in ks_opt_u.
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	union {
		KMF_NSS_PARAMS	nss_opts;
		KMF_OPENSSL_PARAMS	openssl_opts;
	} ks_opt_u;
} KMF_DELETECRL_PARAMS;
338 
/*
 * KMF_LISTCRL_PARAMS
 * Parameters for listing CRLs held by the NSS or OpenSSL keystore.
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	union {
		KMF_NSS_PARAMS	nss_opts;
		KMF_OPENSSL_PARAMS	openssl_opts;
	} ks_opt_u;
} KMF_LISTCRL_PARAMS;
346 
/*
 * KMF_FINDCRL_PARAMS
 * Parameters for locating a CRL; only the NSS keystore has options.
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	union {
		KMF_NSS_PARAMS	nss_opts;
	} ks_opt_u;
} KMF_FINDCRL_PARAMS;
353 
/*
 * KMF_FINDCERTINCRL_PARAMS
 * Parameters for checking whether a certificate appears in a CRL.  The
 * certificate (by label or DER) is given in the NSS options; see the
 * certLabel/certificate members of KMF_NSS_PARAMS.
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;

	union {
		KMF_NSS_PARAMS	nss_opts;
		KMF_OPENSSL_PARAMS  openssl_opts;
	} ks_opt_u;
} KMF_FINDCERTINCRL_PARAMS;
362 
/*
 * KMF_VERIFYCRL_PARAMS
 * Parameters for verifying a CRL's signature: the CRL (by name) and the
 * DER trust-anchor certificate expected to have signed it.
 */
typedef struct {
	char			*crl_name;
	KMF_DATA		*tacert;
} KMF_VERIFYCRL_PARAMS;
367 
/*
 * KMF_CRYPTOWITHCERT_PARAMS
 * Parameters for a cryptographic operation performed with the key that
 * belongs to the certificate labelled certLabel.  algid names the
 * algorithm; see the NOTE on KMF_ALGORITHM_INDEX about the legacy
 * digest choices.
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	KMF_CREDENTIAL		cred;
	KMF_ENCODE_FORMAT	format; /* for key  */
	char			*certLabel;
	KMF_ALGORITHM_INDEX	algid;
	union {
	    KMF_NSS_PARAMS	nss_opts;
	    KMF_OPENSSL_PARAMS	openssl_opts;
	}ks_opt_u;
} KMF_CRYPTOWITHCERT_PARAMS;
379 
/*
 * KMF_CHECKCRLDATE_PARAMS
 * Parameters for checking a CRL's validity dates; the CRL is named only.
 */
typedef struct {
	char			*crl_name;
} KMF_CHECKCRLDATE_PARAMS;
383 
/*
 * pk11_setpin_opts
 * PKCS#11-specific option for SetPin: the slot whose PIN is changed.
 * CK_SLOT_ID comes from <security/cryptoki.h>.
 */
typedef struct {
	CK_SLOT_ID	slot;
} pk11_setpin_opts;
387 
/*
 * KMF_SETPIN_PARAMS
 * Parameters for changing a token PIN.  cred is the current PIN and is
 * secret; the new PIN is presumably passed as a separate argument.
 * Callers should clear both buffers once the operation returns.
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	char			*tokenname;
	KMF_CREDENTIAL		cred;	/* current token PIN */
	union {
		KMF_NSS_PARAMS		nss_opts;
		pk11_setpin_opts	pkcs11_opts;
	}ks_opt_u;
} KMF_SETPIN_PARAMS;
397 
/*
 * KMF_RAW_RSA_KEY
 * RSA key components as big integers.  mod and pubexp are public;
 * priexp, prime1, prime2, exp1, exp2 and coef are private-key material
 * and must be cleared (not merely freed) when the structure is released.
 * Whether the private members are populated for a public-only key is not
 * recorded here -- check the accompanying KMF_KEY_CLASS.
 */
typedef struct {
	KMF_BIGINT	mod;
	KMF_BIGINT	pubexp;
	KMF_BIGINT	priexp;
	KMF_BIGINT	prime1;
	KMF_BIGINT	prime2;
	KMF_BIGINT	exp1;
	KMF_BIGINT	exp2;
	KMF_BIGINT	coef;
} KMF_RAW_RSA_KEY;
408 
/*
 * KMF_RAW_DSA_KEY
 * DSA domain parameters (prime, subprime, base) and the key value.
 * Whether value is the private or the public key is not encoded here;
 * it presumably follows the KMF_KEY_CLASS the key was fetched with --
 * treat it as secret unless that class says otherwise.
 */
typedef struct {
	KMF_BIGINT	prime;
	KMF_BIGINT	subprime;
	KMF_BIGINT	base;
	KMF_BIGINT	value;
} KMF_RAW_DSA_KEY;
415 
/*
 * KMF_RAW_SYM_KEY
 * Raw bytes of a symmetric key.  Always secret: clear keydata.val
 * before freeing it.
 */
typedef struct {
	KMF_BIGINT	keydata;
} KMF_RAW_SYM_KEY;
419 
/*
 * KMF_RAW_KEY_DATA
 * Tagged union of raw key material.  keytype selects the member of
 * rawdata that is valid (KMF_RSA -> rsa, KMF_DSA -> dsa, the symmetric
 * algorithms -> sym); reading any other member is undefined.
 */
typedef struct {
	KMF_KEY_ALG keytype;
	union {
		KMF_RAW_RSA_KEY	rsa;
		KMF_RAW_DSA_KEY	dsa;
		KMF_RAW_SYM_KEY	sym;
	}rawdata;
} KMF_RAW_KEY_DATA;
428 
/*
 * KMF_EXPORTP12_PARAMS
 * Parameters for exporting certificates and keys to a PKCS#12 file.
 * The selection members mirror KMF_FINDCERT_PARAMS.  Two credentials are
 * involved: cred unlocks the keystore, p12cred protects the output file.
 * Both are secrets and should be cleared by the caller after use.
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	char			*certLabel;
	char			*issuer;
	char			*subject;
	char			*idstr;
	KMF_BIGINT		*serial;
	KMF_CREDENTIAL		cred;	/* cred for accessing the token */
	KMF_CREDENTIAL		p12cred; /* cred used for securing the file */

	union {
		KMF_NSS_PARAMS		nss_opts;
		KMF_OPENSSL_PARAMS	openssl_opts;
	}ks_opt_u;
} KMF_EXPORTP12_PARAMS;
444 
/*
 * KMF_CREATESYMKEY_PARAMS
 * Parameters for generating a symmetric key of keytype and keylength
 * (bits, presumably -- confirm with the plugins) labelled keylabel.
 * The PKCS#11 attributes (sensitive, not_extractable, token) come from
 * pkcs11_opts and decide whether the key can later leave the token.
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	KMF_KEY_ALG		keytype;
	uint32_t		keylength;
	char			*keylabel;
	KMF_CREDENTIAL		cred;
	union {
	    KMF_NSS_PARAMS	nss_opts;
	    KMF_OPENSSL_PARAMS	openssl_opts;
	    KMF_PKCS11_PARAMS	pkcs11_opts;
	}ks_opt_u;
} KMF_CREATESYMKEY_PARAMS;
457 
/* Data structures for OCSP support */

/*
 * KMF_OCSPREQUEST_PARAMS
 * Inputs for building an OCSP request: the DER certificate whose status
 * is queried and the DER certificate of its issuer.
 */
typedef struct {
	KMF_DATA *issuer_cert;
	KMF_DATA *user_cert;
} KMF_OCSPREQUEST_PARAMS;
463 
/*
 * KMF_OCSPRESPONSE_PARAMS_INPUT
 * Inputs for checking an OCSP response.  response is data received from
 * the network and is untrusted until its signature has been verified.
 *
 * ignore_response_sign: when true, the response is accepted without
 * verifying its signature, so the revocation status then rests on an
 * unauthenticated message.  Leave it FALSE unless the transport itself
 * authenticates the responder.
 * signer_cert: the expected signer; NULL presumably means "derive the
 * signer from the response/issuer" -- confirm in the validator.
 * response_lifetime: how old (in seconds) a response may be and still
 * be accepted.
 */
typedef struct {
	KMF_DATA *response;
	KMF_DATA *issuer_cert;
	KMF_DATA *user_cert;
	KMF_DATA *signer_cert;  /* can be NULL */
	boolean_t ignore_response_sign;	/* default is FALSE */
	uint32_t response_lifetime;	/* in seconds */
} KMF_OCSPRESPONSE_PARAMS_INPUT;
472 
/*
 * KMF_OCSP_CERT_STATUS
 * Certificate status reported by an OCSP response.  OCSP_UNKNOWN means
 * the responder could not vouch for the certificate; callers should not
 * treat it as "not revoked".
 */
typedef enum {
	OCSP_GOOD	= 0,
	OCSP_REVOKED	= 1,
	OCSP_UNKNOWN	= 2
} KMF_OCSP_CERT_STATUS;
478 
/*
 * KMF_OCSPRESPONSE_PARAMS_OUTPUT
 * Result of checking an OCSP response.  response_status and reason are
 * plain ints; by their names they presumably carry
 * KMF_OCSP_RESPONSE_STATUS and KMF_OCSP_REVOKED_STATUS values (defined
 * further down), but nothing here enforces that -- confirm in the
 * validator before switching on them.
 */
typedef struct {
	int  			response_status;
	int  			reason; /* if revoked */
	KMF_OCSP_CERT_STATUS	cert_status;
} KMF_OCSPRESPONSE_PARAMS_OUTPUT;
484 
/*
 * Shorthand for the ks_opt_u members of the *_PARAMS structures above.
 * Like nssconfig/pkcs11config these are unscoped lowercase macros, so
 * any other identifier spelled nssparms, sslparms or pkcs11parms in an
 * including file will be rewritten by the preprocessor.
 */
#define	nssparms	ks_opt_u.nss_opts
#define	sslparms	ks_opt_u.openssl_opts
#define	pkcs11parms	ks_opt_u.pkcs11_opts
488 
/*
 * KMF_KEY_HANDLE
 * Handle to a key found or created through the library.  keyp is an
 * opaque pointer whose meaning depends on kstype and israw (presumably a
 * KMF_RAW_KEY_DATA when israw is set, a keystore-private object
 * otherwise -- confirm with the plugins).  keyclass says whether the
 * material behind it is secret.
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	KMF_KEY_ALG		keyalg;
	KMF_KEY_CLASS		keyclass;
	boolean_t		israw;
	char			*keylabel;
	void			*keyp;
} KMF_KEY_HANDLE;
497 
/*
 * KMF_ERROR
 * Keystore-specific error: the back end that produced it and its own
 * numeric error code (not a KMF_RETURN).
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	uint32_t		errcode;
} KMF_ERROR;
502 
/*
 * Typenames to use with subjectAltName
 * The values follow the GeneralName CHOICE tags (otherName = 0 ..
 * registeredID = 8); GENNAME_OTHERNAME is explicit and the rest are
 * assigned consecutively.
 */
typedef enum {
	GENNAME_OTHERNAME	= 0x00,
	GENNAME_RFC822NAME,
	GENNAME_DNSNAME,
	GENNAME_X400ADDRESS,
	GENNAME_DIRECTORYNAME,
	GENNAME_EDIPARTYNAME,
	GENNAME_URI,
	GENNAME_IPADDRESS,
	GENNAME_REGISTEREDID
} KMF_GENERALNAMECHOICES;
517 
/*
 * KMF_FIELD
 * This structure contains the OID/value pair for any item that can be
 * identified by an OID.  FieldValue is opaque bytes whose interpretation
 * depends on FieldOid.
 */
typedef struct
{
	KMF_OID		FieldOid;
	KMF_DATA	FieldValue;
} KMF_FIELD;
528 
/*
 * KMF_RETURN
 * Status codes returned by the library.  KMF_OK is 0, so a non-zero
 * value always indicates a failure.  The numbering has gaps (0x08-0x0a,
 * 0x0e-0x0f are unused), so code that maps codes to messages should not
 * assume the values are contiguous.  KMF_KEYSTORE_ALREADY_INITIALIZED is
 * the one member without the KMF_ERR_ prefix.
 */
typedef enum {
	KMF_OK			= 0x00,
	KMF_ERR_BAD_PARAMETER	= 0x01,
	KMF_ERR_BAD_KEY_FORMAT	= 0x02,
	KMF_ERR_BAD_ALGORITHM	= 0x03,
	KMF_ERR_MEMORY		= 0x04,
	KMF_ERR_ENCODING	= 0x05,
	KMF_ERR_PLUGIN_INIT	= 0x06,
	KMF_ERR_PLUGIN_NOTFOUND	= 0x07,
	KMF_ERR_INTERNAL	= 0x0b,
	KMF_ERR_BAD_CERT_FORMAT	= 0x0c,
	KMF_ERR_KEYGEN_FAILED	= 0x0d,
	KMF_ERR_UNINITIALIZED	= 0x10,
	KMF_ERR_ISSUER		= 0x11,
	KMF_ERR_NOT_REVOKED	= 0x12,
	KMF_ERR_CERT_NOT_FOUND	= 0x13,
	KMF_ERR_CRL_NOT_FOUND	= 0x14,
	KMF_ERR_RDN_PARSER	= 0x15,
	KMF_ERR_RDN_ATTR	= 0x16,
	KMF_ERR_SLOTNAME	= 0x17,
	KMF_ERR_EMPTY_CRL	= 0x18,
	KMF_ERR_BUFFER_SIZE	= 0x19,
	KMF_ERR_AUTH_FAILED	= 0x1a,
	KMF_ERR_TOKEN_SELECTED	= 0x1b,
	KMF_ERR_NO_TOKEN_SELECTED	= 0x1c,
	KMF_ERR_TOKEN_NOT_PRESENT	= 0x1d,
	KMF_ERR_EXTENSION_NOT_FOUND	= 0x1e,
	KMF_ERR_POLICY_ENGINE		= 0x1f,
	KMF_ERR_POLICY_DB_FORMAT	= 0x20,
	KMF_ERR_POLICY_NOT_FOUND	= 0x21,
	KMF_ERR_POLICY_DB_FILE		= 0x22,
	KMF_ERR_POLICY_NAME		= 0x23,
	KMF_ERR_OCSP_POLICY		= 0x24,
	KMF_ERR_TA_POLICY		= 0x25,
	KMF_ERR_KEY_NOT_FOUND		= 0x26,
	KMF_ERR_OPEN_FILE		= 0x27,
	KMF_ERR_OCSP_BAD_ISSUER		= 0x28,
	KMF_ERR_OCSP_BAD_CERT		= 0x29,
	KMF_ERR_OCSP_CREATE_REQUEST	= 0x2a,
	KMF_ERR_CONNECT_SERVER		= 0x2b,
	KMF_ERR_SEND_REQUEST		= 0x2c,
	KMF_ERR_OCSP_CERTID		= 0x2d,
	KMF_ERR_OCSP_MALFORMED_RESPONSE	= 0x2e,
	KMF_ERR_OCSP_RESPONSE_STATUS	= 0x2f,
	KMF_ERR_OCSP_NO_BASIC_RESPONSE	= 0x30,
	KMF_ERR_OCSP_BAD_SIGNER		= 0x31,
	KMF_ERR_OCSP_RESPONSE_SIGNATURE	= 0x32,
	KMF_ERR_OCSP_UNKNOWN_CERT	= 0x33,
	KMF_ERR_OCSP_STATUS_TIME_INVALID	= 0x34,
	KMF_ERR_BAD_HTTP_RESPONSE	= 0x35,
	KMF_ERR_RECV_RESPONSE		= 0x36,
	KMF_ERR_RECV_TIMEOUT		= 0x37,
	KMF_ERR_DUPLICATE_KEYFILE	= 0x38,
	KMF_ERR_AMBIGUOUS_PATHNAME	= 0x39,
	KMF_ERR_FUNCTION_NOT_FOUND	= 0x3a,
	KMF_ERR_PKCS12_FORMAT		= 0x3b,
	KMF_ERR_BAD_KEY_TYPE		= 0x3c,
	KMF_ERR_BAD_KEY_CLASS		= 0x3d,
	KMF_ERR_BAD_KEY_SIZE		= 0x3e,
	KMF_ERR_BAD_HEX_STRING		= 0x3f,
	KMF_ERR_KEYUSAGE		= 0x40,
	KMF_ERR_VALIDITY_PERIOD		= 0x41,
	KMF_ERR_OCSP_REVOKED		= 0x42,
	KMF_ERR_CERT_MULTIPLE_FOUND	= 0x43,
	KMF_ERR_WRITE_FILE		= 0x44,
	KMF_ERR_BAD_URI			= 0x45,
	KMF_ERR_BAD_CRLFILE		= 0x46,
	KMF_ERR_BAD_CERTFILE		= 0x47,
	KMF_ERR_GETKEYVALUE_FAILED	= 0x48,
	KMF_ERR_BAD_KEYHANDLE		= 0x49,
	KMF_ERR_BAD_OBJECT_TYPE		= 0x4a,
	KMF_ERR_OCSP_RESPONSE_LIFETIME	= 0x4b,
	KMF_ERR_UNKNOWN_CSR_ATTRIBUTE	= 0x4c,
	KMF_ERR_UNINITIALIZED_TOKEN	= 0x4d,
	KMF_ERR_INCOMPLETE_TBS_CERT	= 0x4e,
	KMF_ERR_MISSING_ERRCODE		= 0x4f,
	KMF_KEYSTORE_ALREADY_INITIALIZED = 0x50,
	KMF_ERR_SENSITIVE_KEY		= 0x51,
	KMF_ERR_UNEXTRACTABLE_KEY	= 0x52,
	KMF_ERR_KEY_MISMATCH		= 0x53
} KMF_RETURN;
610 
/*
 * KMF_OCSP_RESPONSE_STATUS
 * OCSPResponseStatus values (successful = 0 .. unauthorized = 6 in the
 * protocol; note the list here has no entry for the unused value 4
 * "sigRequired" is 5 and "unauthorized" is 6 in RFC 2560, whereas this
 * enum numbers them 4 and 5 -- confirm how the decoder maps the wire
 * value before comparing against these constants).
 */
typedef enum {
	OCSP_SUCCESS 		= 0,
	OCSP_MALFORMED_REQUEST	= 1,
	OCSP_INTERNAL_ERROR	= 2,
	OCSP_TRYLATER		= 3,
	OCSP_SIGREQUIRED	= 4,
	OCSP_UNAUTHORIZED	= 5
} KMF_OCSP_RESPONSE_STATUS;
619 
/*
 * KMF_OCSP_REVOKED_STATUS
 * CRLReason codes for a revoked certificate, plus OCSP_NOSTATUS (-1) for
 * "no reason given".  OCSP_SUPERCEDED keeps its historical spelling
 * because it is part of the public interface.
 */
typedef enum {
	OCSP_NOSTATUS		= -1,
	OCSP_UNSPECIFIED	= 0,
	OCSP_KEYCOMPROMISE	= 1,
	OCSP_CACOMPROMISE	= 2,
	OCSP_AFFILIATIONCHANGE	= 3,
	OCSP_SUPERCEDED		= 4,
	OCSP_CESSATIONOFOPERATION = 5,
	OCSP_CERTIFICATEHOLD	= 6,
	OCSP_REMOVEFROMCRL	= 7
} KMF_OCSP_REVOKED_STATUS;
631 
/*
 * KMF_ALGCLASS
 * Broad class of a cryptographic algorithm (signature, symmetric
 * cipher, digest, ...).  Values are assigned consecutively from 0.
 */
typedef enum {
	KMF_ALGCLASS_NONE 	= 0,
	KMF_ALGCLASS_CUSTOM,
	KMF_ALGCLASS_SIGNATURE,
	KMF_ALGCLASS_SYMMETRIC,
	KMF_ALGCLASS_DIGEST,
	KMF_ALGCLASS_RANDOMGEN,
	KMF_ALGCLASS_UNIQUEGEN,
	KMF_ALGCLASS_MAC,
	KMF_ALGCLASS_ASYMMETRIC,
	KMF_ALGCLASS_KEYGEN,
	KMF_ALGCLASS_DERIVEKEY
} KMF_ALGCLASS;
645 
/*
 * KMF_PRINTABLE_ITEM
 * Identifies a certificate field or extension that can be rendered as
 * text.  Numbering starts at 1 so that 0 is never a valid item.
 */
typedef enum {
	KMF_CERT_ISSUER		= 1,
	KMF_CERT_SUBJECT,
	KMF_CERT_VERSION,
	KMF_CERT_SERIALNUM,
	KMF_CERT_NOTBEFORE,
	KMF_CERT_NOTAFTER,
	KMF_CERT_PUBKEY_ALG,
	KMF_CERT_SIGNATURE_ALG,
	KMF_CERT_EMAIL,
	KMF_CERT_PUBKEY_DATA,
	KMF_X509_EXT_PRIV_KEY_USAGE_PERIOD,
	KMF_X509_EXT_CERT_POLICIES,
	KMF_X509_EXT_SUBJ_ALTNAME,
	KMF_X509_EXT_ISSUER_ALTNAME,
	KMF_X509_EXT_BASIC_CONSTRAINTS,
	KMF_X509_EXT_NAME_CONSTRAINTS,
	KMF_X509_EXT_POLICY_CONSTRAINTS,
	KMF_X509_EXT_EXT_KEY_USAGE,
	KMF_X509_EXT_INHIBIT_ANY_POLICY,
	KMF_X509_EXT_AUTH_KEY_ID,
	KMF_X509_EXT_SUBJ_KEY_ID,
	KMF_X509_EXT_POLICY_MAPPINGS,
	KMF_X509_EXT_CRL_DIST_POINTS,
	KMF_X509_EXT_FRESHEST_CRL,
	KMF_X509_EXT_KEY_USAGE
} KMF_PRINTABLE_ITEM;
673 
/*
 * KMF_X509_ALGORITHM_IDENTIFIER
 * This structure holds an object identifier naming a
 * cryptographic algorithm and an optional set of
 * parameters to be used as input to that algorithm.
 * parameters holds the raw encoded bytes (often an ASN.1 NULL or
 * absent); a Length of 0 presumably means "no parameters".
 */
typedef struct
{
	KMF_OID algorithm;
	KMF_DATA parameters;
} KMF_X509_ALGORITHM_IDENTIFIER;
685 
/*
 * KMF_X509_TYPE_VALUE_PAIR
 * This structure contains a type-value pair (an AttributeTypeAndValue).
 * valueType is the ASN.1 tag the value is encoded with, so value must
 * be decoded according to that tag, not assumed to be a C string.
 */
typedef struct
{
	KMF_OID type;
	uint8_t valueType; /* The Tag to use when BER encoded */
	KMF_DATA value;
} KMF_X509_TYPE_VALUE_PAIR;
696 
697 
/*
 * KMF_X509_RDN
 * This structure contains a Relative Distinguished Name
 * composed of an ordered set of type-value pairs.
 * AttributeTypeAndValue points to numberOfPairs elements; index by that
 * count only.
 */
typedef struct
{
	uint32_t			numberOfPairs;
	KMF_X509_TYPE_VALUE_PAIR	*AttributeTypeAndValue;
} KMF_X509_RDN;
708 
/*
 * KMF_X509_NAME
 * This structure contains a set of Relative Distinguished Names.
 * RelativeDistinguishedName points to numberOfRDNs elements.
 */
typedef struct
{
	uint32_t numberOfRDNs;
	KMF_X509_RDN	*RelativeDistinguishedName;
} KMF_X509_NAME;
718 
/*
 * KMF_X509_SPKI
 * This structure contains the public key and the
 * description of the verification algorithm
 * appropriate for use with this key.
 * subjectPublicKey is the encoded key bytes; their layout depends on
 * algorithm.algorithm.
 */
typedef struct
{
	KMF_X509_ALGORITHM_IDENTIFIER algorithm;
	KMF_DATA subjectPublicKey;
} KMF_X509_SPKI;
730 
/*
 * KMF_X509_TIME
 * Time is represented as a string according to the
 * definitions of GeneralizedTime and UTCTime
 * defined in RFC 2459.
 * timeType is the ASN.1 tag that says which of the two encodings time
 * holds; the string is not guaranteed to be NUL-terminated (bound by
 * time.Length).
 */
typedef struct
{
	uint8_t timeType;
	KMF_DATA time;
} KMF_X509_TIME;
742 
/*
 * KMF_X509_VALIDITY
 * The certificate validity period: the certificate is valid from
 * notBefore up to and including notAfter.
 */
typedef struct
{
	KMF_X509_TIME notBefore;
	KMF_X509_TIME notAfter;
} KMF_X509_VALIDITY;
751 
/*
 *   KMF_X509EXT_BASICCONSTRAINTS
 * Decoded BasicConstraints extension.  cA says whether the subject may
 * act as a CA.  pathLenConstraint is only meaningful when
 * pathLenConstraintPresent is KMF_TRUE; path-building code must check
 * the flag before using the value.
 */
typedef struct
{
	KMF_BOOL cA;
	KMF_BOOL pathLenConstraintPresent;
	uint32_t pathLenConstraint;
} KMF_X509EXT_BASICCONSTRAINTS;
761 
/*
 * KMF_X509EXT_DATA_FORMAT
 * This list defines the valid formats for a certificate extension.
 * It discriminates the value union in KMF_X509_EXTENSION.
 */
typedef enum
{
	KMF_X509_DATAFORMAT_ENCODED = 0,
	KMF_X509_DATAFORMAT_PARSED,
	KMF_X509_DATAFORMAT_PAIR
} KMF_X509EXT_DATA_FORMAT;
772 
773 
/*
 * KMF_X509EXT_TAGandVALUE
 * This structure contains a BER/DER encoded
 * extension value and the type of that value.
 * type is the ASN.1 tag of the encoded value.
 */
typedef struct
{
	uint8_t type;
	KMF_DATA value;
} KMF_X509EXT_TAGandVALUE;
784 
785 
/*
 * KMF_X509EXT_PAIR
 * This structure aggregates two extension representations:
 * a tag and value, and a parsed X509 extension representation.
 * parsedValue is untyped; its actual type depends on the extension's
 * OID and must be known by the code that set it.
 */
typedef struct
{
	KMF_X509EXT_TAGandVALUE tagAndValue;
	void *parsedValue;
} KMF_X509EXT_PAIR;
796 
/*
 * KMF_X509_EXTENSION
 * This structure contains a complete certificate extension.
 * format selects the live member of value (by name: ENCODED ->
 * tagAndValue, PARSED -> parsedValue, PAIR -> valuePair -- confirm
 * against the decoder).  BERvalue keeps the original encoding.
 *
 * NOTE(review): critical is the extension's criticality flag.  X.509
 * requires a relying party to reject a certificate carrying a critical
 * extension it does not understand, so validation code must not ignore
 * unknown extnIds when critical is set.
 */
typedef struct
{
	KMF_OID extnId;
	KMF_BOOL critical;
	KMF_X509EXT_DATA_FORMAT format;
	union
	{
		KMF_X509EXT_TAGandVALUE *tagAndValue;
		void *parsedValue;
		KMF_X509EXT_PAIR *valuePair;
	} value;
	KMF_DATA BERvalue;
} KMF_X509_EXTENSION;
814 
815 
/*
 * KMF_X509_EXTENSIONS
 * This structure contains the set of all certificate
 * extensions contained in a certificate.
 * extensions points to numberOfExtensions elements.
 */
typedef struct
{
	uint32_t numberOfExtensions;
	KMF_X509_EXTENSION *extensions;
} KMF_X509_EXTENSIONS;
826 
/*
 * KMF_X509_TBS_CERT
 * This structure contains the to-be-signed part of an X.509 certificate
 * (everything the signature covers).  The signature itself is carried
 * separately in KMF_X509_CERTIFICATE.  The signature member here is the
 * algorithm identifier that the tbsCertificate claims it was signed
 * with; it should agree with the outer signature algorithm.
 */
typedef struct
{
	KMF_DATA version;
	KMF_BIGINT serialNumber;
	KMF_X509_ALGORITHM_IDENTIFIER signature;
	KMF_X509_NAME issuer;
	KMF_X509_VALIDITY validity;
	KMF_X509_NAME subject;
	KMF_X509_SPKI subjectPublicKeyInfo;
	KMF_DATA issuerUniqueIdentifier;
	KMF_DATA subjectUniqueIdentifier;
	KMF_X509_EXTENSIONS extensions;
} KMF_X509_TBS_CERT;
844 
/*
 * KMF_X509_SIGNATURE
 * This structure contains a cryptographic digital signature.
 * encrypted is the signature value (the BIT STRING contents), named
 * for the historical "encrypted digest" view of RSA signatures.
 */
typedef struct
{
	KMF_X509_ALGORITHM_IDENTIFIER algorithmIdentifier;
	KMF_DATA encrypted;
} KMF_X509_SIGNATURE;
854 
/*
 * KMF_X509_CERTIFICATE
 * This structure associates a set of decoded certificate
 * values with the signature covering those values.
 * Decoding a certificate into this form does not verify it; the
 * signature must still be checked against the issuer's key.
 */
typedef struct
{
	KMF_X509_TBS_CERT certificate;
	KMF_X509_SIGNATURE signature;
} KMF_X509_CERTIFICATE;
865 
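/*
 * CERT_ALG_OID(c)  -- KMF_OID * of the algorithm named inside the
 *                     tbsCertificate (certificate.signature.algorithm)
 * CERT_SIG_OID(c)  -- KMF_OID * of the outer signatureAlgorithm
 *                     (signature.algorithmIdentifier.algorithm)
 * c is a pointer to a KMF_X509_CERTIFICATE.  The argument and the whole
 * expansion are parenthesized so an expression argument is not
 * mis-parsed (the previous form applied -> to only the last operand).
 *
 * NOTE(review): X.509 requires the two identifiers to be the same;
 * verification code should compare them rather than trust either alone.
 */
#define	CERT_ALG_OID(c) (&(c)->certificate.signature.algorithm)
#define	CERT_SIG_OID(c) (&(c)->signature.algorithmIdentifier.algorithm)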
868 
/*
 * KMF_TBS_CSR
 * This structure contains the to-be-signed part of a PKCS#10 certificate
 * request: the requested subject, its public key and any requested
 * extensions.  The request signature is carried in KMF_CSR_DATA.
 */
typedef struct
{
	KMF_DATA version;
	KMF_X509_NAME subject;
	KMF_X509_SPKI subjectPublicKeyInfo;
	KMF_X509_EXTENSIONS extensions;
} KMF_TBS_CSR;
880 
/*
 * KMF_CSR_DATA
 * This structure contains a complete PKCS#10 certificate signing request:
 * the request body and the self-signature made with the requested key.
 * A CA should verify that signature (proof of possession) before issuing.
 */
typedef struct
{
	KMF_TBS_CSR csr;
	KMF_X509_SIGNATURE signature;
} KMF_CSR_DATA;
890 
/*
 * KMF_X509EXT_POLICYQUALIFIERINFO
 * One PolicyQualifierInfo: the qualifier's OID (CPS pointer or user
 * notice; see OID_PKIX_QT_* below) and its encoded value.
 */
typedef struct
{
	KMF_OID policyQualifierId;
	KMF_DATA value;
} KMF_X509EXT_POLICYQUALIFIERINFO;
899 
/*
 * KMF_X509EXT_POLICYQUALIFIERS
 * Array of policy qualifiers; policyQualifier points to
 * numberOfPolicyQualifiers elements.
 */
typedef struct
{
	uint32_t numberOfPolicyQualifiers;
	KMF_X509EXT_POLICYQUALIFIERINFO *policyQualifier;
} KMF_X509EXT_POLICYQUALIFIERS;
908 
/*
 * KMF_X509EXT_POLICYINFO
 * One PolicyInformation entry of the CertificatePolicies extension:
 * the policy OID and its qualifiers.
 */
typedef struct
{
	KMF_OID policyIdentifier;
	KMF_X509EXT_POLICYQUALIFIERS policyQualifiers;
} KMF_X509EXT_POLICYINFO;
917 
/*
 * KMF_X509EXT_CERT_POLICIES
 * Decoded CertificatePolicies extension; policyInfo points to
 * numberOfPolicyInfo elements.
 */
typedef struct
{
	uint32_t numberOfPolicyInfo;
	KMF_X509EXT_POLICYINFO *policyInfo;
} KMF_X509EXT_CERT_POLICIES;
923 
/*
 * KMF_X509EXT_KEY_USAGE
 * Decoded KeyUsage extension: the criticality flag and the usage bits
 * packed into a 16-bit mask.  The bit assignment is not defined in this
 * header -- see the decoder before testing individual bits.
 */
typedef struct
{
	uchar_t critical;
	uint16_t KeyUsageBits;
} KMF_X509EXT_KEY_USAGE;
929 
/*
 * KMF_X509EXT_EKU
 * Decoded ExtendedKeyUsage extension: keyPurposeIdList points to nEKUs
 * key-purpose OIDs (see OID_PKIX_KP below).
 */
typedef struct
{
	uchar_t		critical;
	uint16_t	nEKUs;
	KMF_OID	*keyPurposeIdList;
} KMF_X509EXT_EKU;
936 
937 
/*
 * X509 AuthorityInfoAccess extension
 *
 * KMF_X509EXT_ACCESSDESC
 * One AccessDescription: the access method OID (OCSP or caIssuers, see
 * OID_PKIX_AD_* below) and the encoded location, typically a URI.  The
 * location comes from the certificate and is untrusted; anything that
 * connects to it should validate the scheme and host it names.
 */
typedef struct
{
	KMF_OID AccessMethod;
	KMF_DATA AccessLocation;
} KMF_X509EXT_ACCESSDESC;
946 
/*
 * KMF_X509EXT_AUTHINFOACCESS
 * Decoded AuthorityInfoAccess extension; AccessDesc points to
 * numberOfAccessDescription elements.
 */
typedef struct
{
	uint32_t numberOfAccessDescription;
	KMF_X509EXT_ACCESSDESC *AccessDesc;
} KMF_X509EXT_AUTHINFOACCESS;
952 
953 
/*
 * X509 Crl Distribution Point extension
 *
 * KMF_GENERALNAME
 * One GeneralName: choice says which alternative (see
 * KMF_GENERALNAMECHOICES) and name holds its encoded bytes.
 */
typedef struct {
	KMF_GENERALNAMECHOICES	choice;
	KMF_DATA		name;
} KMF_GENERALNAME;
961 
/*
 * KMF_GENERALNAMES
 * Array of GeneralName; namelist points to number elements.
 */
typedef struct {
	uint32_t	number;
	KMF_GENERALNAME *namelist;
} KMF_GENERALNAMES;
966 
/*
 * KMF_CRL_DIST_POINT_TYPE
 * Which form a DistributionPointName takes: a full GeneralNames list or
 * a name relative to the CRL issuer.  Discriminates KMF_CRL_DIST_POINT.
 */
typedef enum  {
	DP_GENERAL_NAME = 1,
	DP_RELATIVE_NAME = 2
} KMF_CRL_DIST_POINT_TYPE;
971 
/*
 * KMF_CRL_DIST_POINT
 * One DistributionPoint.  type selects the live member of name
 * (DP_GENERAL_NAME -> full_name, DP_RELATIVE_NAME -> relative_name).
 * reasons holds the encoded ReasonFlags and crl_issuer the cRLIssuer
 * names.  Locations named here come from the certificate and are
 * untrusted input for any code that fetches a CRL from them.
 */
typedef struct {
	KMF_CRL_DIST_POINT_TYPE type;
	union {
		KMF_GENERALNAMES full_name;
		KMF_DATA relative_name;
	} name;
	KMF_DATA reasons;
	KMF_GENERALNAMES crl_issuer;
} KMF_CRL_DIST_POINT;
981 
/*
 * KMF_X509EXT_CRLDISTPOINTS
 * Decoded CRLDistributionPoints extension; dplist points to number
 * elements.
 */
typedef struct {
	uint32_t number;
	KMF_CRL_DIST_POINT *dplist;
} KMF_X509EXT_CRLDISTPOINTS;
986 
987 
/*
 * Definitions for common X.509v3 certificate attribute OIDs
 *
 * Each OID_* macro expands to a comma-separated list of the OID's DER
 * content bytes, suitable for a brace initializer.  The first two arcs
 * are packed into one byte as 40*arc1 + arc2, which is why the roots
 * below read 42 (1.2), 43 (1.3), 85 (2.5) and 96 (2.16).  The matching
 * *_LENGTH macros give the number of bytes in that list.
 */
#define	OID_ISO_MEMBER	42	/* Also in PKCS */
#define	OID_US	OID_ISO_MEMBER, 134, 72 /* Also in PKCS */
#define	OID_CA	OID_ISO_MEMBER, 124

#define	OID_ISO_IDENTIFIED_ORG 43
#define	OID_OSINET	OID_ISO_IDENTIFIED_ORG, 4
#define	OID_GOSIP	OID_ISO_IDENTIFIED_ORG, 5
#define	OID_DOD	OID_ISO_IDENTIFIED_ORG, 6
#define	OID_OIW	OID_ISO_IDENTIFIED_ORG, 14 /* Also in x9.57 */

#define	OID_ISO_CCITT_DIR_SERVICE 85
#define	OID_ISO_CCITT_COUNTRY	96
#define	OID_COUNTRY_US	OID_ISO_CCITT_COUNTRY, 134, 72
#define	OID_COUNTRY_CA	OID_ISO_CCITT_COUNTRY, 124
#define	OID_COUNTRY_US_ORG	OID_COUNTRY_US, 1
#define	OID_COUNTRY_US_MHS_MD	OID_COUNTRY_US, 2
#define	OID_COUNTRY_US_STATE	OID_COUNTRY_US, 3
1008 
/* From the PKCS Standards */
/*
 * OID_RSA is 1.2.840.113549 (rsadsi); OID_PKCS = rsadsi 1, and the
 * OID_PKCS_n arcs are the individual PKCS standards under it.  Only
 * some arcs have a *_LENGTH macro; a caller that needs the length of an
 * arc without one must count the list itself.
 */
#define	OID_ISO_MEMBER_LENGTH 1
#define	OID_US_LENGTH	(OID_ISO_MEMBER_LENGTH + 2)

#define	OID_RSA	OID_US, 134, 247, 13
#define	OID_RSA_LENGTH	(OID_US_LENGTH + 3)

#define	OID_RSA_HASH	OID_RSA, 2
#define	OID_RSA_HASH_LENGTH   (OID_RSA_LENGTH + 1)

#define	OID_RSA_ENCRYPT	OID_RSA, 3
#define	OID_RSA_ENCRYPT_LENGTH (OID_RSA_LENGTH + 1)

#define	OID_PKCS	OID_RSA, 1
#define	OID_PKCS_LENGTH	(OID_RSA_LENGTH + 1)

#define	OID_PKCS_1	OID_PKCS, 1
#define	OID_PKCS_1_LENGTH	(OID_PKCS_LENGTH + 1)

#define	OID_PKCS_2	OID_PKCS, 2
#define	OID_PKCS_3	OID_PKCS, 3
#define	OID_PKCS_3_LENGTH	(OID_PKCS_LENGTH + 1)

#define	OID_PKCS_4	OID_PKCS, 4
#define	OID_PKCS_5	OID_PKCS, 5
#define	OID_PKCS_5_LENGTH	(OID_PKCS_LENGTH + 1)
#define	OID_PKCS_6	OID_PKCS, 6
#define	OID_PKCS_7	OID_PKCS, 7
#define	OID_PKCS_7_LENGTH	(OID_PKCS_LENGTH + 1)

/* PKCS#7 content types, { pkcs-7 n } */
#define	OID_PKCS_7_Data			OID_PKCS_7, 1
#define	OID_PKCS_7_SignedData		OID_PKCS_7, 2
#define	OID_PKCS_7_EnvelopedData	OID_PKCS_7, 3
#define	OID_PKCS_7_SignedAndEnvelopedData	OID_PKCS_7, 4
#define	OID_PKCS_7_DigestedData		OID_PKCS_7, 5
#define	OID_PKCS_7_EncryptedData	OID_PKCS_7, 6

#define	OID_PKCS_8	OID_PKCS, 8
#define	OID_PKCS_9	OID_PKCS, 9
#define	OID_PKCS_9_LENGTH	(OID_PKCS_LENGTH + 1)

/* PKCS#9 attribute types, { pkcs-9 n } */
#define	OID_PKCS_9_CONTENT_TYPE		OID_PKCS_9, 3
#define	OID_PKCS_9_MESSAGE_DIGEST	OID_PKCS_9, 4
#define	OID_PKCS_9_SIGNING_TIME		OID_PKCS_9, 5
#define	OID_PKCS_9_COUNTER_SIGNATURE	OID_PKCS_9, 6
#define	OID_PKCS_9_EXTENSION_REQUEST	OID_PKCS_9, 14

#define	OID_PKCS_10	OID_PKCS, 10

#define	OID_PKCS_12	OID_PKCS, 12
#define	OID_PKCS_12_LENGTH	(OID_PKCS_LENGTH + 1)

/*
 * PKCS#12 password-based encryption schemes, { pkcs-12 1 n }.
 * NOTE(review): all of these are built on RC4, RC2 or DES; they remain
 * here to read existing PKCS#12 files and are not a good choice for
 * protecting newly exported keys.
 */
#define	PBEWithSHAAnd128BitRC4	OID_PKCS_12, 1, 1
#define	PBEWithSHAAnd40BitRC4	OID_PKCS_12, 1, 2
#define	PBEWithSHAAnd3KeyTripleDES_CBC	OID_PKCS_12, 1, 3
#define	PBEWithSHAAnd2KeyTripleDES_CBC	OID_PKCS_12, 1, 4
#define	PBEWithSHAAnd128BitRC2_CBC	OID_PKCS_12, 1, 5
#define	PBEWithSHAAnd40BitRC2_CBC	OID_PKCS_12, 1, 6

/* PKCS#12 bag types, { pkcs-12 10 1 n } */
#define	OID_BAG_TYPES		OID_PKCS_12, 10, 1
#define	OID_KeyBag		OID_BAG_TYPES, 1
#define	OID_PKCS8ShroudedKeyBag	OID_BAG_TYPES, 2
#define	OID_CertBag		OID_BAG_TYPES, 3
#define	OID_CrlBag		OID_BAG_TYPES, 4
#define	OID_SecretBag		OID_BAG_TYPES, 5
#define	OID_SafeContentsBag	OID_BAG_TYPES, 6

#define	OID_ContentInfo		OID_PKCS_7, 0, 1

/* certificate and CRL types carried in PKCS#12 bags, { pkcs-9 22/23 n } */
#define	OID_CERT_TYPES		OID_PKCS_9, 22
#define	OID_x509Certificate	OID_CERT_TYPES, 1
#define	OID_sdsiCertificate	OID_CERT_TYPES, 2

#define	OID_CRL_TYPES		OID_PKCS_9, 23
#define	OID_x509Crl		OID_CRL_TYPES, 1

/* X.500 directory arcs under 2.5 */
#define	OID_DS	OID_ISO_CCITT_DIR_SERVICE /* Also in X.501 */
#define	OID_DS_LENGTH	1

#define	OID_ATTR_TYPE	OID_DS, 4	/* Also in X.501 */
#define	OID_ATTR_TYPE_LENGTH  (OID_DS_LENGTH + 1)

#define	OID_DSALG	OID_DS, 8	/* Also in X.501 */
#define	OID_DSALG_LENGTH	(OID_DS_LENGTH + 1)

#define	OID_EXTENSION	OID_DS, 29	/* Also in X.501 */
#define	OID_EXTENSION_LENGTH  (OID_DS_LENGTH + 1)
1096 
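/*
 * From RFC 1274:
 * {itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100) pilotAttributeType(1) }
 * Listed as DER content bytes: 0.9 packs into 0x09, and 2342 and
 * 19200300 are base-128 encoded (two and four bytes), giving nine bytes.
 */
#define	OID_PILOT	0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x1
#define	OID_PILOT_LENGTH	9

/*
 * userid is { pilotAttributeType 1 }.  The comma separating the arc from
 * OID_PILOT was missing, which made every expansion of OID_USERID a
 * syntax error (and the list one byte shorter than OID_USERID_LENGTH).
 */
#define	OID_USERID		OID_PILOT, 1
#define	OID_USERID_LENGTH	(OID_PILOT_LENGTH + 1)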
1106 
/*
 * From PKIX part1
 * { iso(1) identified-organization(3) dod(6) internet(1)
 *   security(5) mechanisms(5) pkix(7) }
 */
#define	OID_PKIX	43, 6, 1, 5, 5, 7
#define	OID_PKIX_LENGTH	6

/* private certificate extensions, { id-pkix 1 } */
#define	OID_PKIX_PE	OID_PKIX, 1
#define	OID_PKIX_PE_LENGTH   (OID_PKIX_LENGTH + 1)

/* policy qualifier types {id-pkix 2 } */
#define	OID_PKIX_QT	OID_PKIX, 2
#define	OID_PKIX_QT_LENGTH   (OID_PKIX_LENGTH + 1)

/* CPS qualifier, { id-qt 1 } */
#define	OID_PKIX_QT_CPS	OID_PKIX_QT, 1
#define	OID_PKIX_QT_CPS_LENGTH (OID_PKIX_QT_LENGTH + 1)
/* user notice qualifier, { id-qt 2 } */
#define	OID_PKIX_QT_UNOTICE  OID_PKIX_QT, 2
#define	OID_PKIX_QT_UNOTICE_LENGTH (OID_PKIX_QT_LENGTH + 1)

/* extended key purpose OIDs {id-pkix 3 } */
#define	OID_PKIX_KP	OID_PKIX, 3
#define	OID_PKIX_KP_LENGTH   (OID_PKIX_LENGTH + 1)

/*
 * access descriptors (id-ad), { id-pkix 48 }.
 * The value is 48, not 4 as an earlier comment said; 48 is the id-ad arc
 * that id-ad-ocsp and id-ad-caIssuers hang off.
 */
#define	OID_PKIX_AD	OID_PKIX, 48
#define	OID_PKIX_AD_LENGTH   (OID_PKIX_LENGTH + 1)

/* access descriptors */
/* OCSP, { id-ad 1 } */
#define	OID_PKIX_AD_OCSP	OID_PKIX_AD, 1
#define	OID_PKIX_AD_OCSP_LENGTH (OID_PKIX_AD_LENGTH + 1)

/* cAIssuers, { id-ad 2 } */
#define	OID_PKIX_AD_CAISSUERS OID_PKIX_AD, 2
#define	OID_PKIX_AD_CAISSUERS_LENGTH (OID_PKIX_AD_LENGTH + 1)

/* end PKIX part1 */
1147 /* end PKIX part1 */
1148 #define	OID_APPL_TCP_PROTO   43, 6, 1, 2, 1, 27, 4
1149 #define	OID_APPL_TCP_PROTO_LENGTH   8
1150 
1151 #define	OID_DAP	OID_DS, 3, 1
1152 #define	OID_DAP_LENGTH	(OID_DS_LENGTH + 2)
1153 
1154 /* From x9.57 */
1155 #define	OID_OIW_LENGTH	2
1156 
1157 #define	OID_OIW_SECSIG	OID_OIW, 3
1158 #define	OID_OIW_SECSIG_LENGTH (OID_OIW_LENGTH + 1)
1159 
1160 #define	OID_OIW_ALGORITHM	OID_OIW_SECSIG, 2
1161 #define	OID_OIW_ALGORITHM_LENGTH (OID_OIW_SECSIG_LENGTH + 1)
1162 
1163 #define	OID_OIWDIR	OID_OIW, 7, 2
1164 #define	OID_OIWDIR_LENGTH    (OID_OIW_LENGTH + 2)
1165 
1166 #define	OID_OIWDIR_CRPT	OID_OIWDIR, 1
1167 
1168 #define	OID_OIWDIR_HASH	OID_OIWDIR, 2
1169 #define	OID_OIWDIR_HASH_LENGTH (OID_OIWDIR_LENGTH + 1)
1170 
1171 #define	OID_OIWDIR_SIGN	OID_OIWDIR, 3
1172 #define	OID_OIWDIR_SIGN_LENGTH (OID_OIWDIR_LENGTH + 1)
1173 
1174 #define	OID_X9CM	OID_US, 206, 56
1175 #define	OID_X9CM_MODULE	OID_X9CM, 1
1176 #define	OID_X9CM_INSTRUCTION OID_X9CM, 2
1177 #define	OID_X9CM_ATTR	OID_X9CM, 3
1178 #define	OID_X9CM_X9ALGORITHM OID_X9CM, 4
1179 #define	OID_X9CM_X9ALGORITHM_LENGTH ((OID_US_LENGTH) + 2 + 1)
1180 
/*
 * Intel enterprise arc, 2.16.840.1.113741: 96 encodes the leading arcs
 * 2.16 (2 * 40 + 16), 134,72 encodes 840, and 134,248,77 encodes 113741.
 * Seven encoded bytes, matching INTEL_LENGTH.
 */
#define	INTEL	96, 134, 72, 1, 134, 248, 77
#define	INTEL_LENGTH 7
1183 
/*
 * Intel CDSA security sub-arcs.  Both build on INTEL_CDSASECURITY and
 * INTEL_CDSASECURITY_LENGTH, which must be defined earlier in this header.
 * SEC_FORMATS appends one arc (+ 1); SEC_ALGS appends two (+ 2).
 */
#define	INTEL_SEC_FORMATS	INTEL_CDSASECURITY, 1
#define	INTEL_SEC_FORMATS_LENGTH	(INTEL_CDSASECURITY_LENGTH + 1)

#define	INTEL_SEC_ALGS	INTEL_CDSASECURITY, 2, 5
#define	INTEL_SEC_ALGS_LENGTH	(INTEL_CDSASECURITY_LENGTH + 2)
1189 
/*
 * Pre-encoded attribute type OIDs: X.500 name components (CommonName,
 * CountryName, OrganizationName, ...), directory attributes, and PKCS#9
 * attribute types (ContentType, MessageDigest, SigningTime,
 * ChallengePassword, ExtensionRequest, ...).
 *
 * These are declared const and defined once inside the library.  Callers
 * compare against them (e.g. when walking an X.509 Name); they must never
 * write through the Data pointer of one of these KMF_OIDs nor free it.
 */
extern const KMF_OID
KMFOID_AliasedEntryName,
KMFOID_AuthorityRevocationList,
KMFOID_BusinessCategory,
KMFOID_CACertificate,
KMFOID_CertificateRevocationList,
KMFOID_ChallengePassword,
KMFOID_CollectiveFacsimileTelephoneNumber,
KMFOID_CollectiveInternationalISDNNumber,
KMFOID_CollectiveOrganizationName,
KMFOID_CollectiveOrganizationalUnitName,
KMFOID_CollectivePhysicalDeliveryOfficeName,
KMFOID_CollectivePostOfficeBox,
KMFOID_CollectivePostalAddress,
KMFOID_CollectivePostalCode,
KMFOID_CollectiveStateProvinceName,
KMFOID_CollectiveStreetAddress,
KMFOID_CollectiveTelephoneNumber,
KMFOID_CollectiveTelexNumber,
KMFOID_CollectiveTelexTerminalIdentifier,
KMFOID_CommonName,
KMFOID_ContentType,
KMFOID_CounterSignature,
KMFOID_CountryName,
KMFOID_CrossCertificatePair,
KMFOID_DNQualifier,
KMFOID_Description,
KMFOID_DestinationIndicator,
KMFOID_DistinguishedName,
KMFOID_EmailAddress,
KMFOID_EnhancedSearchGuide,
KMFOID_ExtendedCertificateAttributes,
KMFOID_ExtensionRequest,
KMFOID_FacsimileTelephoneNumber,
KMFOID_GenerationQualifier,
KMFOID_GivenName,
KMFOID_HouseIdentifier,
KMFOID_Initials,
KMFOID_InternationalISDNNumber,
KMFOID_KnowledgeInformation,
KMFOID_LocalityName,
KMFOID_Member,
KMFOID_MessageDigest,
KMFOID_Name,
KMFOID_ObjectClass,
KMFOID_OrganizationName,
KMFOID_OrganizationalUnitName,
KMFOID_Owner,
KMFOID_PhysicalDeliveryOfficeName,
KMFOID_PostOfficeBox,
KMFOID_PostalAddress,
KMFOID_PostalCode,
KMFOID_PreferredDeliveryMethod,
KMFOID_PresentationAddress,
KMFOID_ProtocolInformation,
KMFOID_RFC822mailbox,
KMFOID_RegisteredAddress,
KMFOID_RoleOccupant,
KMFOID_SearchGuide,
KMFOID_SeeAlso,
KMFOID_SerialNumber,
KMFOID_SigningTime,
KMFOID_StateProvinceName,
KMFOID_StreetAddress,
KMFOID_SupportedApplicationContext,
KMFOID_Surname,
KMFOID_TelephoneNumber,
KMFOID_TelexNumber,
KMFOID_TelexTerminalIdentifier,
KMFOID_Title,
KMFOID_UniqueIdentifier,
KMFOID_UniqueMember,
KMFOID_UnstructuredAddress,
KMFOID_UnstructuredName,
KMFOID_UserCertificate,
KMFOID_UserPassword,
KMFOID_X_121Address,
KMFOID_domainComponent,
KMFOID_userid;
1269 
/*
 * Pre-encoded OIDs for certificate and CRL extensions, PKIX policy
 * qualifiers (CPS URI, user notice), extended key purposes, access
 * descriptors, and public-key / signature / digest algorithms.  Like the
 * attribute OIDs above they are const, defined once in the library, and
 * must only ever be read.
 *
 * Security notes:
 *  - KMFOID_MD2WithRSA, KMFOID_MD5WithRSA, KMFOID_SHA1, KMFOID_SHA1WithRSA,
 *    KMFOID_SHA1WithDSA, KMFOID_OIW_DSAWithSHA1 and KMFOID_X9CM_DSAWithSHA1
 *    identify algorithms built on MD2, MD5 or SHA-1, none of which is
 *    collision resistant any more.  They exist so legacy encodings can be
 *    recognised; whether a validation path accepts a signature made with
 *    them is a policy decision of the verifying code, not of this header.
 *  - Two authority-key-identifier OIDs are declared, KMFOID_AuthorityKeyID
 *    and KMFOID_AuthorityKeyIdentifier.  Which one carries the obsolete
 *    { id-ce 1 } encoding and which the current { id-ce 35 } encoding is
 *    not visible here; check the definitions before matching on either.
 */
extern const KMF_OID
KMFOID_AuthorityKeyID,
KMFOID_AuthorityInfoAccess,
KMFOID_VerisignCertificatePolicy,
KMFOID_KeyUsageRestriction,
KMFOID_SubjectDirectoryAttributes,
KMFOID_SubjectKeyIdentifier,
KMFOID_KeyUsage,
KMFOID_PrivateKeyUsagePeriod,
KMFOID_SubjectAltName,
KMFOID_IssuerAltName,
KMFOID_BasicConstraints,
KMFOID_CrlNumber,
KMFOID_CrlReason,
KMFOID_HoldInstructionCode,
KMFOID_InvalidityDate,
KMFOID_DeltaCrlIndicator,
KMFOID_IssuingDistributionPoints,
KMFOID_NameConstraints,
KMFOID_CrlDistributionPoints,
KMFOID_CertificatePolicies,
KMFOID_PolicyMappings,
KMFOID_PolicyConstraints,
KMFOID_AuthorityKeyIdentifier,
KMFOID_ExtendedKeyUsage,
KMFOID_PkixAdOcsp,
KMFOID_PkixAdCaIssuers,
KMFOID_PKIX_PQ_CPSuri,
KMFOID_PKIX_PQ_Unotice,
KMFOID_PKIX_KP_ServerAuth,
KMFOID_PKIX_KP_ClientAuth,
KMFOID_PKIX_KP_CodeSigning,
KMFOID_PKIX_KP_EmailProtection,
KMFOID_PKIX_KP_IPSecEndSystem,
KMFOID_PKIX_KP_IPSecTunnel,
KMFOID_PKIX_KP_IPSecUser,
KMFOID_PKIX_KP_TimeStamping,
KMFOID_PKIX_KP_OCSPSigning,
KMFOID_SHA1,
KMFOID_RSA,
KMFOID_DSA,
KMFOID_MD5WithRSA,
KMFOID_MD2WithRSA,
KMFOID_SHA1WithRSA,
KMFOID_SHA1WithDSA,
KMFOID_OIW_DSAWithSHA1,
KMFOID_X9CM_DSA,
KMFOID_X9CM_DSAWithSHA1;
1318 
1319 /*
1320  * KMF Certificate validation codes.  These may be masked together.
1321  */
1322 #define	KMF_CERT_VALIDATE_OK		0x00
1323 #define	KMF_CERT_VALIDATE_ERR_TA	0x01
1324 #define	KMF_CERT_VALIDATE_ERR_USER	0x02
1325 #define	KMF_CERT_VALIDATE_ERR_SIGNATURE	0x04
1326 #define	KMF_CERT_VALIDATE_ERR_KEYUSAGE	0x08
1327 #define	KMF_CERT_VALIDATE_ERR_EXT_KEYUSAGE	0x10
1328 #define	KMF_CERT_VALIDATE_ERR_TIME	0x20
1329 #define	KMF_CERT_VALIDATE_ERR_CRL	0x40
1330 #define	KMF_CERT_VALIDATE_ERR_OCSP	0x80
1331 #define	KMF_CERT_VALIDATE_ERR_ISSUER	0x100
1332 
1333 /*
1334  * KMF Key Usage bitmasks
1335  */
1336 #define	KMF_digitalSignature	0x8000
1337 #define	KMF_nonRepudiation	0x4000
1338 #define	KMF_keyEncipherment	0x2000
1339 #define	KMF_dataEncipherment	0x1000
1340 #define	KMF_keyAgreement	0x0800
1341 #define	KMF_keyCertSign		0x0400
1342 #define	KMF_cRLSign		0x0200
1343 #define	KMF_encipherOnly	0x0100
1344 #define	KMF_decipherOnly	0x0080
1345 
1346 #define	KMF_KUBITMASK 0xFF80
1347 
1348 /*
1349  * KMF Extended KeyUsage OID definitions
1350  */
1351 #define	KMF_EKU_SERVERAUTH			0x01
1352 #define	KMF_EKU_CLIENTAUTH			0x02
1353 #define	KMF_EKU_CODESIGNING			0x04
1354 #define	KMF_EKU_EMAIL				0x08
1355 #define	KMF_EKU_TIMESTAMP			0x10
1356 #define	KMF_EKU_OCSPSIGNING			0x20
1357 
1358 
1359 #ifdef __cplusplus
1360 }
1361 #endif
1362 #endif /* _KMFTYPES_H */
1363