1/* 2 * The contents of this file are subject to the Mozilla Public 3 * License Version 1.1 (the "License"); you may not use this file 4 * except in compliance with the License. You may obtain a copy of 5 * the License at http://www.mozilla.org/MPL/ 6 * 7 * Software distributed under the License is distributed on an "AS 8 * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or 9 * implied. See the License for the specific language governing 10 * rights and limitations under the License. 11 * 12 * The Original Code is the Netscape security libraries. 13 * 14 * The Initial Developer of the Original Code is Netscape 15 * Communications Corporation. Portions created by Netscape are 16 * Copyright (C) 1994-2000 Netscape Communications Corporation. All 17 * Rights Reserved. 18 * 19 * Contributor(s): 20 * 21 * Alternatively, the contents of this file may be used under the 22 * terms of the GNU General Public License Version 2 or later (the 23 * "GPL"), in which case the provisions of the GPL are applicable 24 * instead of those above. If you wish to allow use of your 25 * version of this file only under the terms of the GPL and not to 26 * allow others to use your version of this file under the MPL, 27 * indicate your decision by deleting the provisions above and 28 * replace them with the notice and other provisions required by 29 * the GPL. If you do not delete the provisions above, a recipient 30 * may use your version of this file under either the MPL or the 31 * GPL. 32 */ 33 34#include "secoid.h" 35#include "secitem.h" 36#include "plhash.h" 37 38#include <security_asn1/secerr.h> 39#include <Security/cssmapple.h> 40#include <pthread.h> 41 42#pragma clang diagnostic push 43#pragma clang diagnostic ignored "-Wunused-const-variable" 44 45/* MISSI Mosaic Object ID space */ 46#define USGOV 0x60, 0x86, 0x48, 0x01, 0x65 47#define MISSI USGOV, 0x02, 0x01, 0x01 48#define MISSI_OLD_KEA_DSS MISSI, 0x0c 49#define MISSI_OLD_DSS MISSI, 0x02 50#define MISSI_KEA_DSS MISSI, 0x14 51#define MISSI_DSS MISSI, 0x13 52#define MISSI_KEA MISSI, 0x0a 53#define MISSI_ALT_KEA MISSI, 0x16 54 55#define NISTALGS USGOV, 3, 4 56#define AES NISTALGS, 1 57#define SHAXXX NISTALGS, 2 58 59/** 60 ** The Netscape OID space is allocated by Terry Hayes. If you need 61 ** a piece of the space, contact him at thayes@netscape.com. 62 **/ 63 64/* Netscape Communications Corporation Object ID space */ 65/* { 2 16 840 1 113730 } */ 66#define NETSCAPE_OID 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42 67#define NETSCAPE_CERT_EXT NETSCAPE_OID, 0x01 68#define NETSCAPE_DATA_TYPE NETSCAPE_OID, 0x02 69/* netscape directory oid - owned by Mark Smith (mcs@netscape.com) */ 70#define NETSCAPE_DIRECTORY NETSCAPE_OID, 0x03 71#define NETSCAPE_POLICY NETSCAPE_OID, 0x04 72#define NETSCAPE_CERT_SERVER NETSCAPE_OID, 0x05 73#define NETSCAPE_ALGS NETSCAPE_OID, 0x06 /* algorithm OIDs */ 74#define NETSCAPE_NAME_COMPONENTS NETSCAPE_OID, 0x07 75 76#define NETSCAPE_CERT_EXT_AIA NETSCAPE_CERT_EXT, 0x10 77#define NETSCAPE_CERT_SERVER_CRMF NETSCAPE_CERT_SERVER, 0x01 78 79/* these are old and should go away soon */ 80#define OLD_NETSCAPE 0x60, 0x86, 0x48, 0xd8, 0x6a 81#define NS_CERT_EXT OLD_NETSCAPE, 0x01 82#define NS_FILE_TYPE OLD_NETSCAPE, 0x02 83#define NS_IMAGE_TYPE OLD_NETSCAPE, 0x03 84 85/* RSA OID name space */ 86#define RSADSI 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d 87#define PKCS RSADSI, 0x01 88#define DIGEST RSADSI, 0x02 89#define CIPHER RSADSI, 0x03 90#define PKCS1 PKCS, 0x01 91#define PKCS5 PKCS, 0x05 92#define PKCS7 PKCS, 0x07 93#define PKCS9 PKCS, 0x09 94#define PKCS12 PKCS, 0x0c 95 96/* Fortezza algorithm OID space: { 2 16 840 1 101 2 1 1 } */ 97/* ### mwelch -- Is this just for algorithms, or all of Fortezza? */ 98#define FORTEZZA_ALG 0x60, 0x86, 0x48, 0x01, 0x65, 0x02, 0x01, 0x01 99 100/* Other OID name spaces */ 101#define ALGORITHM 0x2b, 0x0e, 0x03, 0x02 102#define X500 0x55 103#define X520_ATTRIBUTE_TYPE X500, 0x04 104#define X500_ALG X500, 0x08 105#define X500_ALG_ENCRYPTION X500_ALG, 0x01 106 107/** X.509 v3 Extension OID 108 ** {joint-iso-ccitt (2) ds(5) 29} 109 **/ 110#define ID_CE_OID X500, 0x1d 111 112#define RFC1274_ATTR_TYPE 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x1 113/* #define RFC2247_ATTR_TYPE 0x09, 0x92, 0x26, 0xf5, 0x98, 0x1e, 0x64, 0x1 this is WRONG! */ 114 115/* PKCS #12 name spaces */ 116#define PKCS12_MODE_IDS PKCS12, 0x01 117#define PKCS12_ESPVK_IDS PKCS12, 0x02 118#define PKCS12_BAG_IDS PKCS12, 0x03 119#define PKCS12_CERT_BAG_IDS PKCS12, 0x04 120#define PKCS12_OIDS PKCS12, 0x05 121#define PKCS12_PBE_IDS PKCS12_OIDS, 0x01 122#define PKCS12_ENVELOPING_IDS PKCS12_OIDS, 0x02 123#define PKCS12_SIGNATURE_IDS PKCS12_OIDS, 0x03 124#define PKCS12_V2_PBE_IDS PKCS12, 0x01 125#define PKCS9_CERT_TYPES PKCS9, 0x16 126#define PKCS9_CRL_TYPES PKCS9, 0x17 127#define PKCS9_SMIME_IDS PKCS9, 0x10 128#define PKCS9_SMIME_CTYPE PKCS9_SMIME_IDS, 1 129#define PKCS9_SMIME_ATTRS PKCS9_SMIME_IDS, 2 130#define PKCS9_SMIME_ALGS PKCS9_SMIME_IDS, 3 131#define PKCS12_VERSION1 PKCS12, 0x0a 132#define PKCS12_V1_BAG_IDS PKCS12_VERSION1, 1 133 134/* for DSA algorithm */ 135/* { iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) } */ 136#define ANSI_X9_ALGORITHM 0x2a, 0x86, 0x48, 0xce, 0x38, 0x4 137 138/* for DH algorithm */ 139/* { iso(1) member-body(2) us(840) x9-57(10046) number-type(2) } */ 140/* need real OID person to look at this, copied the above line 141 * and added 6 to second to last value (and changed '4' to '2' */ 142#define ANSI_X942_ALGORITHM 0x2a, 0x86, 0x48, 0xce, 0x3e, 0x2 143 144#define VERISIGN 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x45 145 146#define PKIX 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07 147#define PKIX_CERT_EXTENSIONS PKIX, 1 148#define PKIX_POLICY_QUALIFIERS PKIX, 2 149#define PKIX_KEY_USAGE PKIX, 3 150#define PKIX_ACCESS_DESCRIPTION PKIX, 0x30 151#define PKIX_OCSP PKIX_ACCESS_DESCRIPTION, 1 152 153#define PKIX_ID_PKIP PKIX, 5 154#define PKIX_ID_REGCTRL PKIX_ID_PKIP, 1 155#define PKIX_ID_REGINFO PKIX_ID_PKIP, 2 156 157/* Microsoft Object ID space */ 158/* { 1.3.6.1.4.1.311 } */ 159#define MICROSOFT_OID 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37 160 161/* ECDSA OIDs from X9.62 */ 162#define ANSI_X9_62 0x2A, 0x86, 0x48, 0xCE, 0x3D 163#define ANSI_X9_62_FIELD_TYPE ANSI_X9_62, 1 164#define ANSI_X9_62_PUBKEY_TYPE ANSI_X9_62, 2 165#define ANSI_X9_62_SIG_TYPE ANSI_X9_62, 4 166 167/* X9.63 schemes */ 168#define ANSI_X9_63 0x2B, 0x81, 0x05, 0x10, 0x86, 0x48, 0x3F 169#define ANSI_X9_63_SCHEME ANSI_X9_63, 0 170 171/* ECDH curves */ 172#define CERTICOM_ELL_CURVE 0x2B, 0x81, 0x04, 0x00 173 174#define CONST_OID static const unsigned char 175 176CONST_OID md2[] = { DIGEST, 0x02 }; 177CONST_OID md4[] = { DIGEST, 0x04 }; 178CONST_OID md5[] = { DIGEST, 0x05 }; 179 180CONST_OID rc2cbc[] = { CIPHER, 0x02 }; 181CONST_OID rc4[] = { CIPHER, 0x04 }; 182CONST_OID desede3cbc[] = { CIPHER, 0x07 }; 183CONST_OID rc5cbcpad[] = { CIPHER, 0x09 }; 184 185CONST_OID desecb[] = { ALGORITHM, 0x06 }; 186CONST_OID descbc[] = { ALGORITHM, 0x07 }; 187CONST_OID desofb[] = { ALGORITHM, 0x08 }; 188CONST_OID descfb[] = { ALGORITHM, 0x09 }; 189CONST_OID desmac[] = { ALGORITHM, 0x0a }; 190CONST_OID sdn702DSASignature[] = { ALGORITHM, 0x0c }; 191CONST_OID isoSHAWithRSASignature[] = { ALGORITHM, 0x0f }; 192CONST_OID desede[] = { ALGORITHM, 0x11 }; 193CONST_OID sha1[] = { ALGORITHM, 0x1a }; 194CONST_OID bogusDSASignaturewithSHA1Digest[] = { ALGORITHM, 0x1b }; 195 196CONST_OID pkcs1RSAEncryption[] = { PKCS1, 0x01 }; 197CONST_OID pkcs1MD2WithRSAEncryption[] = { PKCS1, 0x02 }; 198CONST_OID pkcs1MD4WithRSAEncryption[] = { PKCS1, 0x03 }; 199CONST_OID pkcs1MD5WithRSAEncryption[] = { PKCS1, 0x04 }; 200CONST_OID pkcs1SHA1WithRSAEncryption[] = { PKCS1, 0x05 }; 201CONST_OID pkcs1SHA256WithRSAEncryption[] = { PKCS1, 11 }; 202CONST_OID pkcs1SHA384WithRSAEncryption[] = { PKCS1, 12 }; 203CONST_OID pkcs1SHA512WithRSAEncryption[] = { PKCS1, 13 }; 204 205CONST_OID pkcs5PbeWithMD2AndDEScbc[] = { PKCS5, 0x01 }; 206CONST_OID pkcs5PbeWithMD5AndDEScbc[] = { PKCS5, 0x03 }; 207CONST_OID pkcs5PbeWithSha1AndDEScbc[] = { PKCS5, 0x0a }; 208 209CONST_OID pkcs7[] = { PKCS7 }; 210CONST_OID pkcs7Data[] = { PKCS7, 0x01 }; 211CONST_OID pkcs7SignedData[] = { PKCS7, 0x02 }; 212CONST_OID pkcs7EnvelopedData[] = { PKCS7, 0x03 }; 213CONST_OID pkcs7SignedEnvelopedData[] = { PKCS7, 0x04 }; 214CONST_OID pkcs7DigestedData[] = { PKCS7, 0x05 }; 215CONST_OID pkcs7EncryptedData[] = { PKCS7, 0x06 }; 216 217CONST_OID pkcs9EmailAddress[] = { PKCS9, 0x01 }; 218CONST_OID pkcs9UnstructuredName[] = { PKCS9, 0x02 }; 219CONST_OID pkcs9ContentType[] = { PKCS9, 0x03 }; 220CONST_OID pkcs9MessageDigest[] = { PKCS9, 0x04 }; 221CONST_OID pkcs9SigningTime[] = { PKCS9, 0x05 }; 222CONST_OID pkcs9CounterSignature[] = { PKCS9, 0x06 }; 223CONST_OID pkcs9ChallengePassword[] = { PKCS9, 0x07 }; 224CONST_OID pkcs9UnstructuredAddress[] = { PKCS9, 0x08 }; 225CONST_OID pkcs9ExtendedCertificateAttributes[] = { PKCS9, 0x09 }; 226CONST_OID pkcs9SMIMECapabilities[] = { PKCS9, 15 }; 227CONST_OID pkcs9FriendlyName[] = { PKCS9, 20 }; 228CONST_OID pkcs9LocalKeyID[] = { PKCS9, 21 }; 229 230CONST_OID pkcs9X509Certificate[] = { PKCS9_CERT_TYPES, 1 }; 231CONST_OID pkcs9SDSICertificate[] = { PKCS9_CERT_TYPES, 2 }; 232CONST_OID pkcs9X509CRL[] = { PKCS9_CRL_TYPES, 1 }; 233 234/* RFC2630 (CMS) OIDs */ 235CONST_OID cmsESDH[] = { PKCS9_SMIME_ALGS, 5 }; 236CONST_OID cms3DESwrap[] = { PKCS9_SMIME_ALGS, 6 }; 237CONST_OID cmsRC2wrap[] = { PKCS9_SMIME_ALGS, 7 }; 238 239/* RFC2633 SMIME message attributes */ 240CONST_OID smimeEncryptionKeyPreference[] = { PKCS9_SMIME_ATTRS, 11 }; 241CONST_OID ms_smimeEncryptionKeyPreference[] = { MICROSOFT_OID, 0x10, 0x4 }; 242 243CONST_OID smimeSigningCertificate[] = { PKCS9_SMIME_ATTRS, 12 }; 244CONST_OID smimeTimeStampToken[] = { PKCS9_SMIME_ATTRS, 14 }; 245CONST_OID smimeTimeStampTokenInfo[] = { PKCS9_SMIME_CTYPE, 0x04 }; 246 247CONST_OID x520CommonName[] = { X520_ATTRIBUTE_TYPE, 3 }; 248CONST_OID x520CountryName[] = { X520_ATTRIBUTE_TYPE, 6 }; 249CONST_OID x520LocalityName[] = { X520_ATTRIBUTE_TYPE, 7 }; 250CONST_OID x520StateOrProvinceName[] = { X520_ATTRIBUTE_TYPE, 8 }; 251CONST_OID x520OrgName[] = { X520_ATTRIBUTE_TYPE, 10 }; 252CONST_OID x520OrgUnitName[] = { X520_ATTRIBUTE_TYPE, 11 }; 253CONST_OID x520DnQualifier[] = { X520_ATTRIBUTE_TYPE, 46 }; 254 255CONST_OID nsTypeGIF[] = { NETSCAPE_DATA_TYPE, 0x01 }; 256CONST_OID nsTypeJPEG[] = { NETSCAPE_DATA_TYPE, 0x02 }; 257CONST_OID nsTypeURL[] = { NETSCAPE_DATA_TYPE, 0x03 }; 258CONST_OID nsTypeHTML[] = { NETSCAPE_DATA_TYPE, 0x04 }; 259CONST_OID nsTypeCertSeq[] = { NETSCAPE_DATA_TYPE, 0x05 }; 260 261CONST_OID missiCertKEADSSOld[] = { MISSI_OLD_KEA_DSS }; 262CONST_OID missiCertDSSOld[] = { MISSI_OLD_DSS }; 263CONST_OID missiCertKEADSS[] = { MISSI_KEA_DSS }; 264CONST_OID missiCertDSS[] = { MISSI_DSS }; 265CONST_OID missiCertKEA[] = { MISSI_KEA }; 266CONST_OID missiCertAltKEA[] = { MISSI_ALT_KEA }; 267CONST_OID x500RSAEncryption[] = { X500_ALG_ENCRYPTION, 0x01 }; 268 269/* added for alg 1485 */ 270CONST_OID rfc1274Uid[] = { RFC1274_ATTR_TYPE, 1 }; 271CONST_OID rfc1274Mail[] = { RFC1274_ATTR_TYPE, 3 }; 272CONST_OID rfc2247DomainComponent[] = { RFC1274_ATTR_TYPE, 25 }; 273 274/* Netscape private certificate extensions */ 275CONST_OID nsCertExtNetscapeOK[] = { NS_CERT_EXT, 1 }; 276CONST_OID nsCertExtIssuerLogo[] = { NS_CERT_EXT, 2 }; 277CONST_OID nsCertExtSubjectLogo[] = { NS_CERT_EXT, 3 }; 278CONST_OID nsExtCertType[] = { NETSCAPE_CERT_EXT, 0x01 }; 279CONST_OID nsExtBaseURL[] = { NETSCAPE_CERT_EXT, 0x02 }; 280CONST_OID nsExtRevocationURL[] = { NETSCAPE_CERT_EXT, 0x03 }; 281CONST_OID nsExtCARevocationURL[] = { NETSCAPE_CERT_EXT, 0x04 }; 282CONST_OID nsExtCACRLURL[] = { NETSCAPE_CERT_EXT, 0x05 }; 283CONST_OID nsExtCACertURL[] = { NETSCAPE_CERT_EXT, 0x06 }; 284CONST_OID nsExtCertRenewalURL[] = { NETSCAPE_CERT_EXT, 0x07 }; 285CONST_OID nsExtCAPolicyURL[] = { NETSCAPE_CERT_EXT, 0x08 }; 286CONST_OID nsExtHomepageURL[] = { NETSCAPE_CERT_EXT, 0x09 }; 287CONST_OID nsExtEntityLogo[] = { NETSCAPE_CERT_EXT, 0x0a }; 288CONST_OID nsExtUserPicture[] = { NETSCAPE_CERT_EXT, 0x0b }; 289CONST_OID nsExtSSLServerName[] = { NETSCAPE_CERT_EXT, 0x0c }; 290CONST_OID nsExtComment[] = { NETSCAPE_CERT_EXT, 0x0d }; 291 292/* the following 2 extensions are defined for and used by Cartman(NSM) */ 293CONST_OID nsExtLostPasswordURL[] = { NETSCAPE_CERT_EXT, 0x0e }; 294CONST_OID nsExtCertRenewalTime[] = { NETSCAPE_CERT_EXT, 0x0f }; 295 296CONST_OID nsExtAIACertRenewal[] = { NETSCAPE_CERT_EXT_AIA, 0x01 }; 297CONST_OID nsExtCertScopeOfUse[] = { NETSCAPE_CERT_EXT, 0x11 }; 298/* Reserved Netscape (2 16 840 1 113730 1 18) = { NETSCAPE_CERT_EXT, 0x12 }; */ 299 300/* Netscape policy values */ 301CONST_OID nsKeyUsageGovtApproved[] = { NETSCAPE_POLICY, 0x01 }; 302 303/* Netscape other name types */ 304CONST_OID netscapeNickname[] = { NETSCAPE_NAME_COMPONENTS, 0x01}; 305/* Reserved Netscape REF605437 306 (2 16 840 1 113730 7 2) = { NETSCAPE_NAME_COMPONENTS, 0x02 }; */ 307 308/* OIDs needed for cert server */ 309CONST_OID netscapeRecoveryRequest[] = { NETSCAPE_CERT_SERVER_CRMF, 0x01 }; 310 311 312/* Standard x.509 v3 Certificate Extensions */ 313CONST_OID x509SubjectDirectoryAttr[] = { ID_CE_OID, 9 }; 314CONST_OID x509SubjectKeyID[] = { ID_CE_OID, 14 }; 315CONST_OID x509KeyUsage[] = { ID_CE_OID, 15 }; 316CONST_OID x509PrivateKeyUsagePeriod[] = { ID_CE_OID, 16 }; 317CONST_OID x509SubjectAltName[] = { ID_CE_OID, 17 }; 318CONST_OID x509IssuerAltName[] = { ID_CE_OID, 18 }; 319CONST_OID x509BasicConstraints[] = { ID_CE_OID, 19 }; 320CONST_OID x509NameConstraints[] = { ID_CE_OID, 30 }; 321CONST_OID x509CRLDistPoints[] = { ID_CE_OID, 31 }; 322CONST_OID x509CertificatePolicies[] = { ID_CE_OID, 32 }; 323CONST_OID x509PolicyMappings[] = { ID_CE_OID, 33 }; 324CONST_OID x509PolicyConstraints[] = { ID_CE_OID, 34 }; 325CONST_OID x509AuthKeyID[] = { ID_CE_OID, 35 }; 326CONST_OID x509ExtKeyUsage[] = { ID_CE_OID, 37 }; 327CONST_OID x509AuthInfoAccess[] = { PKIX_CERT_EXTENSIONS, 1 }; 328 329/* Standard x.509 v3 CRL Extensions */ 330CONST_OID x509CrlNumber[] = { ID_CE_OID, 20}; 331CONST_OID x509ReasonCode[] = { ID_CE_OID, 21}; 332CONST_OID x509InvalidDate[] = { ID_CE_OID, 24}; 333 334/* pkcs 12 additions */ 335CONST_OID pkcs12[] = { PKCS12 }; 336CONST_OID pkcs12ModeIDs[] = { PKCS12_MODE_IDS }; 337CONST_OID pkcs12ESPVKIDs[] = { PKCS12_ESPVK_IDS }; 338CONST_OID pkcs12BagIDs[] = { PKCS12_BAG_IDS }; 339CONST_OID pkcs12CertBagIDs[] = { PKCS12_CERT_BAG_IDS }; 340CONST_OID pkcs12OIDs[] = { PKCS12_OIDS }; 341CONST_OID pkcs12PBEIDs[] = { PKCS12_PBE_IDS }; 342CONST_OID pkcs12EnvelopingIDs[] = { PKCS12_ENVELOPING_IDS }; 343CONST_OID pkcs12SignatureIDs[] = { PKCS12_SIGNATURE_IDS }; 344CONST_OID pkcs12PKCS8KeyShrouding[] = { PKCS12_ESPVK_IDS, 0x01 }; 345CONST_OID pkcs12KeyBagID[] = { PKCS12_BAG_IDS, 0x01 }; 346CONST_OID pkcs12CertAndCRLBagID[] = { PKCS12_BAG_IDS, 0x02 }; 347CONST_OID pkcs12SecretBagID[] = { PKCS12_BAG_IDS, 0x03 }; 348CONST_OID pkcs12X509CertCRLBag[] = { PKCS12_CERT_BAG_IDS, 0x01 }; 349CONST_OID pkcs12SDSICertBag[] = { PKCS12_CERT_BAG_IDS, 0x02 }; 350CONST_OID pkcs12PBEWithSha1And128BitRC4[] = { PKCS12_PBE_IDS, 0x01 }; 351CONST_OID pkcs12PBEWithSha1And40BitRC4[] = { PKCS12_PBE_IDS, 0x02 }; 352CONST_OID pkcs12PBEWithSha1AndTripleDESCBC[] = { PKCS12_PBE_IDS, 0x03 }; 353CONST_OID pkcs12PBEWithSha1And128BitRC2CBC[] = { PKCS12_PBE_IDS, 0x04 }; 354CONST_OID pkcs12PBEWithSha1And40BitRC2CBC[] = { PKCS12_PBE_IDS, 0x05 }; 355CONST_OID pkcs12RSAEncryptionWith128BitRC4[] = { PKCS12_ENVELOPING_IDS, 0x01 }; 356CONST_OID pkcs12RSAEncryptionWith40BitRC4[] = { PKCS12_ENVELOPING_IDS, 0x02 }; 357CONST_OID pkcs12RSAEncryptionWithTripleDES[] = { PKCS12_ENVELOPING_IDS, 0x03 }; 358CONST_OID pkcs12RSASignatureWithSHA1Digest[] = { PKCS12_SIGNATURE_IDS, 0x01 }; 359 360/* pkcs 12 version 1.0 ids */ 361CONST_OID pkcs12V2PBEWithSha1And128BitRC4[] = { PKCS12_V2_PBE_IDS, 0x01 }; 362CONST_OID pkcs12V2PBEWithSha1And40BitRC4[] = { PKCS12_V2_PBE_IDS, 0x02 }; 363CONST_OID pkcs12V2PBEWithSha1And3KeyTripleDEScbc[]= { PKCS12_V2_PBE_IDS, 0x03 }; 364CONST_OID pkcs12V2PBEWithSha1And2KeyTripleDEScbc[]= { PKCS12_V2_PBE_IDS, 0x04 }; 365CONST_OID pkcs12V2PBEWithSha1And128BitRC2cbc[] = { PKCS12_V2_PBE_IDS, 0x05 }; 366CONST_OID pkcs12V2PBEWithSha1And40BitRC2cbc[] = { PKCS12_V2_PBE_IDS, 0x06 }; 367 368CONST_OID pkcs12SafeContentsID[] = { PKCS12_BAG_IDS, 0x04 }; 369CONST_OID pkcs12PKCS8ShroudedKeyBagID[] = { PKCS12_BAG_IDS, 0x05 }; 370 371CONST_OID pkcs12V1KeyBag[] = { PKCS12_V1_BAG_IDS, 0x01 }; 372CONST_OID pkcs12V1PKCS8ShroudedKeyBag[] = { PKCS12_V1_BAG_IDS, 0x02 }; 373CONST_OID pkcs12V1CertBag[] = { PKCS12_V1_BAG_IDS, 0x03 }; 374CONST_OID pkcs12V1CRLBag[] = { PKCS12_V1_BAG_IDS, 0x04 }; 375CONST_OID pkcs12V1SecretBag[] = { PKCS12_V1_BAG_IDS, 0x05 }; 376CONST_OID pkcs12V1SafeContentsBag[] = { PKCS12_V1_BAG_IDS, 0x06 }; 377 378CONST_OID pkcs12KeyUsageAttr[] = { 2, 5, 29, 15 }; 379 380CONST_OID ansix9DSASignature[] = { ANSI_X9_ALGORITHM, 0x01 }; 381CONST_OID ansix9DSASignaturewithSHA1Digest[] = { ANSI_X9_ALGORITHM, 0x03 }; 382 383/* verisign OIDs */ 384CONST_OID verisignUserNotices[] = { VERISIGN, 1, 7, 1, 1 }; 385 386/* pkix OIDs */ 387CONST_OID pkixCPSPointerQualifier[] = { PKIX_POLICY_QUALIFIERS, 1 }; 388CONST_OID pkixUserNoticeQualifier[] = { PKIX_POLICY_QUALIFIERS, 2 }; 389 390CONST_OID pkixOCSP[] = { PKIX_OCSP }; 391CONST_OID pkixOCSPBasicResponse[] = { PKIX_OCSP, 1 }; 392CONST_OID pkixOCSPNonce[] = { PKIX_OCSP, 2 }; 393CONST_OID pkixOCSPCRL[] = { PKIX_OCSP, 3 }; 394CONST_OID pkixOCSPResponse[] = { PKIX_OCSP, 4 }; 395CONST_OID pkixOCSPNoCheck[] = { PKIX_OCSP, 5 }; 396CONST_OID pkixOCSPArchiveCutoff[] = { PKIX_OCSP, 6 }; 397CONST_OID pkixOCSPServiceLocator[] = { PKIX_OCSP, 7 }; 398 399CONST_OID pkixRegCtrlRegToken[] = { PKIX_ID_REGCTRL, 1}; 400CONST_OID pkixRegCtrlAuthenticator[] = { PKIX_ID_REGCTRL, 2}; 401CONST_OID pkixRegCtrlPKIPubInfo[] = { PKIX_ID_REGCTRL, 3}; 402CONST_OID pkixRegCtrlPKIArchOptions[] = { PKIX_ID_REGCTRL, 4}; 403CONST_OID pkixRegCtrlOldCertID[] = { PKIX_ID_REGCTRL, 5}; 404CONST_OID pkixRegCtrlProtEncKey[] = { PKIX_ID_REGCTRL, 6}; 405CONST_OID pkixRegInfoUTF8Pairs[] = { PKIX_ID_REGINFO, 1}; 406CONST_OID pkixRegInfoCertReq[] = { PKIX_ID_REGINFO, 2}; 407 408CONST_OID pkixExtendedKeyUsageServerAuth[] = { PKIX_KEY_USAGE, 1 }; 409CONST_OID pkixExtendedKeyUsageClientAuth[] = { PKIX_KEY_USAGE, 2 }; 410CONST_OID pkixExtendedKeyUsageCodeSign[] = { PKIX_KEY_USAGE, 3 }; 411CONST_OID pkixExtendedKeyUsageEMailProtect[] = { PKIX_KEY_USAGE, 4 }; 412CONST_OID pkixExtendedKeyUsageTimeStamp[] = { PKIX_KEY_USAGE, 8 }; 413CONST_OID pkixOCSPResponderExtendedKeyUsage[] = { PKIX_KEY_USAGE, 9 }; 414 415/* OIDs for Netscape defined algorithms */ 416CONST_OID netscapeSMimeKEA[] = { NETSCAPE_ALGS, 0x01 }; 417 418/* Fortezza algorithm OIDs */ 419CONST_OID skipjackCBC[] = { FORTEZZA_ALG, 0x04 }; 420CONST_OID dhPublicKey[] = { ANSI_X942_ALGORITHM, 0x1 }; 421 422CONST_OID aes128_ECB[] = { AES, 1 }; 423CONST_OID aes128_CBC[] = { AES, 2 }; 424#ifdef DEFINE_ALL_AES_CIPHERS 425CONST_OID aes128_OFB[] = { AES, 3 }; 426CONST_OID aes128_CFB[] = { AES, 4 }; 427#endif 428CONST_OID aes128_KEY_WRAP[] = { AES, 5 }; 429 430CONST_OID aes192_ECB[] = { AES, 21 }; 431CONST_OID aes192_CBC[] = { AES, 22 }; 432#ifdef DEFINE_ALL_AES_CIPHERS 433CONST_OID aes192_OFB[] = { AES, 23 }; 434CONST_OID aes192_CFB[] = { AES, 24 }; 435#endif 436CONST_OID aes192_KEY_WRAP[] = { AES, 25 }; 437 438CONST_OID aes256_ECB[] = { AES, 41 }; 439CONST_OID aes256_CBC[] = { AES, 42 }; 440#ifdef DEFINE_ALL_AES_CIPHERS 441CONST_OID aes256_OFB[] = { AES, 43 }; 442CONST_OID aes256_CFB[] = { AES, 44 }; 443#endif 444CONST_OID aes256_KEY_WRAP[] = { AES, 45 }; 445 446CONST_OID sha256[] = { SHAXXX, 1 }; 447CONST_OID sha384[] = { SHAXXX, 2 }; 448CONST_OID sha512[] = { SHAXXX, 3 }; 449 450CONST_OID ecdsaWithSHA1[] = { ANSI_X9_62_SIG_TYPE, 1 }; 451CONST_OID ecPublicKey[] = { ANSI_X9_62_PUBKEY_TYPE, 1 }; 452/* This OID doesn't appear in a CMS msg */ 453CONST_OID ecdsaSig[] = { ANSI_X9_62_SIG_TYPE }; 454 455/* ECDH curves */ 456CONST_OID secp256r1[] = { 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07 }; 457CONST_OID secp384r1[] = { CERTICOM_ELL_CURVE, 0x22 }; 458CONST_OID secp521r1[] = { CERTICOM_ELL_CURVE, 0x23 }; 459 460/* RFC 3278 */ 461CONST_OID dhSinglePassStdDHsha1kdf[] = {ANSI_X9_63_SCHEME, 2 }; 462CONST_OID dhSinglePassCofactorDHsha1kdf[] = {ANSI_X9_63_SCHEME, 3 }; 463CONST_OID mqvSinglePassSha1kdf[] = {ANSI_X9_63_SCHEME, 4 }; 464 465/* a special case: always associated with a caller-specified OID */ 466CONST_OID noOid[] = { 0 }; 467 468#define OI(x) { sizeof x, (uint8 *)x } 469#ifndef SECOID_NO_STRINGS 470#define OD(oid,tag,desc,mech,ext) { OI(oid), tag, desc, mech, ext } 471#else 472#define OD(oid,tag,desc,mech,ext) { OI(oid), tag, 0, mech, ext } 473#endif 474 475/* 476 * NOTE: the order of these entries must mach the SECOidTag enum in secoidt.h! 477 */ 478const static SECOidData oids[] = { 479 { { 0, NULL }, SEC_OID_UNKNOWN, 480 "Unknown OID", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION }, 481 OD( md2, SEC_OID_MD2, "MD2", CSSM_ALGID_MD2, INVALID_CERT_EXTENSION ), 482 OD( md4, SEC_OID_MD4, 483 "MD4", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 484 OD( md5, SEC_OID_MD5, "MD5", CSSM_ALGID_MD5, INVALID_CERT_EXTENSION ), 485 OD( sha1, SEC_OID_SHA1, "SHA-1", CSSM_ALGID_SHA1, INVALID_CERT_EXTENSION ), 486 OD( rc2cbc, SEC_OID_RC2_CBC, 487 "RC2-CBC", CSSM_ALGID_RC2, INVALID_CERT_EXTENSION ), 488 OD( rc4, SEC_OID_RC4, "RC4", CSSM_ALGID_RC4, INVALID_CERT_EXTENSION ), 489 OD( desede3cbc, SEC_OID_DES_EDE3_CBC, 490 "DES-EDE3-CBC", CSSM_ALGID_3DES_3KEY_EDE, INVALID_CERT_EXTENSION ), 491 OD( rc5cbcpad, SEC_OID_RC5_CBC_PAD, 492 "RC5-CBCPad", CSSM_ALGID_RC5, INVALID_CERT_EXTENSION ), 493 OD( desecb, SEC_OID_DES_ECB, 494 "DES-ECB", CSSM_ALGID_DES, INVALID_CERT_EXTENSION ), 495 OD( descbc, SEC_OID_DES_CBC, 496 "DES-CBC", CSSM_ALGID_DES, INVALID_CERT_EXTENSION ), 497 OD( desofb, SEC_OID_DES_OFB, 498 "DES-OFB", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 499 OD( descfb, SEC_OID_DES_CFB, 500 "DES-CFB", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 501 OD( desmac, SEC_OID_DES_MAC, 502 "DES-MAC", CSSM_ALGID_DES, INVALID_CERT_EXTENSION ), 503 OD( desede, SEC_OID_DES_EDE, 504 "DES-EDE", CSSM_ALGID_3DES_3KEY_EDE, INVALID_CERT_EXTENSION ), 505 OD( isoSHAWithRSASignature, SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE, 506 "ISO SHA with RSA Signature", 507 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 508 OD( pkcs1RSAEncryption, SEC_OID_PKCS1_RSA_ENCRYPTION, 509 "PKCS #1 RSA Encryption", CSSM_ALGID_RSA, INVALID_CERT_EXTENSION ), 510 511 /* the following Signing CSSM_ALGORITHMS should get new CKM_ values when 512 * values for CKM_RSA_WITH_MDX and CKM_RSA_WITH_SHA_1 get defined in 513 * PKCS #11. 514 */ 515 OD( pkcs1MD2WithRSAEncryption, SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION, 516 "PKCS #1 MD2 With RSA Encryption", CSSM_ALGID_MD2WithRSA, 517 INVALID_CERT_EXTENSION ), 518 OD( pkcs1MD4WithRSAEncryption, SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION, 519 "PKCS #1 MD4 With RSA Encryption", 520 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 521 OD( pkcs1MD5WithRSAEncryption, SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION, 522 "PKCS #1 MD5 With RSA Encryption", CSSM_ALGID_MD5WithRSA, 523 INVALID_CERT_EXTENSION ), 524 OD( pkcs1SHA1WithRSAEncryption, SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION, 525 "PKCS #1 SHA-1 With RSA Encryption", CSSM_ALGID_SHA1WithRSA, 526 INVALID_CERT_EXTENSION ), 527 528 OD( pkcs5PbeWithMD2AndDEScbc, SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC, 529 "PKCS #5 Password Based Encryption with MD2 and DES CBC", 530 CSSM_ALGID_PKCS5_PBKDF1_MD2, INVALID_CERT_EXTENSION ), 531 OD( pkcs5PbeWithMD5AndDEScbc, SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC, 532 "PKCS #5 Password Based Encryption with MD5 and DES CBC", 533 CSSM_ALGID_PKCS5_PBKDF1_MD5, INVALID_CERT_EXTENSION ), 534 OD( pkcs5PbeWithSha1AndDEScbc, SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC, 535 "PKCS #5 Password Based Encryption with SHA1 and DES CBC", 536 CSSM_ALGID_PKCS5_PBKDF1_SHA1, INVALID_CERT_EXTENSION ), 537 OD( pkcs7, SEC_OID_PKCS7, 538 "PKCS #7", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 539 OD( pkcs7Data, SEC_OID_PKCS7_DATA, 540 "PKCS #7 Data", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 541 OD( pkcs7SignedData, SEC_OID_PKCS7_SIGNED_DATA, 542 "PKCS #7 Signed Data", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 543 OD( pkcs7EnvelopedData, SEC_OID_PKCS7_ENVELOPED_DATA, 544 "PKCS #7 Enveloped Data", 545 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 546 OD( pkcs7SignedEnvelopedData, SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA, 547 "PKCS #7 Signed And Enveloped Data", 548 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 549 OD( pkcs7DigestedData, SEC_OID_PKCS7_DIGESTED_DATA, 550 "PKCS #7 Digested Data", 551 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 552 OD( pkcs7EncryptedData, SEC_OID_PKCS7_ENCRYPTED_DATA, 553 "PKCS #7 Encrypted Data", 554 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 555 OD( pkcs9EmailAddress, SEC_OID_PKCS9_EMAIL_ADDRESS, 556 "PKCS #9 Email Address", 557 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 558 OD( pkcs9UnstructuredName, SEC_OID_PKCS9_UNSTRUCTURED_NAME, 559 "PKCS #9 Unstructured Name", 560 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 561 OD( pkcs9ContentType, SEC_OID_PKCS9_CONTENT_TYPE, 562 "PKCS #9 Content Type", 563 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 564 OD( pkcs9MessageDigest, SEC_OID_PKCS9_MESSAGE_DIGEST, 565 "PKCS #9 Message Digest", 566 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 567 OD( pkcs9SigningTime, SEC_OID_PKCS9_SIGNING_TIME, 568 "PKCS #9 Signing Time", 569 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 570 OD( pkcs9CounterSignature, SEC_OID_PKCS9_COUNTER_SIGNATURE, 571 "PKCS #9 Counter Signature", 572 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 573 OD( pkcs9ChallengePassword, SEC_OID_PKCS9_CHALLENGE_PASSWORD, 574 "PKCS #9 Challenge Password", 575 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 576 OD( pkcs9UnstructuredAddress, SEC_OID_PKCS9_UNSTRUCTURED_ADDRESS, 577 "PKCS #9 Unstructured Address", 578 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 579 OD( pkcs9ExtendedCertificateAttributes, 580 SEC_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES, 581 "PKCS #9 Extended Certificate Attributes", 582 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 583 OD( pkcs9SMIMECapabilities, SEC_OID_PKCS9_SMIME_CAPABILITIES, 584 "PKCS #9 S/MIME Capabilities", 585 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 586 OD( x520CommonName, SEC_OID_AVA_COMMON_NAME, 587 "X520 Common Name", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 588 OD( x520CountryName, SEC_OID_AVA_COUNTRY_NAME, 589 "X520 Country Name", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 590 OD( x520LocalityName, SEC_OID_AVA_LOCALITY, 591 "X520 Locality Name", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 592 OD( x520StateOrProvinceName, SEC_OID_AVA_STATE_OR_PROVINCE, 593 "X520 State Or Province Name", 594 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 595 OD( x520OrgName, SEC_OID_AVA_ORGANIZATION_NAME, 596 "X520 Organization Name", 597 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 598 OD( x520OrgUnitName, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME, 599 "X520 Organizational Unit Name", 600 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 601 OD( x520DnQualifier, SEC_OID_AVA_DN_QUALIFIER, 602 "X520 DN Qualifier", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 603 OD( rfc2247DomainComponent, SEC_OID_AVA_DC, 604 "RFC 2247 Domain Component", 605 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 606 607 OD( nsTypeGIF, SEC_OID_NS_TYPE_GIF, 608 "GIF", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 609 OD( nsTypeJPEG, SEC_OID_NS_TYPE_JPEG, 610 "JPEG", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 611 OD( nsTypeURL, SEC_OID_NS_TYPE_URL, 612 "URL", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 613 OD( nsTypeHTML, SEC_OID_NS_TYPE_HTML, 614 "HTML", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 615 OD( nsTypeCertSeq, SEC_OID_NS_TYPE_CERT_SEQUENCE, 616 "Certificate Sequence", 617 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 618 OD( missiCertKEADSSOld, SEC_OID_MISSI_KEA_DSS_OLD, 619 "MISSI KEA and DSS Algorithm (Old)", 620 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 621 OD( missiCertDSSOld, SEC_OID_MISSI_DSS_OLD, 622 "MISSI DSS Algorithm (Old)", 623 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 624 OD( missiCertKEADSS, SEC_OID_MISSI_KEA_DSS, 625 "MISSI KEA and DSS Algorithm", 626 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 627 OD( missiCertDSS, SEC_OID_MISSI_DSS, 628 "MISSI DSS Algorithm", 629 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 630 OD( missiCertKEA, SEC_OID_MISSI_KEA, 631 "MISSI KEA Algorithm", 632 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 633 OD( missiCertAltKEA, SEC_OID_MISSI_ALT_KEA, 634 "MISSI Alternate KEA Algorithm", 635 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 636 637 /* Netscape private extensions */ 638 OD( nsCertExtNetscapeOK, SEC_OID_NS_CERT_EXT_NETSCAPE_OK, 639 "Netscape says this cert is OK", 640 CSSM_ALGID_NONE, UNSUPPORTED_CERT_EXTENSION ), 641 OD( nsCertExtIssuerLogo, SEC_OID_NS_CERT_EXT_ISSUER_LOGO, 642 "Certificate Issuer Logo", 643 CSSM_ALGID_NONE, UNSUPPORTED_CERT_EXTENSION ), 644 OD( nsCertExtSubjectLogo, SEC_OID_NS_CERT_EXT_SUBJECT_LOGO, 645 "Certificate Subject Logo", 646 CSSM_ALGID_NONE, UNSUPPORTED_CERT_EXTENSION ), 647 OD( nsExtCertType, SEC_OID_NS_CERT_EXT_CERT_TYPE, 648 "Certificate Type", 649 CSSM_ALGID_NONE, SUPPORTED_CERT_EXTENSION ), 650 OD( nsExtBaseURL, SEC_OID_NS_CERT_EXT_BASE_URL, 651 "Certificate Extension Base URL", 652 CSSM_ALGID_NONE, SUPPORTED_CERT_EXTENSION ), 653 OD( nsExtRevocationURL, SEC_OID_NS_CERT_EXT_REVOCATION_URL, 654 "Certificate Revocation URL", 655 CSSM_ALGID_NONE, SUPPORTED_CERT_EXTENSION ), 656 OD( nsExtCARevocationURL, SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL, 657 "Certificate Authority Revocation URL", 658 CSSM_ALGID_NONE, SUPPORTED_CERT_EXTENSION ), 659 OD( nsExtCACRLURL, SEC_OID_NS_CERT_EXT_CA_CRL_URL, 660 "Certificate Authority CRL Download URL", 661 CSSM_ALGID_NONE, UNSUPPORTED_CERT_EXTENSION ), 662 OD( nsExtCACertURL, SEC_OID_NS_CERT_EXT_CA_CERT_URL, 663 "Certificate Authority Certificate Download URL", 664 CSSM_ALGID_NONE, UNSUPPORTED_CERT_EXTENSION ), 665 OD( nsExtCertRenewalURL, SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL, 666 "Certificate Renewal URL", 667 CSSM_ALGID_NONE, SUPPORTED_CERT_EXTENSION ), 668 OD( nsExtCAPolicyURL, SEC_OID_NS_CERT_EXT_CA_POLICY_URL, 669 "Certificate Authority Policy URL", 670 CSSM_ALGID_NONE, SUPPORTED_CERT_EXTENSION ), 671 OD( nsExtHomepageURL, SEC_OID_NS_CERT_EXT_HOMEPAGE_URL, 672 "Certificate Homepage URL", 673 CSSM_ALGID_NONE, UNSUPPORTED_CERT_EXTENSION ), 674 OD( nsExtEntityLogo, SEC_OID_NS_CERT_EXT_ENTITY_LOGO, 675 "Certificate Entity Logo", 676 CSSM_ALGID_NONE, UNSUPPORTED_CERT_EXTENSION ), 677 OD( nsExtUserPicture, SEC_OID_NS_CERT_EXT_USER_PICTURE, 678 "Certificate User Picture", 679 CSSM_ALGID_NONE, UNSUPPORTED_CERT_EXTENSION ), 680 OD( nsExtSSLServerName, SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME, 681 "Certificate SSL Server Name", 682 CSSM_ALGID_NONE, SUPPORTED_CERT_EXTENSION ), 683 OD( nsExtComment, SEC_OID_NS_CERT_EXT_COMMENT, 684 "Certificate Comment", 685 CSSM_ALGID_NONE, SUPPORTED_CERT_EXTENSION ), 686 OD( nsExtLostPasswordURL, SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL, 687 "Lost Password URL", 688 CSSM_ALGID_NONE, SUPPORTED_CERT_EXTENSION ), 689 OD( nsExtCertRenewalTime, SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME, 690 "Certificate Renewal Time", 691 CSSM_ALGID_NONE, SUPPORTED_CERT_EXTENSION ), 692 OD( nsKeyUsageGovtApproved, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED, 693 "Strong Crypto Export Approved", 694 CSSM_ALGID_NONE, UNSUPPORTED_CERT_EXTENSION ), 695 696 697 /* x.509 v3 certificate extensions */ 698 OD( x509SubjectDirectoryAttr, SEC_OID_X509_SUBJECT_DIRECTORY_ATTR, 699 "Certificate Subject Directory Attributes", 700 CSSM_ALGID_NONE, UNSUPPORTED_CERT_EXTENSION), 701 OD( x509SubjectKeyID, SEC_OID_X509_SUBJECT_KEY_ID, 702 "Certificate Subject Key ID", 703 CSSM_ALGID_NONE, SUPPORTED_CERT_EXTENSION ), 704 OD( x509KeyUsage, SEC_OID_X509_KEY_USAGE, 705 "Certificate Key Usage", 706 CSSM_ALGID_NONE, SUPPORTED_CERT_EXTENSION ), 707 OD( x509PrivateKeyUsagePeriod, SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD, 708 "Certificate Private Key Usage Period", 709 CSSM_ALGID_NONE, UNSUPPORTED_CERT_EXTENSION ), 710 OD( x509SubjectAltName, SEC_OID_X509_SUBJECT_ALT_NAME, 711 "Certificate Subject Alt Name", 712 CSSM_ALGID_NONE, SUPPORTED_CERT_EXTENSION ), 713 OD( x509IssuerAltName, SEC_OID_X509_ISSUER_ALT_NAME, 714 "Certificate Issuer Alt Name", 715 CSSM_ALGID_NONE, UNSUPPORTED_CERT_EXTENSION ), 716 OD( x509BasicConstraints, SEC_OID_X509_BASIC_CONSTRAINTS, 717 "Certificate Basic Constraints", 718 CSSM_ALGID_NONE, SUPPORTED_CERT_EXTENSION ), 719 OD( x509NameConstraints, SEC_OID_X509_NAME_CONSTRAINTS, 720 "Certificate Name Constraints", 721 CSSM_ALGID_NONE, SUPPORTED_CERT_EXTENSION ), 722 OD( x509CRLDistPoints, SEC_OID_X509_CRL_DIST_POINTS, 723 "CRL Distribution Points", 724 CSSM_ALGID_NONE, UNSUPPORTED_CERT_EXTENSION ), 725 OD( x509CertificatePolicies, SEC_OID_X509_CERTIFICATE_POLICIES, 726 "Certificate Policies", 727 CSSM_ALGID_NONE, UNSUPPORTED_CERT_EXTENSION ), 728 OD( x509PolicyMappings, SEC_OID_X509_POLICY_MAPPINGS, 729 "Certificate Policy Mappings", 730 CSSM_ALGID_NONE, UNSUPPORTED_CERT_EXTENSION ), 731 OD( x509PolicyConstraints, SEC_OID_X509_POLICY_CONSTRAINTS, 732 "Certificate Policy Constraints", 733 CSSM_ALGID_NONE, UNSUPPORTED_CERT_EXTENSION ), 734 OD( x509AuthKeyID, SEC_OID_X509_AUTH_KEY_ID, 735 "Certificate Authority Key Identifier", 736 CSSM_ALGID_NONE, SUPPORTED_CERT_EXTENSION ), 737 OD( x509ExtKeyUsage, SEC_OID_X509_EXT_KEY_USAGE, 738 "Extended Key Usage", 739 CSSM_ALGID_NONE, SUPPORTED_CERT_EXTENSION ), 740 OD( x509AuthInfoAccess, SEC_OID_X509_AUTH_INFO_ACCESS, 741 "Authority Information Access", 742 CSSM_ALGID_NONE, SUPPORTED_CERT_EXTENSION ), 743 744 /* x.509 v3 CRL extensions */ 745 OD( x509CrlNumber, SEC_OID_X509_CRL_NUMBER, 746 "CRL Number", CSSM_ALGID_NONE, SUPPORTED_CERT_EXTENSION ), 747 OD( x509ReasonCode, SEC_OID_X509_REASON_CODE, 748 "CRL reason code", CSSM_ALGID_NONE, SUPPORTED_CERT_EXTENSION ), 749 OD( x509InvalidDate, SEC_OID_X509_INVALID_DATE, 750 "Invalid Date", CSSM_ALGID_NONE, SUPPORTED_CERT_EXTENSION ), 751 752 OD( x500RSAEncryption, SEC_OID_X500_RSA_ENCRYPTION, 753 "X500 RSA Encryption", CSSM_ALGID_RSA, INVALID_CERT_EXTENSION ), 754 755 /* added for alg 1485 */ 756 OD( rfc1274Uid, SEC_OID_RFC1274_UID, 757 "RFC1274 User Id", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 758 OD( rfc1274Mail, SEC_OID_RFC1274_MAIL, 759 "RFC1274 E-mail Address", 760 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 761 762 /* pkcs 12 additions */ 763 OD( pkcs12, SEC_OID_PKCS12, 764 "PKCS #12", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 765 OD( pkcs12ModeIDs, SEC_OID_PKCS12_MODE_IDS, 766 "PKCS #12 Mode IDs", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 767 OD( pkcs12ESPVKIDs, SEC_OID_PKCS12_ESPVK_IDS, 768 "PKCS #12 ESPVK IDs", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 769 OD( pkcs12BagIDs, SEC_OID_PKCS12_BAG_IDS, 770 "PKCS #12 Bag IDs", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 771 OD( pkcs12CertBagIDs, SEC_OID_PKCS12_CERT_BAG_IDS, 772 "PKCS #12 Cert Bag IDs", 773 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 774 OD( pkcs12OIDs, SEC_OID_PKCS12_OIDS, 775 "PKCS #12 OIDs", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 776 OD( pkcs12PBEIDs, SEC_OID_PKCS12_PBE_IDS, 777 "PKCS #12 PBE IDs", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 778 OD( pkcs12SignatureIDs, SEC_OID_PKCS12_SIGNATURE_IDS, 779 "PKCS #12 Signature IDs", 780 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 781 OD( pkcs12EnvelopingIDs, SEC_OID_PKCS12_ENVELOPING_IDS, 782 "PKCS #12 Enveloping IDs", 783 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 784 OD( pkcs12PKCS8KeyShrouding, SEC_OID_PKCS12_PKCS8_KEY_SHROUDING, 785 "PKCS #12 Key Shrouding", 786 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 787 OD( pkcs12KeyBagID, SEC_OID_PKCS12_KEY_BAG_ID, 788 "PKCS #12 Key Bag ID", 789 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 790 OD( pkcs12CertAndCRLBagID, SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID, 791 "PKCS #12 Cert And CRL Bag ID", 792 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 793 OD( pkcs12SecretBagID, SEC_OID_PKCS12_SECRET_BAG_ID, 794 "PKCS #12 Secret Bag ID", 795 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 796 OD( pkcs12X509CertCRLBag, SEC_OID_PKCS12_X509_CERT_CRL_BAG, 797 "PKCS #12 X509 Cert CRL Bag", 798 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 799 OD( pkcs12SDSICertBag, SEC_OID_PKCS12_SDSI_CERT_BAG, 800 "PKCS #12 SDSI Cert Bag", 801 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 802 OD( pkcs12PBEWithSha1And128BitRC4, 803 SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4, 804 "PKCS #12 PBE With Sha1 and 128 Bit RC4", 805 CSSM_ALGID_PKCS12_SHA1_PBE, INVALID_CERT_EXTENSION ), 806 OD( pkcs12PBEWithSha1And40BitRC4, 807 SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4, 808 "PKCS #12 PBE With Sha1 and 40 Bit RC4", 809 CSSM_ALGID_PKCS12_SHA1_PBE, INVALID_CERT_EXTENSION ), 810 OD( pkcs12PBEWithSha1AndTripleDESCBC, 811 SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC, 812 "PKCS #12 PBE With Sha1 and Triple DES CBC", 813 CSSM_ALGID_PKCS12_SHA1_PBE, INVALID_CERT_EXTENSION ), 814 OD( pkcs12PBEWithSha1And128BitRC2CBC, 815 SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC, 816 "PKCS #12 PBE With Sha1 and 128 Bit RC2 CBC", 817 CSSM_ALGID_PKCS12_SHA1_PBE, INVALID_CERT_EXTENSION ), 818 OD( pkcs12PBEWithSha1And40BitRC2CBC, 819 SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC, 820 "PKCS #12 PBE With Sha1 and 40 Bit RC2 CBC", 821 CSSM_ALGID_PKCS12_SHA1_PBE, INVALID_CERT_EXTENSION ), 822 OD( pkcs12RSAEncryptionWith128BitRC4, 823 SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_128_BIT_RC4, 824 "PKCS #12 RSA Encryption with 128 Bit RC4", 825 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 826 OD( pkcs12RSAEncryptionWith40BitRC4, 827 SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_40_BIT_RC4, 828 "PKCS #12 RSA Encryption with 40 Bit RC4", 829 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 830 OD( pkcs12RSAEncryptionWithTripleDES, 831 SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_TRIPLE_DES, 832 "PKCS #12 RSA Encryption with Triple DES", 833 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 834 OD( pkcs12RSASignatureWithSHA1Digest, 835 SEC_OID_PKCS12_RSA_SIGNATURE_WITH_SHA1_DIGEST, 836 "PKCS #12 RSA Encryption with Triple DES", 837 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 838 839 /* DSA signatures */ 840 OD( ansix9DSASignature, SEC_OID_ANSIX9_DSA_SIGNATURE, 841 "ANSI X9.57 DSA Signature", CSSM_ALGID_DSA, INVALID_CERT_EXTENSION ), 842 OD( ansix9DSASignaturewithSHA1Digest, 843 SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST, 844 "ANSI X9.57 DSA Signature with SHA1 Digest", 845 CSSM_ALGID_SHA1WithDSA, INVALID_CERT_EXTENSION ), 846 OD( bogusDSASignaturewithSHA1Digest, 847 SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST, 848 "FORTEZZA DSA Signature with SHA1 Digest", 849 CSSM_ALGID_SHA1WithDSA, INVALID_CERT_EXTENSION ), 850 851 /* verisign oids */ 852 OD( verisignUserNotices, SEC_OID_VERISIGN_USER_NOTICES, 853 "Verisign User Notices", 854 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 855 856 /* pkix oids */ 857 OD( pkixCPSPointerQualifier, SEC_OID_PKIX_CPS_POINTER_QUALIFIER, 858 "PKIX CPS Pointer Qualifier", 859 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 860 OD( pkixUserNoticeQualifier, SEC_OID_PKIX_USER_NOTICE_QUALIFIER, 861 "PKIX User Notice Qualifier", 862 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 863 864 OD( pkixOCSP, SEC_OID_PKIX_OCSP, 865 "PKIX Online Certificate Status Protocol", 866 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 867 OD( pkixOCSPBasicResponse, SEC_OID_PKIX_OCSP_BASIC_RESPONSE, 868 "OCSP Basic Response", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 869 OD( pkixOCSPNonce, SEC_OID_PKIX_OCSP_NONCE, 870 "OCSP Nonce Extension", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 871 OD( pkixOCSPCRL, SEC_OID_PKIX_OCSP_CRL, 872 "OCSP CRL Reference Extension", 873 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 874 OD( pkixOCSPResponse, SEC_OID_PKIX_OCSP_RESPONSE, 875 "OCSP Response Types Extension", 876 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 877 OD( pkixOCSPNoCheck, SEC_OID_PKIX_OCSP_NO_CHECK, 878 "OCSP No Check Extension", 879 CSSM_ALGID_NONE, SUPPORTED_CERT_EXTENSION ), 880 OD( pkixOCSPArchiveCutoff, SEC_OID_PKIX_OCSP_ARCHIVE_CUTOFF, 881 "OCSP Archive Cutoff Extension", 882 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 883 OD( pkixOCSPServiceLocator, SEC_OID_PKIX_OCSP_SERVICE_LOCATOR, 884 "OCSP Service Locator Extension", 885 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 886 887 OD( pkixRegCtrlRegToken, SEC_OID_PKIX_REGCTRL_REGTOKEN, 888 "PKIX CRMF Registration Control, Registration Token", 889 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 890 OD( pkixRegCtrlAuthenticator, SEC_OID_PKIX_REGCTRL_AUTHENTICATOR, 891 "PKIX CRMF Registration Control, Registration Authenticator", 892 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 893 OD( pkixRegCtrlPKIPubInfo, SEC_OID_PKIX_REGCTRL_PKIPUBINFO, 894 "PKIX CRMF Registration Control, PKI Publication Info", 895 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION), 896 OD( pkixRegCtrlPKIArchOptions, 897 SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS, 898 "PKIX CRMF Registration Control, PKI Archive Options", 899 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION), 900 OD( pkixRegCtrlOldCertID, SEC_OID_PKIX_REGCTRL_OLD_CERT_ID, 901 "PKIX CRMF Registration Control, Old Certificate ID", 902 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION), 903 OD( pkixRegCtrlProtEncKey, SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY, 904 "PKIX CRMF Registration Control, Protocol Encryption Key", 905 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION), 906 OD( pkixRegInfoUTF8Pairs, SEC_OID_PKIX_REGINFO_UTF8_PAIRS, 907 "PKIX CRMF Registration Info, UTF8 Pairs", 908 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION), 909 OD( pkixRegInfoCertReq, SEC_OID_PKIX_REGINFO_CERT_REQUEST, 910 "PKIX CRMF Registration Info, Certificate Request", 911 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION), 912 OD( pkixExtendedKeyUsageServerAuth, 913 SEC_OID_EXT_KEY_USAGE_SERVER_AUTH, 914 "TLS Web Server Authentication Certificate", 915 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION), 916 OD( pkixExtendedKeyUsageClientAuth, 917 SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH, 918 "TLS Web Client Authentication Certificate", 919 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION), 920 OD( pkixExtendedKeyUsageCodeSign, SEC_OID_EXT_KEY_USAGE_CODE_SIGN, 921 "Code Signing Certificate", 922 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION), 923 OD( pkixExtendedKeyUsageEMailProtect, 924 SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT, 925 "E-Mail Protection Certificate", 926 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION), 927 OD( pkixExtendedKeyUsageTimeStamp, 928 SEC_OID_EXT_KEY_USAGE_TIME_STAMP, 929 "Time Stamping Certifcate", 930 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION), 931 OD( pkixOCSPResponderExtendedKeyUsage, SEC_OID_OCSP_RESPONDER, 932 "OCSP Responder Certificate", 933 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION), 934 935 /* Netscape Algorithm OIDs */ 936 937 OD( netscapeSMimeKEA, SEC_OID_NETSCAPE_SMIME_KEA, 938 "Netscape S/MIME KEA", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 939 940 /* Skipjack OID -- ### mwelch temporary */ 941 OD( skipjackCBC, SEC_OID_FORTEZZA_SKIPJACK, 942 "Skipjack CBC64", CSSM_ALGID_SKIPJACK, INVALID_CERT_EXTENSION ), 943 944 /* pkcs12 v2 oids */ 945 OD( pkcs12V2PBEWithSha1And128BitRC4, 946 SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4, 947 "PKCS12 V2 PBE With SHA1 And 128 Bit RC4", 948 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 949 OD( pkcs12V2PBEWithSha1And40BitRC4, 950 SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4, 951 "PKCS12 V2 PBE With SHA1 And 40 Bit RC4", 952 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 953 OD( pkcs12V2PBEWithSha1And3KeyTripleDEScbc, 954 SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC, 955 "PKCS12 V2 PBE With SHA1 And 3KEY Triple DES-cbc", 956 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 957 OD( pkcs12V2PBEWithSha1And2KeyTripleDEScbc, 958 SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC, 959 "PKCS12 V2 PBE With SHA1 And 2KEY Triple DES-cbc", 960 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 961 OD( pkcs12V2PBEWithSha1And128BitRC2cbc, 962 SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC, 963 "PKCS12 V2 PBE With SHA1 And 128 Bit RC2 CBC", 964 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 965 OD( pkcs12V2PBEWithSha1And40BitRC2cbc, 966 SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC, 967 "PKCS12 V2 PBE With SHA1 And 40 Bit RC2 CBC", 968 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 969 OD( pkcs12SafeContentsID, SEC_OID_PKCS12_SAFE_CONTENTS_ID, 970 "PKCS #12 Safe Contents ID", 971 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 972 OD( pkcs12PKCS8ShroudedKeyBagID, 973 SEC_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG_ID, 974 "PKCS #12 Safe Contents ID", 975 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 976 OD( pkcs12V1KeyBag, SEC_OID_PKCS12_V1_KEY_BAG_ID, 977 "PKCS #12 V1 Key Bag", 978 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 979 OD( pkcs12V1PKCS8ShroudedKeyBag, 980 SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID, 981 "PKCS #12 V1 PKCS8 Shrouded Key Bag", 982 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 983 OD( pkcs12V1CertBag, SEC_OID_PKCS12_V1_CERT_BAG_ID, 984 "PKCS #12 V1 Cert Bag", 985 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 986 OD( pkcs12V1CRLBag, SEC_OID_PKCS12_V1_CRL_BAG_ID, 987 "PKCS #12 V1 CRL Bag", 988 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 989 OD( pkcs12V1SecretBag, SEC_OID_PKCS12_V1_SECRET_BAG_ID, 990 "PKCS #12 V1 Secret Bag", 991 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 992 OD( pkcs12V1SafeContentsBag, SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID, 993 "PKCS #12 V1 Safe Contents Bag", 994 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 995 996 OD( pkcs9X509Certificate, SEC_OID_PKCS9_X509_CERT, 997 "PKCS #9 X509 Certificate", 998 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 999 OD( pkcs9SDSICertificate, SEC_OID_PKCS9_SDSI_CERT, 1000 "PKCS #9 SDSI Certificate", 1001 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 1002 OD( pkcs9X509CRL, SEC_OID_PKCS9_X509_CRL, 1003 "PKCS #9 X509 CRL", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 1004 OD( pkcs9FriendlyName, SEC_OID_PKCS9_FRIENDLY_NAME, 1005 "PKCS #9 Friendly Name", 1006 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 1007 OD( pkcs9LocalKeyID, SEC_OID_PKCS9_LOCAL_KEY_ID, 1008 "PKCS #9 Local Key ID", 1009 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 1010 OD( pkcs12KeyUsageAttr, SEC_OID_PKCS12_KEY_USAGE, 1011 "PKCS 12 Key Usage", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 1012 OD( dhPublicKey, SEC_OID_X942_DIFFIE_HELMAN_KEY, 1013 "Diffie-Helman Public Key", CSSM_ALGID_DH, 1014 INVALID_CERT_EXTENSION ), 1015 OD( netscapeNickname, SEC_OID_NETSCAPE_NICKNAME, 1016 "Netscape Nickname", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 1017 1018 /* Cert Server specific OIDs */ 1019 OD( netscapeRecoveryRequest, SEC_OID_NETSCAPE_RECOVERY_REQUEST, 1020 "Recovery Request OID", 1021 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 1022 1023 OD( nsExtAIACertRenewal, SEC_OID_CERT_RENEWAL_LOCATOR, 1024 "Certificate Renewal Locator OID", CSSM_ALGID_NONE, 1025 INVALID_CERT_EXTENSION ), 1026 1027 OD( nsExtCertScopeOfUse, SEC_OID_NS_CERT_EXT_SCOPE_OF_USE, 1028 "Certificate Scope-of-Use Extension", CSSM_ALGID_NONE, 1029 SUPPORTED_CERT_EXTENSION ), 1030 1031 /* CMS stuff */ 1032 OD( cmsESDH, SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN, 1033 "Ephemeral-Static Diffie-Hellman", CSSM_ALGID_NONE /* XXX */, 1034 INVALID_CERT_EXTENSION ), 1035 OD( cms3DESwrap, SEC_OID_CMS_3DES_KEY_WRAP, 1036 "CMS 3DES Key Wrap", CSSM_ALGID_NONE /* XXX */, 1037 INVALID_CERT_EXTENSION ), 1038 OD( cmsRC2wrap, SEC_OID_CMS_RC2_KEY_WRAP, 1039 "CMS RC2 Key Wrap", CSSM_ALGID_NONE /* XXX */, 1040 INVALID_CERT_EXTENSION ), 1041 OD( smimeEncryptionKeyPreference, SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE, 1042 "S/MIME Encryption Key Preference", 1043 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 1044 1045 /* AES algorithm OIDs */ 1046 OD( aes128_ECB, SEC_OID_AES_128_ECB, 1047 "AES-128-ECB", CSSM_ALGID_AES, INVALID_CERT_EXTENSION ), 1048 OD( aes128_CBC, SEC_OID_AES_128_CBC, 1049 "AES-128-CBC", CSSM_ALGID_AES, INVALID_CERT_EXTENSION ), 1050 OD( aes192_ECB, SEC_OID_AES_192_ECB, 1051 "AES-192-ECB", CSSM_ALGID_AES, INVALID_CERT_EXTENSION ), 1052 OD( aes192_CBC, SEC_OID_AES_192_CBC, 1053 "AES-192-CBC", CSSM_ALGID_AES, INVALID_CERT_EXTENSION ), 1054 OD( aes256_ECB, SEC_OID_AES_256_ECB, 1055 "AES-256-ECB", CSSM_ALGID_AES, INVALID_CERT_EXTENSION ), 1056 OD( aes256_CBC, SEC_OID_AES_256_CBC, 1057 "AES-256-CBC", CSSM_ALGID_AES, INVALID_CERT_EXTENSION ), 1058 1059 /* More bogus DSA OIDs */ 1060 OD( sdn702DSASignature, SEC_OID_SDN702_DSA_SIGNATURE, 1061 "SDN.702 DSA Signature", CSSM_ALGID_SHA1WithDSA, INVALID_CERT_EXTENSION ), 1062 1063 OD( ms_smimeEncryptionKeyPreference, 1064 SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE, 1065 "Microsoft S/MIME Encryption Key Preference", 1066 CSSM_ALGID_NONE, INVALID_CERT_EXTENSION ), 1067 1068 OD( sha256, SEC_OID_SHA256, "SHA-256", CSSM_ALGID_SHA256, INVALID_CERT_EXTENSION), 1069 OD( sha384, SEC_OID_SHA384, "SHA-384", CSSM_ALGID_SHA384, INVALID_CERT_EXTENSION), 1070 OD( sha512, SEC_OID_SHA512, "SHA-512", CSSM_ALGID_SHA512, INVALID_CERT_EXTENSION), 1071 1072 OD( pkcs1SHA256WithRSAEncryption, SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION, 1073 "PKCS #1 SHA-256 With RSA Encryption", CSSM_ALGID_SHA256WithRSA, 1074 INVALID_CERT_EXTENSION ), 1075 OD( pkcs1SHA384WithRSAEncryption, SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION, 1076 "PKCS #1 SHA-384 With RSA Encryption", CSSM_ALGID_SHA384WithRSA, 1077 INVALID_CERT_EXTENSION ), 1078 OD( pkcs1SHA512WithRSAEncryption, SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION, 1079 "PKCS #1 SHA-512 With RSA Encryption", CSSM_ALGID_SHA512WithRSA, 1080 INVALID_CERT_EXTENSION ), 1081 1082 OD( aes128_KEY_WRAP, SEC_OID_AES_128_KEY_WRAP, 1083 "AES-128 Key Wrap", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION), 1084 OD( aes192_KEY_WRAP, SEC_OID_AES_192_KEY_WRAP, 1085 "AES-192 Key Wrap", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION), 1086 OD( aes256_KEY_WRAP, SEC_OID_AES_256_KEY_WRAP, 1087 "AES-256 Key Wrap", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION), 1088 1089 /* caller-specified OID for eContentType */ 1090 OD( noOid, SEC_OID_OTHER, 1091 "Caller-specified eContentType", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION), 1092 1093 OD( ecPublicKey, SEC_OID_EC_PUBLIC_KEY, 1094 "ECDSA Public Key", CSSM_ALGID_ECDSA, 1095 INVALID_CERT_EXTENSION ), 1096 OD( ecdsaWithSHA1, SEC_OID_ECDSA_WithSHA1, 1097 "SHA-1 With ECDSA", CSSM_ALGID_SHA1WithECDSA, 1098 INVALID_CERT_EXTENSION ), 1099 OD( dhSinglePassStdDHsha1kdf, SEC_OID_DH_SINGLE_STD_SHA1KDF, 1100 "ECDH With SHA1 KDF", CSSM_ALGID_ECDH_X963_KDF, 1101 INVALID_CERT_EXTENSION ), 1102 OD( secp256r1, SEC_OID_SECP_256_R1, 1103 "secp256r1", CSSM_ALGID_NONE, 1104 INVALID_CERT_EXTENSION ), 1105 OD( secp384r1, SEC_OID_SECP_384_R1, 1106 "secp384r1", CSSM_ALGID_NONE, 1107 INVALID_CERT_EXTENSION ), 1108 OD( secp521r1, SEC_OID_SECP_521_R1, 1109 "secp521r1", CSSM_ALGID_NONE, 1110 INVALID_CERT_EXTENSION ), 1111 1112 OD( smimeTimeStampTokenInfo, SEC_OID_PKCS9_ID_CT_TSTInfo, 1113 "id-ct-TSTInfo", CSSM_ALGID_NONE, 1114 INVALID_CERT_EXTENSION ), 1115 1116 OD( smimeTimeStampToken, SEC_OID_PKCS9_TIMESTAMP_TOKEN, 1117 "id-aa-timeStampToken", CSSM_ALGID_NONE, 1118 INVALID_CERT_EXTENSION ), 1119 1120 OD( smimeSigningCertificate, SEC_OID_PKCS9_SIGNING_CERTIFICATE, 1121 "id-aa-signing-certificate", CSSM_ALGID_NONE, 1122 INVALID_CERT_EXTENSION ), 1123 1124}; 1125 1126/* 1127 * now the dynamic table. The dynamic table gets build at init time. 1128 * and gets modified if the user loads new crypto modules. 1129 */ 1130 1131static PLHashTable *oid_d_hash = 0; 1132static SECOidData **secoidDynamicTable = NULL; 1133static int secoidDynamicTableSize = 0; 1134static int secoidLastDynamicEntry = 0; 1135static int secoidLastHashEntry = 0; 1136 1137/* 1138 * A mutex to protect creation and writing of all three hash tables in 1139 * this module, and reading of the dynamic table. 1140 */ 1141static pthread_mutex_t oid_hash_mutex = PTHREAD_MUTEX_INITIALIZER; 1142 1143/* caller holds oid_hash_mutex */ 1144static SECStatus 1145secoid_DynamicRehash(void) 1146{ 1147 SECOidData *oid; 1148 PLHashEntry *entry; 1149 int i; 1150 int last = secoidLastDynamicEntry; 1151 1152 if (!oid_d_hash) { 1153 oid_d_hash = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare, 1154 PL_CompareValues, NULL, NULL); 1155 } 1156 1157 1158 if ( !oid_d_hash ) { 1159 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1160 return(SECFailure); 1161 } 1162 1163 for ( i = secoidLastHashEntry; i < last; i++ ) { 1164 oid = secoidDynamicTable[i]; 1165 1166 entry = PL_HashTableAdd( oid_d_hash, &oid->oid, oid ); 1167 if ( entry == NULL ) { 1168 return(SECFailure); 1169 } 1170 } 1171 secoidLastHashEntry = last; 1172 return(SECSuccess); 1173} 1174 1175 1176 1177/* 1178 * Lookup a Dynamic OID. Dynamic OID's still change slowly, so it's 1179 * cheaper to rehash the table when it changes than it is to do the loop 1180 * each time. 1181 */ 1182static SECOidData * 1183secoid_FindDynamic(const SECItem *key) { 1184 SECOidData *ret = NULL; 1185 1186 pthread_mutex_lock(&oid_hash_mutex); 1187 /* subsequent errors to loser: */ 1188 if (secoidDynamicTable == NULL) { 1189 /* PORT_SetError! */ 1190 goto loser; 1191 } 1192 if (secoidLastHashEntry != secoidLastDynamicEntry) { 1193 SECStatus rv = secoid_DynamicRehash(); 1194 if ( rv != SECSuccess ) { 1195 goto loser; 1196 } 1197 } 1198 ret = (SECOidData *)PL_HashTableLookup (oid_d_hash, key); 1199loser: 1200 pthread_mutex_unlock(&oid_hash_mutex); 1201 return ret; 1202 1203} 1204 1205static SECOidData * 1206secoid_FindDynamicByTag(SECOidTag tagnum) 1207{ 1208 int tagNumDiff; 1209 SECOidData *rtn = NULL; 1210 1211 if (tagnum < SEC_OID_TOTAL) { 1212 return NULL; 1213 } 1214 1215 pthread_mutex_lock(&oid_hash_mutex); 1216 /* subsequent errors to loser: */ 1217 1218 if (secoidDynamicTable == NULL) { 1219 goto loser; 1220 } 1221 1222 tagNumDiff = tagnum - SEC_OID_TOTAL; 1223 if (tagNumDiff >= secoidLastDynamicEntry) { 1224 goto loser; 1225 } 1226 1227 rtn = secoidDynamicTable[tagNumDiff]; 1228loser: 1229 pthread_mutex_unlock(&oid_hash_mutex); 1230 return rtn; 1231} 1232 1233#if 0 1234SECStatus 1235SECOID_AddEntry(SECItem *oid, char *description, CSSM_ALGORITHMS cssmAlgorithm) { 1236 SECOidData *oiddp; 1237 int last; 1238 int tableSize; 1239 int next; 1240 SECOidData **newTable; 1241 SECOidData **oldTable = NULL; 1242 SECStatus srtn = SECFailure; 1243 1244 if (oid == NULL) { 1245 return SECFailure; 1246 } 1247 1248 pthread_mutex_lock(&oid_hash_mutex); 1249 /* subsequent errors to loser: */ 1250 1251 oiddp = (SECOidData *)PORT_Alloc(sizeof(SECOidData)); 1252 last = secoidLastDynamicEntry; 1253 tableSize = secoidDynamicTableSize; 1254 next = last++; 1255 newTable = secoidDynamicTable; 1256 1257 /* fill in oid structure */ 1258 if (SECITEM_CopyItem(NULL,&oiddp->oid,oid) != SECSuccess) { 1259 PORT_Free(oiddp); 1260 goto loser; 1261 } 1262 oiddp->offset = (SECOidTag)(next + SEC_OID_TOTAL); 1263 /* may we should just reference the copy passed to us? */ 1264 oiddp->desc = PORT_Strdup(description); 1265 oiddp->cssmAlgorithm = cssmAlgorithm; 1266 1267 1268 if (last > tableSize) { 1269 int oldTableSize = tableSize; 1270 tableSize += 10; 1271 oldTable = newTable; 1272 newTable = (SECOidData **)PORT_ZAlloc(sizeof(SECOidData *)*tableSize); 1273 if (newTable == NULL) { 1274 PORT_Free(oiddp->oid.Data); 1275 PORT_Free(oiddp); 1276 goto loser; 1277 } 1278 PORT_Memcpy(newTable,oldTable,sizeof(SECOidData *)*oldTableSize); 1279 PORT_Free(oldTable); 1280 } 1281 1282 newTable[next] = oiddp; 1283 secoidDynamicTable = newTable; 1284 secoidDynamicTableSize = tableSize; 1285 secoidLastDynamicEntry = last; 1286 srtn = SECSuccess; 1287loser: 1288 pthread_mutex_unlock(&oid_hash_mutex); 1289 return srtn; 1290} 1291#endif 1292 1293 1294/* normal static table processing */ 1295 1296/* creation and writes to these hash tables is protected by oid_hash_mutex */ 1297static PLHashTable *oidhash = NULL; 1298static PLHashTable *oidmechhash = NULL; 1299 1300static PLHashNumber 1301secoid_HashNumber(const void *key) 1302{ 1303 intptr_t keyint = (intptr_t)key; 1304 // XXX/gh revisit this 1305 keyint ^= (keyint >> 8); 1306 keyint ^= (keyint << 8); 1307 return (PLHashNumber) keyint; 1308} 1309 1310/* caller holds oid_hash_mutex */ 1311static SECStatus 1312InitOIDHash(void) 1313{ 1314 PLHashEntry *entry; 1315 const SECOidData *oid; 1316 int i; 1317 1318 oidhash = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare, 1319 PL_CompareValues, NULL, NULL); 1320 oidmechhash = PL_NewHashTable(0, secoid_HashNumber, PL_CompareValues, 1321 PL_CompareValues, NULL, NULL); 1322 1323 if ( !oidhash || !oidmechhash) { 1324 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1325 PORT_Assert(0); /*This function should never fail. */ 1326 return(SECFailure); 1327 } 1328 1329 for ( i = 0; i < ( sizeof(oids) / sizeof(SECOidData) ); i++ ) { 1330 oid = &oids[i]; 1331 1332 PORT_Assert ( oid->offset == i ); 1333 1334 entry = PL_HashTableAdd( oidhash, &oid->oid, (void *)oid ); 1335 if ( entry == NULL ) { 1336 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1337 PORT_Assert(0); /*This function should never fail. */ 1338 return(SECFailure); 1339 } 1340 1341 if ( oid->cssmAlgorithm != CSSM_ALGID_NONE ) { 1342 intptr_t algorithm = oid->cssmAlgorithm; 1343 entry = PL_HashTableAdd( oidmechhash, 1344 (void *)algorithm, (void *)oid ); 1345 if ( entry == NULL ) { 1346 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1347 PORT_Assert(0); /* This function should never fail. */ 1348 return(SECFailure); 1349 } 1350 } 1351 } 1352 1353 PORT_Assert (i == SEC_OID_TOTAL); 1354 1355 return(SECSuccess); 1356} 1357 1358SECOidData * 1359SECOID_FindOIDByCssmAlgorithm(CSSM_ALGORITHMS cssmAlgorithm) 1360{ 1361 SECOidData *ret; 1362 int rv; 1363 1364 pthread_mutex_lock(&oid_hash_mutex); 1365 if ( !oidhash ) { 1366 rv = InitOIDHash(); 1367 if ( rv != SECSuccess ) { 1368 pthread_mutex_unlock(&oid_hash_mutex); 1369 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1370 return NULL; 1371 } 1372 } 1373 pthread_mutex_unlock(&oid_hash_mutex); 1374 intptr_t algorithm = cssmAlgorithm; 1375 ret = PL_HashTableLookupConst ( oidmechhash, (void *)algorithm); 1376 if ( ret == NULL ) { 1377 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1378 } 1379 1380 return (ret); 1381} 1382 1383SECOidData * 1384SECOID_FindOID(const SECItem *oid) 1385{ 1386 SECOidData *ret; 1387 int rv; 1388 1389 pthread_mutex_lock(&oid_hash_mutex); 1390 if ( !oidhash ) { 1391 rv = InitOIDHash(); 1392 if ( rv != SECSuccess ) { 1393 pthread_mutex_unlock(&oid_hash_mutex); 1394 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1395 return NULL; 1396 } 1397 } 1398 pthread_mutex_unlock(&oid_hash_mutex); 1399 1400 ret = PL_HashTableLookupConst ( oidhash, oid ); 1401 if ( ret == NULL ) { 1402 ret = secoid_FindDynamic(oid); 1403 if (ret == NULL) { 1404 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1405 } 1406 } 1407 1408 return(ret); 1409} 1410 1411SECOidTag 1412SECOID_FindOIDTag(const SECItem *oid) 1413{ 1414 SECOidData *oiddata; 1415 1416 oiddata = SECOID_FindOID (oid); 1417 if (oiddata == NULL) 1418 return SEC_OID_UNKNOWN; 1419 1420 return oiddata->offset; 1421} 1422 1423/* This really should return const. */ 1424SECOidData * 1425SECOID_FindOIDByTag(SECOidTag tagnum) 1426{ 1427 1428 if (tagnum >= SEC_OID_TOTAL) { 1429 return secoid_FindDynamicByTag(tagnum); 1430 } 1431 1432 PORT_Assert((unsigned int)tagnum < (sizeof(oids) / sizeof(SECOidData))); 1433 return (SECOidData *)(&oids[tagnum]); 1434} 1435 1436Boolean SECOID_KnownCertExtenOID (const SECItem *extenOid) 1437{ 1438 SECOidData * oidData; 1439 1440 oidData = SECOID_FindOID (extenOid); 1441 if (oidData == (SECOidData *)NULL) 1442 return (PR_FALSE); 1443 return ((oidData->supportedExtension == SUPPORTED_CERT_EXTENSION) ? 1444 PR_TRUE : PR_FALSE); 1445} 1446 1447 1448const char * 1449SECOID_FindOIDTagDescription(SECOidTag tagnum) 1450{ 1451 const SECOidData *oidData = SECOID_FindOIDByTag(tagnum); 1452 return oidData ? oidData->desc : 0; 1453} 1454 1455/* 1456 * free up the oid tables. 1457 */ 1458SECStatus 1459SECOID_Shutdown(void) 1460{ 1461 int i; 1462 1463 pthread_mutex_lock(&oid_hash_mutex); 1464 if (oidhash) { 1465 PL_HashTableDestroy(oidhash); 1466 oidhash = NULL; 1467 } 1468 if (oidmechhash) { 1469 PL_HashTableDestroy(oidmechhash); 1470 oidmechhash = NULL; 1471 } 1472 if (oid_d_hash) { 1473 PL_HashTableDestroy(oid_d_hash); 1474 oid_d_hash = NULL; 1475 } 1476 if (secoidDynamicTable) { 1477 for (i=0; i < secoidLastDynamicEntry; i++) { 1478 PORT_Free(secoidDynamicTable[i]); 1479 } 1480 PORT_Free(secoidDynamicTable); 1481 secoidDynamicTable = NULL; 1482 secoidDynamicTableSize = 0; 1483 secoidLastDynamicEntry = 0; 1484 secoidLastHashEntry = 0; 1485 } 1486 pthread_mutex_unlock(&oid_hash_mutex); 1487 return SECSuccess; 1488} 1489 1490#pragma clang diagnostic pop 1491