1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23 * Use is subject to license terms.
24 */
25#ifndef _KMFAPIP_H
26#define	_KMFAPIP_H
27
28#pragma ident	"%Z%%M%	%I%	%E% SMI"
29
30#include <kmfapi.h>
31#include <kmfpolicy.h>
32
33#ifdef __cplusplus
34extern "C" {
35#endif
36
37/* Plugin function table */
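/*
 * Plugin function table.
 *
 * A keystore plugin returns one of these from the entry point named by
 * KMF_PLUGIN_INIT_SYMBOL (see KMF_Plugin_Initialize() below); the library
 * then reaches the keystore only through these pointers.  Every entry takes
 * the KMF_HANDLE_T first.  The recurring "int, KMF_ATTRIBUTE *" pair matches
 * the tail of test_attributes() below and so looks like an attribute count
 * followed by the attribute array -- confirm against the plugin sources.
 *
 * NOTE(review): nothing in this header forbids a NULL entry; the dispatch
 * code should test each pointer before calling through it.
 */
typedef struct {
	/* Layout version of this table; presumably checked on load -- confirm. */
	ushort_t	version;
	KMF_RETURN	(*ConfigureKeystore) (
			KMF_HANDLE_T,
			int,
			KMF_ATTRIBUTE *);

	KMF_RETURN	(*FindCert) (
			KMF_HANDLE_T,
			int,
			KMF_ATTRIBUTE *);

	/* Releases a certificate handed out by FindCert (by the names; confirm). */
	void		(*FreeKMFCert) (
			KMF_HANDLE_T,
			KMF_X509_DER_CERT *);

	KMF_RETURN	(*StoreCert) (
			KMF_HANDLE_T,
			int, KMF_ATTRIBUTE *);

	KMF_RETURN	(*ImportCert) (
			KMF_HANDLE_T,
			int, KMF_ATTRIBUTE *);

	KMF_RETURN	(*ImportCRL) (
			KMF_HANDLE_T,
			int, KMF_ATTRIBUTE *);

	KMF_RETURN	(*DeleteCert) (
			KMF_HANDLE_T,
			int, KMF_ATTRIBUTE *);

	KMF_RETURN	(*DeleteCRL) (
			KMF_HANDLE_T,
			int, KMF_ATTRIBUTE *);

	KMF_RETURN	(*CreateKeypair) (
			KMF_HANDLE_T,
			int,
			KMF_ATTRIBUTE *);

	KMF_RETURN	(*FindKey) (
			KMF_HANDLE_T,
			int,
			KMF_ATTRIBUTE *);

	/* Writes the public key's encoding into the KMF_DATA out-parameter. */
	KMF_RETURN	(*EncodePubkeyData) (
			KMF_HANDLE_T,
			KMF_KEY_HANDLE *,
			KMF_DATA *);

	/*
	 * Signs with the given key.  The KMF_OID presumably selects the
	 * signature algorithm; which KMF_DATA is the input and which
	 * receives the signature is not visible here -- confirm.
	 */
	KMF_RETURN	(*SignData) (
			KMF_HANDLE_T,
			KMF_KEY_HANDLE *,
			KMF_OID *,
			KMF_DATA *,
			KMF_DATA *);

	KMF_RETURN	(*DeleteKey) (
			KMF_HANDLE_T,
			int,
			KMF_ATTRIBUTE *);

	KMF_RETURN	(*ListCRL) (
			KMF_HANDLE_T,
			int, KMF_ATTRIBUTE *);

	KMF_RETURN	(*FindCRL) (
			KMF_HANDLE_T,
			int, KMF_ATTRIBUTE *);

	KMF_RETURN	(*FindCertInCRL) (
			KMF_HANDLE_T,
			int, KMF_ATTRIBUTE *);

	/*
	 * Hands back a message for the plugin's last error through the
	 * char ** out-parameter.  Who owns/frees that string is not
	 * visible in this header.
	 */
	KMF_RETURN	(*GetErrorString) (
			KMF_HANDLE_T,
			char **);

	KMF_RETURN	(*FindPrikeyByCert) (
			KMF_HANDLE_T,
			int,
			KMF_ATTRIBUTE *);

	/* Same argument shape as SignData; see the note there. */
	KMF_RETURN	(*DecryptData) (
			KMF_HANDLE_T,
			KMF_KEY_HANDLE *,
			KMF_OID *,
			KMF_DATA *,
			KMF_DATA *);

	KMF_RETURN	(*ExportPK12)(
			KMF_HANDLE_T,
			int,
			KMF_ATTRIBUTE *);

	KMF_RETURN	(*CreateSymKey) (
			KMF_HANDLE_T,
			int,
			KMF_ATTRIBUTE *);

	/*
	 * Exposes raw symmetric key material to the caller; whatever
	 * receives the KMF_RAW_SYM_KEY should zeroize it when done.
	 */
	KMF_RETURN	(*GetSymKeyValue) (
			KMF_HANDLE_T,
			KMF_KEY_HANDLE *,
			KMF_RAW_SYM_KEY *);

	KMF_RETURN	(*SetTokenPin) (
			KMF_HANDLE_T,
			int, KMF_ATTRIBUTE *);

	/*
	 * Three KMF_DATA arguments: presumably the data, the signature and
	 * the certificate, in an order this header does not fix -- confirm.
	 */
	KMF_RETURN	(*VerifyDataWithCert) (
			KMF_HANDLE_T,
			KMF_ALGORITHM_INDEX,
			KMF_DATA *,
			KMF_DATA *,
			KMF_DATA *);

	KMF_RETURN	(*StoreKey) (
			KMF_HANDLE_T,
			int,
			KMF_ATTRIBUTE *);

	/*
	 * Presumably invoked when the plugin is torn down -- confirm.
	 * Declared (void) rather than the old-style "()" so a call that
	 * passes arguments by mistake is rejected by the compiler; the
	 * two types are compatible, so existing assignments still work.
	 */
	void		(*Finalize) (void);

} KMF_PLUGIN_FUNCLIST;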
163
/*
 * Describes one attribute a KMF call accepts: its type, whether a NULL
 * pValue is acceptable, and the length range its value must fall in.
 * Arrays of these (with a count) are what test_attributes() below takes,
 * presumably to validate a caller's KMF_ATTRIBUTE list -- confirm.
 */
typedef struct {
	KMF_ATTR_TYPE	type;
	boolean_t	null_value_ok; /* Is the pValue required */
	uint32_t	minlen;		/* smallest acceptable value length */
	uint32_t	maxlen;		/* largest acceptable value length */
} KMF_ATTRIBUTE_TESTER;
170
/*
 * One loaded keystore plugin.
 *
 * NOTE(review): "path" names an object that gets loaded as code into the
 * calling process (dldesc looks like the dlopen(3C) descriptor -- confirm).
 * If it can come from the kmf.conf modulepath= entry (see conf_entry_t
 * below), trust in it rests entirely on that file's ownership and mode.
 */
typedef struct {
	KMF_KEYSTORE_TYPE	type;
	char			*applications;	/* meaning not visible in this header */
	char 			*path;		/* plugin object path */
	void 			*dldesc;	/* presumably the dlopen(3C) handle -- confirm */
	KMF_PLUGIN_FUNCLIST	*funclist;	/* table the plugin returned at init */
} KMF_PLUGIN;
178
/* Singly linked list of loaded plugins, hung off KMF_HANDLE.plugins. */
typedef struct _KMF_PLUGIN_LIST {
	KMF_PLUGIN		*plugin;	/* ownership not visible here */
	struct _KMF_PLUGIN_LIST *next;		/* NULL terminates the list */
} KMF_PLUGIN_LIST;
183
/*
 * Per-library-handle state.  KMF_HANDLE_T (from kmfapi.h) presumably
 * points at one of these -- confirm.
 */
typedef struct _kmf_handle {
	/*
	 * session handle opened by kmf_select_token() to talk
	 * to a specific slot in Crypto framework. It is used
	 * by pkcs11 plugin module.
	 */
	CK_SESSION_HANDLE	pk11handle;
	KMF_ERROR		lasterr;	/* last failure; CLEAR_ERROR() zeroes errcode/kstype */
	KMF_POLICY_RECORD	*policy;	/* active policy (kmfpolicy.h); ownership not visible here */
	KMF_PLUGIN_LIST		*plugins;	/* loaded plugins; presumably what FindPlugin() walks */
} KMF_HANDLE;
195
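/*
 * Reset the per-handle error state and set rv to KMF_OK, or set rv to
 * KMF_ERR_BAD_PARAMETER when h is NULL (h is not touched in that case).
 *
 * Wrapped in do { } while (0) so it behaves as one statement: the bare
 * "{ ... }" form followed by the caller's ';' left an empty statement
 * behind, which breaks an unbraced if/else around the invocation.
 * Arguments are parenthesized so expressions can be passed for h and rv.
 */
#define	CLEAR_ERROR(h, rv) do { \
	if ((h) == NULL) { \
		(rv) = KMF_ERR_BAD_PARAMETER; \
	} else { \
		(h)->lasterr.errcode = 0; \
		(h)->lasterr.kstype = 0; \
		(rv) = KMF_OK; \
	} \
} while (0)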
205
/* Symbol looked up in each plugin object; see KMF_Plugin_Initialize() below. */
#define	KMF_PLUGIN_INIT_SYMBOL	"KMF_Plugin_Initialize"

/*
 * Directory plugin objects are loaded from, chosen by target architecture.
 * Whatever lives here presumably gets dlopen(3C)'d into the caller, so the
 * directory must stay root-owned and not writable by others.
 *
 * NOTE(review): there is no #else branch -- on an architecture matching
 * none of these tests KMF_PLUGIN_PATH stays undefined and the first use
 * of it fails to compile rather than here.
 */
#ifndef KMF_PLUGIN_PATH
#if defined(__sparcv9)
#define	KMF_PLUGIN_PATH "/usr/lib/security/sparcv9/"
#elif defined(__sparc)
#define	KMF_PLUGIN_PATH "/usr/lib/security/"
#elif defined(__i386)
#define	KMF_PLUGIN_PATH "/usr/lib/security/"
#elif defined(__amd64)
#define	KMF_PLUGIN_PATH "/usr/lib/security/amd64/"
#endif
#endif /* !KMF_PLUGIN_PATH */
219
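/*
 * Entry point every plugin exports under KMF_PLUGIN_INIT_SYMBOL; returns
 * the plugin's function table.  Declared (void) rather than the old-style
 * "()" so the compiler checks calls against the real (empty) argument
 * list; the two declarations are compatible.
 */
KMF_PLUGIN_FUNCLIST *KMF_Plugin_Initialize(void);

/*
 * NOTE(review): argument order here (a KMF_DATA before the algorithm
 * index) differs from PKCS_VerifyData() below; keep them straight at
 * call sites.
 */
extern KMF_RETURN
VerifyDataWithKey(KMF_HANDLE_T, KMF_DATA *, KMF_ALGORITHM_INDEX,
    KMF_DATA *, KMF_DATA *);

/* Maps a KMF algorithm index to a PKCS#11 key type (out-parameter). */
extern KMF_BOOL pkcs_algid_to_keytype(
    KMF_ALGORITHM_INDEX, CK_KEY_TYPE *);

extern KMF_RETURN PKCS_VerifyData(
    KMF_HANDLE *,
    KMF_ALGORITHM_INDEX,
    KMF_X509_SPKI *,
    KMF_DATA *, KMF_DATA *);

extern KMF_RETURN PKCS_EncryptData(
    KMF_HANDLE *,
    KMF_ALGORITHM_INDEX,
    KMF_X509_SPKI *,
    KMF_DATA *,
    KMF_DATA *);

/* Looks a loaded plugin up by keystore type; NULL handling is for the caller. */
extern KMF_PLUGIN *FindPlugin(KMF_HANDLE_T, KMF_KEYSTORE_TYPE);

extern KMF_BOOL IsEqualOid(KMF_OID *, KMF_OID *);

extern KMF_RETURN copy_algoid(KMF_X509_ALGORITHM_IDENTIFIER *destid,
    KMF_X509_ALGORITHM_IDENTIFIER *srcid);

extern KMF_OID *x509_algid_to_algoid(KMF_ALGORITHM_INDEX);
extern KMF_ALGORITHM_INDEX x509_algoid_to_algid(KMF_OID *);

/* Returns a PKCS#11 object handle for the SPKI; the KMF_BOOL out-parameter's meaning is not visible here. */
extern KMF_RETURN PKCS_AcquirePublicKeyHandle(CK_SESSION_HANDLE ckSession,
    const KMF_X509_SPKI *, CK_KEY_TYPE, CK_OBJECT_HANDLE *,
    KMF_BOOL *);

extern KMF_RETURN GetIDFromSPKI(KMF_X509_SPKI *, KMF_DATA *);
/* Opens KMF_HANDLE.pk11handle for a token (see the comment on that field). */
extern KMF_RETURN kmf_select_token(KMF_HANDLE_T, char *, int);
extern KMF_RETURN kmf_set_altname(KMF_X509_EXTENSIONS *,
    KMF_OID *, int, KMF_GENERALNAMECHOICES, char *);
/*
 * Takes a (buffer, length) pair and returns a (pointer, length) pair;
 * presumably walks DER from certificate data, so the input length must
 * bound every read -- confirm in the implementation.
 */
extern KMF_RETURN GetSequenceContents(char *, size_t, char **, size_t *);
extern KMF_X509_EXTENSION *FindExtn(KMF_X509_EXTENSIONS *, KMF_OID *);
extern KMF_RETURN add_an_extension(KMF_X509_EXTENSIONS *exts,
    KMF_X509_EXTENSION *newextn);
extern KMF_RETURN set_integer(KMF_DATA *, void *, int);
extern void free_keyidlist(KMF_OID *, int);
extern KMF_RETURN copy_data(KMF_DATA *, KMF_DATA *);
extern void Cleanup_PK11_Session(KMF_HANDLE_T handle);
extern void free_dp_name(KMF_CRL_DIST_POINT *);
extern void free_dp(KMF_CRL_DIST_POINT *);
extern KMF_RETURN set_key_usage_extension(KMF_X509_EXTENSIONS *,
    int, uint32_t);
/* No arguments; (void) instead of "()" for the same reason as KMF_Plugin_Initialize(). */
extern KMF_RETURN init_pk11(void);
/*
 * Argument shape is (count, KMF_ATTRIBUTE_TESTER *, count,
 * KMF_ATTRIBUTE_TESTER *, count, KMF_ATTRIBUTE *); which tester array is
 * which (e.g. required vs. optional) is not visible here -- confirm.
 */
extern KMF_RETURN test_attributes(int, KMF_ATTRIBUTE_TESTER *,
    int, KMF_ATTRIBUTE_TESTER *, int, KMF_ATTRIBUTE *);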
275
/*
 * Indexes into the key parts array for RSA keys.  The first two slots
 * (modulus, public exponent) are the public half; all eight make up a
 * private key -- see the part counts below.
 */
#define	KMF_RSA_MODULUS			(0)
#define	KMF_RSA_PUBLIC_EXPONENT		(1)
#define	KMF_RSA_PRIVATE_EXPONENT	(2)
#define	KMF_RSA_PRIME1			(3)
#define	KMF_RSA_PRIME2			(4)
#define	KMF_RSA_EXPONENT1		(5)
#define	KMF_RSA_EXPONENT2		(6)
#define	KMF_RSA_COEFFICIENT		(7)

/* Key part counts for RSA keys */
#define	KMF_NUMBER_RSA_PUBLIC_KEY_PARTS		(2)
#define	KMF_NUMBER_RSA_PRIVATE_KEY_PARTS	(8)

/* Key part counts for DSA keys */
#define	KMF_NUMBER_DSA_PUBLIC_KEY_PARTS		(4)
#define	KMF_NUMBER_DSA_PRIVATE_KEY_PARTS	(4)

/*
 * Indexes into the key parts array for DSA keys.  Only a public value has
 * a slot here; where the private value is kept is not visible in this
 * header.
 */
#define	KMF_DSA_PRIME		(0)
#define	KMF_DSA_SUB_PRIME	(1)
#define	KMF_DSA_BASE		(2)
#define	KMF_DSA_PUBLIC_VALUE	(3)

/*
 * Compile-time max.  Evaluates both arguments twice, so only pass
 * constants (every use below does).  Guarded: an earlier definition of
 * max() wins, so the values below depend on it agreeing with this one.
 */
#ifndef max
#define	max(a, b) ((a) < (b) ? (b) : (a))
#endif

/*
 * Maximum key parts for all algorithms.  With the counts above these
 * come to 4 (public, DSA), 8 (private, RSA) and 8 overall.
 */
#define	KMF_MAX_PUBLIC_KEY_PARTS \
	(max(KMF_NUMBER_RSA_PUBLIC_KEY_PARTS, \
	KMF_NUMBER_DSA_PUBLIC_KEY_PARTS))

#define	KMF_MAX_PRIVATE_KEY_PARTS \
	(max(KMF_NUMBER_RSA_PRIVATE_KEY_PARTS, \
	KMF_NUMBER_DSA_PRIVATE_KEY_PARTS))

#define	KMF_MAX_KEY_PARTS \
	(max(KMF_MAX_PUBLIC_KEY_PARTS, KMF_MAX_PRIVATE_KEY_PARTS))
315
/*
 * Signature mode selector.  Values are sequential from 0; where each mode
 * is consumed is not visible in this header.
 */
typedef enum {
	KMF_ALGMODE_NONE	= 0,
	KMF_ALGMODE_CUSTOM,
	KMF_ALGMODE_PUBLIC_KEY,
	KMF_ALGMODE_PRIVATE_KEY,
	KMF_ALGMODE_PKCS1_EMSA_V15	/* name suggests PKCS#1 v1.5 EMSA encoding */
} KMF_SIGNATURE_MODE;
323
#define	KMF_CERT_PRINTABLE_LEN	1024	/* buffer length for printable certificate text; uses not visible here */
#define	SHA1_HASH_LENGTH 20		/* SHA-1 digest size in bytes */

/*
 * Look like mkstemp(3C) templates for OCSP request/response spool files
 * in /tmp.  The XXXXXX suffix is only filled in safely by mkstemp(); any
 * other way of picking the name leaves a race on a world-writable
 * directory -- confirm the users call mkstemp().
 */
#define	OCSPREQ_TEMPNAME	"/tmp/ocsp.reqXXXXXX"
#define	OCSPRESP_TEMPNAME	"/tmp/ocsp.respXXXXXX"

/*
 * Configuration file and the "key=" prefixes parsed from its entries
 * (see conf_entry_t below).  Values from here select which plugin object
 * gets loaded, so the file's permissions matter.
 */
#define	_PATH_KMF_CONF	"/etc/crypto/kmf.conf"
#define	CONF_MODULEPATH	"modulepath="
#define	CONF_OPTION	"option="
333
/*
 * One parsed kmf.conf entry.  Field ownership (who frees the strings) is
 * not visible here; free_entry()/dup_entry() below handle whole entries.
 */
typedef struct {
	char			*keystore;	/* keystore name as written in the file */
	char			*modulepath;	/* value after CONF_MODULEPATH; names a plugin object to load */
	char 			*option;	/* value after CONF_OPTION */
	KMF_KEYSTORE_TYPE	kstype;
} conf_entry_t;
340
/* Singly linked list of kmf.conf entries, built by get_entrylist() below. */
typedef struct conf_entrylist {
	conf_entry_t		*entry;
	struct conf_entrylist 	*next;		/* NULL terminates the list */
} conf_entrylist_t;
345
346
/*
 * kmf.conf entry handling.  get_entrylist() fills in a list head; the
 * matching free routines presumably release what it and dup_entry()
 * allocate -- confirm ownership in the implementations.
 */
extern KMF_RETURN	get_entrylist(conf_entrylist_t **);
extern void		free_entrylist(conf_entrylist_t *);
extern void		free_entry(conf_entry_t *);
extern conf_entry_t	*dup_entry(conf_entry_t *);
extern boolean_t	is_valid_keystore_type(KMF_KEYSTORE_TYPE);

/* Extended-key-usage and extension helpers. */
extern KMF_BOOL		is_eku_present(KMF_X509EXT_EKU *, KMF_OID *);
extern KMF_RETURN	parse_eku_data(const KMF_DATA *, KMF_X509EXT_EKU *);
extern KMF_RETURN	copy_extension_data(KMF_X509_EXTENSION *,
    KMF_X509_EXTENSION *);
356
357#ifdef __cplusplus
358}
359#endif
360#endif /* _KMFAPIP_H */
361