kmftypes.h revision 5051:cbbb7c8b40a9
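/*
 * Copyright (c) 1995-2000 Intel Corporation. All rights reserved.
 */
/*
 * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#ifndef _KMFTYPES_H
#define	_KMFTYPES_H

#pragma ident "%Z%%M% %I% %E% SMI"

#include <sys/types.h>
#include <stdlib.h>
#include <strings.h>
#include <pthread.h>

#include <security/cryptoki.h>

#ifdef __cplusplus
extern "C" {
#endif

/*
 * kmftypes.h
 * Public data types, return codes, attribute identifiers and OID building
 * blocks shared by the Key Management Framework (KMF) and its keystore
 * plugins.  This header declares only types, constants and extern objects;
 * it defines no functions, so every "who owns this buffer" question is
 * answered by the API that fills the structure in, not here.
 */

/* Boolean carried inside KMF structures (distinct from boolean_t). */
typedef uint32_t KMF_BOOL;

#define	KMF_FALSE	(0)
#define	KMF_TRUE	(1)

/* KMF_HANDLE_T is a pointer to an incomplete C struct for type safety. */
typedef struct _kmf_handle *KMF_HANDLE_T;

/*
 * KMF_DATA
 * The KMF_DATA structure is used to associate a length, in bytes, with
 * an arbitrary block of contiguous memory.  Nothing in the structure
 * records who allocated Data or who must free it.
 */
typedef struct kmf_data
{
	size_t	Length;	/* in bytes */
	uchar_t	*Data;
} KMF_DATA;

/*
 * KMF_BIGINT
 * Multi-precision integer carried as len raw bytes at val.  The byte
 * order is not recorded here; NOTE(review): the DER decoders presumably
 * expect big-endian (ASN.1 INTEGER) order - confirm against the callers.
 */
typedef struct {
	uchar_t *val;
	size_t len;
} KMF_BIGINT;

/*
 * KMF_OID
 * The object identifier (OID) structure is used to hold a unique identifier for
 * the atomic data fields and the compound substructure that comprise the fields
 * of a certificate or CRL.  It is the DER-encoded OID value (no tag/length),
 * which is why it shares the KMF_DATA layout.
 */
typedef KMF_DATA KMF_OID;

/*
 * KMF_X509_PRIVATE
 * Bookkeeping attached by the KMF layer to a DER certificate: the keystore
 * it came from, the KMF_FLAG_* bits below, and the keystore label.
 */
typedef struct kmf_x509_private {
	int	keystore_type;
	int	flags;		/* see below */
	char	*label;
#define	KMF_FLAG_CERT_VALID	1	/* contains valid certificate */
#define	KMF_FLAG_CERT_SIGNED	2	/* this is a signed certificate */
} KMF_X509_PRIVATE;

/*
 * KMF_X509_DER_CERT
 * This structure associates packed DER certificate data.
 * Also, it contains the private information internal used
 * by KMF layer.
 */
typedef struct
{
	KMF_DATA		certificate;
	KMF_X509_PRIVATE	kmf_private;
} KMF_X509_DER_CERT;

/*
 * KMF_KEYSTORE_TYPE
 * Identifies the backing keystore plugin.  KMF_KEYSTORE_DEFAULT is a
 * request to pick one from configuration and is deliberately *not*
 * accepted by VALID_KEYSTORE_TYPE(), which only admits the three
 * concrete stores.
 */
typedef enum {
	KMF_KEYSTORE_NSS = 1,
	KMF_KEYSTORE_OPENSSL = 2,
	KMF_KEYSTORE_PK11TOKEN = 3,
	KMF_KEYSTORE_DEFAULT	/* based on configuration */
} KMF_KEYSTORE_TYPE;

/*
 * True when t names one of the concrete keystores (NSS, OPENSSL or
 * PK11TOKEN).  The argument is parenthesised so that an expression such as
 * a conditional or a comma expression is evaluated as a whole before the
 * comparisons; t is evaluated twice, so avoid side effects in it.
 */
#define	VALID_KEYSTORE_TYPE(t)	(((t) >= KMF_KEYSTORE_NSS) && \
	((t) <= KMF_KEYSTORE_PK11TOKEN))

/* Encoding of certificate and key material on disk or in memory. */
typedef enum {
	KMF_FORMAT_UNDEF = 0,
	KMF_FORMAT_ASN1 = 1,		/* DER */
	KMF_FORMAT_PEM = 2,
	KMF_FORMAT_PKCS12 = 3,
	KMF_FORMAT_RAWKEY = 4,		/* For FindKey operation */
	KMF_FORMAT_PEM_KEYPAIR = 5
} KMF_ENCODE_FORMAT;

/* "Native" format is whatever the keystore uses; spelled as UNDEF. */
#define	KMF_FORMAT_NATIVE	KMF_FORMAT_UNDEF

/* Selector for certificate searches: filter by validity period. */
typedef enum {
	KMF_ALL_CERTS = 0,
	KMF_NONEXPIRED_CERTS = 1,
	KMF_EXPIRED_CERTS = 2
} KMF_CERT_VALIDITY;


/* Selector for extension enumeration: all, critical only, non-critical. */
typedef enum {
	KMF_ALL_EXTNS = 0,
	KMF_CRITICAL_EXTNS = 1,
	KMF_NONCRITICAL_EXTNS = 2
} KMF_FLAG_CERT_EXTN;


/* Intended use of a key when checking keyUsage. */
typedef enum {
	KMF_KU_SIGN_CERT = 0,
	KMF_KU_SIGN_DATA = 1,
	KMF_KU_ENCRYPT_DATA = 2
} KMF_KU_PURPOSE;

/*
 * Algorithms
 * This type defines a set of constants used to identify cryptographic
 * algorithms.
 *
 * MD2, MD5 and SHA-1 are no longer considered collision resistant, so the
 * MD2WithRSA, MD5WithRSA, SHA1WithRSA and SHA1WithDSA entries identify
 * signature algorithms that should not be relied on for new signatures.
 * This header only names them; nothing here prevents their selection, so
 * that decision rests with the calling code.
 */
typedef enum {
	KMF_ALGID_NONE	= 0,
	KMF_ALGID_CUSTOM,
	KMF_ALGID_SHA1,
	KMF_ALGID_RSA,
	KMF_ALGID_DSA,
	KMF_ALGID_MD5WithRSA,
	KMF_ALGID_MD2WithRSA,
	KMF_ALGID_SHA1WithRSA,
	KMF_ALGID_SHA1WithDSA
} KMF_ALGORITHM_INDEX;


/*
 * Generic credential structure used by other structures below
 * to convey authentication information to the underlying
 * mechanisms.
 *
 * cred holds secret material (a PIN or passphrase); callers that own
 * the buffer should clear it once the operation completes.  credlen is a
 * uint32_t rather than the size_t used by KMF_DATA - compare with care.
 */
typedef struct {
	char		*cred;
	uint32_t	credlen;
} KMF_CREDENTIAL;

/* Key algorithm family.  Values are fixed because they are persisted. */
typedef enum {
	KMF_KEYALG_NONE = 0,
	KMF_RSA = 1,
	KMF_DSA = 2,
	KMF_AES = 3,
	KMF_RC4 = 4,
	KMF_DES = 5,
	KMF_DES3 = 6,
	KMF_GENERIC_SECRET = 7
} KMF_KEY_ALG;

/* Key class: which half of a keypair, or a symmetric key. */
typedef enum {
	KMF_KEYCLASS_NONE = 0,
	KMF_ASYM_PUB = 1,	/* public key of an asymmetric keypair */
	KMF_ASYM_PRI = 2,	/* private key of an asymmetric keypair */
	KMF_SYMMETRIC = 3	/* symmetric key */
} KMF_KEY_CLASS;


/* Kind of PKI object an operation applies to. */
typedef enum {
	KMF_CERT = 0,
	KMF_CSR = 1,
	KMF_CRL = 2
} KMF_OBJECT_TYPE;


/*
 * KMF_RAW_RSA_KEY
 * RSA key components in the PKCS#1 layout.  Everything after pubexp is
 * private-key material.
 */
typedef struct {
	KMF_BIGINT	mod;
	KMF_BIGINT	pubexp;
	KMF_BIGINT	priexp;
	KMF_BIGINT	prime1;
	KMF_BIGINT	prime2;
	KMF_BIGINT	exp1;
	KMF_BIGINT	exp2;
	KMF_BIGINT	coef;
} KMF_RAW_RSA_KEY;

/*
 * KMF_RAW_DSA_KEY
 * DSA domain parameters (prime, subprime, base), the private value and
 * the public value.
 */
typedef struct {
	KMF_BIGINT	prime;
	KMF_BIGINT	subprime;
	KMF_BIGINT	base;
	KMF_BIGINT	value;
	KMF_BIGINT	pubvalue;
} KMF_RAW_DSA_KEY;

/* KMF_RAW_SYM_KEY: the raw bytes of a symmetric key. */
typedef struct {
	KMF_BIGINT	keydata;
} KMF_RAW_SYM_KEY;

/*
 * KMF_RAW_KEY_DATA
 * Key material outside any keystore, tagged with its algorithm so the
 * right union member can be read.  sensitive / not_extractable mirror the
 * PKCS#11 attribute names; because the bytes live in caller memory here,
 * those flags can only be honoured by the code that frees this structure.
 */
typedef struct {
	KMF_KEY_ALG	keytype;
	boolean_t	sensitive;
	boolean_t	not_extractable;
	union {
		KMF_RAW_RSA_KEY	rsa;
		KMF_RAW_DSA_KEY	dsa;
		KMF_RAW_SYM_KEY	sym;
	} rawdata;
} KMF_RAW_KEY_DATA;


/*
 * KMF_KEY_HANDLE
 * Reference to a key held by a keystore.  keyp is opaque and belongs to
 * the keystore plugin named by kstype; israw says whether it points at a
 * KMF_RAW_KEY_DATA instead.
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	KMF_KEY_ALG		keyalg;
	KMF_KEY_CLASS		keyclass;
	boolean_t		israw;
	char			*keylabel;
	void			*keyp;
} KMF_KEY_HANDLE;

/* Keystore-specific error code, reported alongside a KMF_RETURN. */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	uint32_t		errcode;
} KMF_ERROR;

/*
 * Typenames to use with subjectAltName
 * The values follow the GeneralName CHOICE tags of X.509.
 */
typedef enum {
	GENNAME_OTHERNAME	= 0x00,
	GENNAME_RFC822NAME,
	GENNAME_DNSNAME,
	GENNAME_X400ADDRESS,
	GENNAME_DIRECTORYNAME,
	GENNAME_EDIPARTYNAME,
	GENNAME_URI,
	GENNAME_IPADDRESS,
	GENNAME_REGISTEREDID
} KMF_GENERALNAMECHOICES;

/*
 * KMF_FIELD
 * This structure contains the OID/value pair for any item that can be
 * identified by an OID.
 */
typedef struct
{
	KMF_OID		FieldOid;
	KMF_DATA	FieldValue;
} KMF_FIELD;

/*
 * KMF_RETURN
 * Status code returned by every KMF entry point.  KMF_OK is zero; the
 * numbering has gaps and must not be renumbered, since the values are
 * reported to callers and mapped to messages elsewhere.
 */
typedef enum {
	KMF_OK = 0x00,
	KMF_ERR_BAD_PARAMETER = 0x01,
	KMF_ERR_BAD_KEY_FORMAT = 0x02,
	KMF_ERR_BAD_ALGORITHM = 0x03,
	KMF_ERR_MEMORY = 0x04,
	KMF_ERR_ENCODING = 0x05,
	KMF_ERR_PLUGIN_INIT = 0x06,
	KMF_ERR_PLUGIN_NOTFOUND = 0x07,
	KMF_ERR_INTERNAL = 0x0b,
	KMF_ERR_BAD_CERT_FORMAT = 0x0c,
	KMF_ERR_KEYGEN_FAILED = 0x0d,
	KMF_ERR_UNINITIALIZED = 0x10,
	KMF_ERR_ISSUER = 0x11,
	KMF_ERR_NOT_REVOKED = 0x12,
	KMF_ERR_CERT_NOT_FOUND = 0x13,
	KMF_ERR_CRL_NOT_FOUND = 0x14,
	KMF_ERR_RDN_PARSER = 0x15,
	KMF_ERR_RDN_ATTR = 0x16,
	KMF_ERR_SLOTNAME = 0x17,
	KMF_ERR_EMPTY_CRL = 0x18,
	KMF_ERR_BUFFER_SIZE = 0x19,
	KMF_ERR_AUTH_FAILED = 0x1a,
	KMF_ERR_TOKEN_SELECTED = 0x1b,
	KMF_ERR_NO_TOKEN_SELECTED = 0x1c,
	KMF_ERR_TOKEN_NOT_PRESENT = 0x1d,
	KMF_ERR_EXTENSION_NOT_FOUND = 0x1e,
	KMF_ERR_POLICY_ENGINE = 0x1f,
	KMF_ERR_POLICY_DB_FORMAT = 0x20,
	KMF_ERR_POLICY_NOT_FOUND = 0x21,
	KMF_ERR_POLICY_DB_FILE = 0x22,
	KMF_ERR_POLICY_NAME = 0x23,
	KMF_ERR_OCSP_POLICY = 0x24,
	KMF_ERR_TA_POLICY = 0x25,
	KMF_ERR_KEY_NOT_FOUND = 0x26,
	KMF_ERR_OPEN_FILE = 0x27,
	KMF_ERR_OCSP_BAD_ISSUER = 0x28,
	KMF_ERR_OCSP_BAD_CERT = 0x29,
	KMF_ERR_OCSP_CREATE_REQUEST = 0x2a,
	KMF_ERR_CONNECT_SERVER = 0x2b,
	KMF_ERR_SEND_REQUEST = 0x2c,
	KMF_ERR_OCSP_CERTID = 0x2d,
	KMF_ERR_OCSP_MALFORMED_RESPONSE = 0x2e,
	KMF_ERR_OCSP_RESPONSE_STATUS = 0x2f,
	KMF_ERR_OCSP_NO_BASIC_RESPONSE = 0x30,
	KMF_ERR_OCSP_BAD_SIGNER = 0x31,
	KMF_ERR_OCSP_RESPONSE_SIGNATURE = 0x32,
	KMF_ERR_OCSP_UNKNOWN_CERT = 0x33,
	KMF_ERR_OCSP_STATUS_TIME_INVALID = 0x34,
	KMF_ERR_BAD_HTTP_RESPONSE = 0x35,
	KMF_ERR_RECV_RESPONSE = 0x36,
	KMF_ERR_RECV_TIMEOUT = 0x37,
	KMF_ERR_DUPLICATE_KEYFILE = 0x38,
	KMF_ERR_AMBIGUOUS_PATHNAME = 0x39,
	KMF_ERR_FUNCTION_NOT_FOUND = 0x3a,
	KMF_ERR_PKCS12_FORMAT = 0x3b,
	KMF_ERR_BAD_KEY_TYPE = 0x3c,
	KMF_ERR_BAD_KEY_CLASS = 0x3d,
	KMF_ERR_BAD_KEY_SIZE = 0x3e,
	KMF_ERR_BAD_HEX_STRING = 0x3f,
	KMF_ERR_KEYUSAGE = 0x40,
	KMF_ERR_VALIDITY_PERIOD = 0x41,
	KMF_ERR_OCSP_REVOKED = 0x42,
	KMF_ERR_CERT_MULTIPLE_FOUND = 0x43,
	KMF_ERR_WRITE_FILE = 0x44,
	KMF_ERR_BAD_URI = 0x45,
	KMF_ERR_BAD_CRLFILE = 0x46,
	KMF_ERR_BAD_CERTFILE = 0x47,
	KMF_ERR_GETKEYVALUE_FAILED = 0x48,
	KMF_ERR_BAD_KEYHANDLE = 0x49,
	KMF_ERR_BAD_OBJECT_TYPE = 0x4a,
	KMF_ERR_OCSP_RESPONSE_LIFETIME = 0x4b,
	KMF_ERR_UNKNOWN_CSR_ATTRIBUTE = 0x4c,
	KMF_ERR_UNINITIALIZED_TOKEN = 0x4d,
	KMF_ERR_INCOMPLETE_TBS_CERT = 0x4e,
	KMF_ERR_MISSING_ERRCODE = 0x4f,
	KMF_KEYSTORE_ALREADY_INITIALIZED = 0x50,
	KMF_ERR_SENSITIVE_KEY = 0x51,
	KMF_ERR_UNEXTRACTABLE_KEY = 0x52,
	KMF_ERR_KEY_MISMATCH = 0x53,
	KMF_ERR_ATTR_NOT_FOUND = 0x54
} KMF_RETURN;

/* Data structures for OCSP support */

/* CertStatus of a single certificate in an OCSP response. */
typedef enum {
	OCSP_GOOD	= 0,
	OCSP_REVOKED	= 1,
	OCSP_UNKNOWN	= 2
} KMF_OCSP_CERT_STATUS;

/* OCSPResponseStatus of the response as a whole. */
typedef enum {
	OCSP_SUCCESS = 0,
	OCSP_MALFORMED_REQUEST = 1,
	OCSP_INTERNAL_ERROR = 2,
	OCSP_TRYLATER = 3,
	OCSP_SIGREQUIRED = 4,
	OCSP_UNAUTHORIZED = 5
} KMF_OCSP_RESPONSE_STATUS;

/*
 * CRLReason reported with a revoked status.  OCSP_NOSTATUS means no
 * reason was present and is the only negative value.
 */
typedef enum {
	OCSP_NOSTATUS = -1,
	OCSP_UNSPECIFIED = 0,
	OCSP_KEYCOMPROMISE = 1,
	OCSP_CACOMPROMISE = 2,
	OCSP_AFFILIATIONCHANGE = 3,
	OCSP_SUPERCEDED = 4,
	OCSP_CESSATIONOFOPERATION = 5,
	OCSP_CERTIFICATEHOLD = 6,
	OCSP_REMOVEFROMCRL = 7
} KMF_OCSP_REVOKED_STATUS;

/* Broad class of a cryptographic algorithm. */
typedef enum {
	KMF_ALGCLASS_NONE	= 0,
	KMF_ALGCLASS_CUSTOM,
	KMF_ALGCLASS_SIGNATURE,
	KMF_ALGCLASS_SYMMETRIC,
	KMF_ALGCLASS_DIGEST,
	KMF_ALGCLASS_RANDOMGEN,
	KMF_ALGCLASS_UNIQUEGEN,
	KMF_ALGCLASS_MAC,
	KMF_ALGCLASS_ASYMMETRIC,
	KMF_ALGCLASS_KEYGEN,
	KMF_ALGCLASS_DERIVEKEY
} KMF_ALGCLASS;

/*
 * KMF_PRINTABLE_ITEM
 * Certificate fields and extensions that can be requested for display.
 * Numbering starts at 1 so that 0 is never a valid item.
 */
typedef enum
{
	KMF_CERT_ISSUER = 1,
	KMF_CERT_SUBJECT,
	KMF_CERT_VERSION,
	KMF_CERT_SERIALNUM,
	KMF_CERT_NOTBEFORE,
	KMF_CERT_NOTAFTER,
	KMF_CERT_PUBKEY_ALG,
	KMF_CERT_SIGNATURE_ALG,
	KMF_CERT_EMAIL,
	KMF_CERT_PUBKEY_DATA,
	KMF_X509_EXT_PRIV_KEY_USAGE_PERIOD,
	KMF_X509_EXT_CERT_POLICIES,
	KMF_X509_EXT_SUBJ_ALTNAME,
	KMF_X509_EXT_ISSUER_ALTNAME,
	KMF_X509_EXT_BASIC_CONSTRAINTS,
	KMF_X509_EXT_NAME_CONSTRAINTS,
	KMF_X509_EXT_POLICY_CONSTRAINTS,
	KMF_X509_EXT_EXT_KEY_USAGE,
	KMF_X509_EXT_INHIBIT_ANY_POLICY,
	KMF_X509_EXT_AUTH_KEY_ID,
	KMF_X509_EXT_SUBJ_KEY_ID,
	KMF_X509_EXT_POLICY_MAPPINGS,
	KMF_X509_EXT_CRL_DIST_POINTS,
	KMF_X509_EXT_FRESHEST_CRL,
	KMF_X509_EXT_KEY_USAGE
} KMF_PRINTABLE_ITEM;

/*
 * KMF_X509_ALGORITHM_IDENTIFIER
 * This structure holds an object identifier naming a
 * cryptographic algorithm and an optional set of
 * parameters to be used as input to that algorithm.
 */
typedef struct
{
	KMF_OID		algorithm;
	KMF_DATA	parameters;
} KMF_X509_ALGORITHM_IDENTIFIER;

/*
 * KMF_X509_TYPE_VALUE_PAIR
 * This structure contains a type-value pair (one AttributeTypeAndValue).
 */
typedef struct
{
	KMF_OID		type;
	uint8_t		valueType;	/* The Tag to use when BER encoded */
	KMF_DATA	value;
} KMF_X509_TYPE_VALUE_PAIR;


/*
 * KMF_X509_RDN
 * This structure contains a Relative Distinguished Name
 * composed of an ordered set of type-value pairs.
 * numberOfPairs is the element count of AttributeTypeAndValue.
 */
typedef struct
{
	uint32_t			numberOfPairs;
	KMF_X509_TYPE_VALUE_PAIR	*AttributeTypeAndValue;
} KMF_X509_RDN;

/*
 * KMF_X509_NAME
 * This structure contains a set of Relative Distinguished Names.
 * numberOfRDNs is the element count of RelativeDistinguishedName.
 */
typedef struct
{
	uint32_t	numberOfRDNs;
	KMF_X509_RDN	*RelativeDistinguishedName;
} KMF_X509_NAME;

/*
 * KMF_X509_SPKI
 * This structure contains the public key and the
 * description of the verification algorithm
 * appropriate for use with this key.
 */
typedef struct
{
	KMF_X509_ALGORITHM_IDENTIFIER	algorithm;
	KMF_DATA			subjectPublicKey;
} KMF_X509_SPKI;

/*
 * KMF_X509_TIME
 * Time is represented as a string according to the
 * definitions of GeneralizedTime and UTCTime
 * defined in RFC 2459.  timeType carries the ASN.1 tag that
 * says which of the two encodings time holds.
 */
typedef struct
{
	uint8_t		timeType;
	KMF_DATA	time;
} KMF_X509_TIME;

/*
 * KMF_X509_VALIDITY
 * The notBefore / notAfter window of a certificate.
 */
typedef struct
{
	KMF_X509_TIME	notBefore;
	KMF_X509_TIME	notAfter;
} KMF_X509_VALIDITY;

/*
 * KMF_X509EXT_BASICCONSTRAINTS
 * Parsed basicConstraints extension.  pathLenConstraint is only
 * meaningful when pathLenConstraintPresent is set.
 */
typedef struct
{
	KMF_BOOL	cA;
	KMF_BOOL	pathLenConstraintPresent;
	uint32_t	pathLenConstraint;
} KMF_X509EXT_BASICCONSTRAINTS;

/*
 * KMF_X509EXT_DATA_FORMAT
 * This list defines the valid formats for a certificate extension.
 */
typedef enum
{
	KMF_X509_DATAFORMAT_ENCODED = 0,
	KMF_X509_DATAFORMAT_PARSED,
	KMF_X509_DATAFORMAT_PAIR
} KMF_X509EXT_DATA_FORMAT;


/*
 * KMF_X509EXT_TAGandVALUE
 * This structure contains a BER/DER encoded
 * extension value and the type of that value.
 */
typedef struct
{
	uint8_t		type;
	KMF_DATA	value;
} KMF_X509EXT_TAGandVALUE;


/*
 * KMF_X509EXT_PAIR
 * This structure aggregates two extension representations:
 * a tag and value, and a parsed X509 extension representation.
 */
typedef struct
{
	KMF_X509EXT_TAGandVALUE	tagAndValue;
	void			*parsedValue;
} KMF_X509EXT_PAIR;

/*
 * KMF_X509_EXTENSION
 * This structure contains a complete certificate extension.
 * format selects which member of the value union is live;
 * BERvalue keeps the encoded extnValue regardless of format.
 */
typedef struct
{
	KMF_OID			extnId;
	KMF_BOOL		critical;
	KMF_X509EXT_DATA_FORMAT	format;
	union
	{
		KMF_X509EXT_TAGandVALUE	*tagAndValue;
		void			*parsedValue;
		KMF_X509EXT_PAIR	*valuePair;
	} value;
	KMF_DATA		BERvalue;
} KMF_X509_EXTENSION;


/*
 * KMF_X509_EXTENSIONS
 * This structure contains the set of all certificate
 * extensions contained in a certificate.
 */
typedef struct
{
	uint32_t		numberOfExtensions;
	KMF_X509_EXTENSION	*extensions;
} KMF_X509_EXTENSIONS;

/*
 * KMF_X509_TBS_CERT
 * This structure contains a complete X.509 certificate.
 * (The "to be signed" portion - the signature itself lives in
 * KMF_X509_CERTIFICATE.)
 */
typedef struct
{
	KMF_DATA			version;
	KMF_BIGINT			serialNumber;
	KMF_X509_ALGORITHM_IDENTIFIER	signature;
	KMF_X509_NAME			issuer;
	KMF_X509_VALIDITY		validity;
	KMF_X509_NAME			subject;
	KMF_X509_SPKI			subjectPublicKeyInfo;
	KMF_DATA			issuerUniqueIdentifier;
	KMF_DATA			subjectUniqueIdentifier;
	KMF_X509_EXTENSIONS		extensions;
} KMF_X509_TBS_CERT;

/*
 * KMF_X509_SIGNATURE
 * This structure contains a cryptographic digital signature.
 */
typedef struct
{
	KMF_X509_ALGORITHM_IDENTIFIER	algorithmIdentifier;
	KMF_DATA			encrypted;
} KMF_X509_SIGNATURE;

/*
 * KMF_X509_CERTIFICATE
 * This structure associates a set of decoded certificate
 * values with the signature covering those values.
 */
typedef struct
{
	KMF_X509_TBS_CERT	certificate;
	KMF_X509_SIGNATURE	signature;
} KMF_X509_CERTIFICATE;

/*
 * Pointers to the two algorithm OIDs of a KMF_X509_CERTIFICATE *c: the
 * one inside the TBS portion and the one on the outer signature.  The
 * argument and the expansion are parenthesised so that c may be any
 * pointer expression; both OIDs are expected to agree for a well-formed
 * certificate, and code comparing them is what makes a mismatch visible.
 */
#define	CERT_ALG_OID(c)	(&(c)->certificate.signature.algorithm)
#define	CERT_SIG_OID(c)	(&(c)->signature.algorithmIdentifier.algorithm)

/*
 * KMF_TBS_CSR
 * This structure contains a complete PKCS#10 certificate request
 */
typedef struct
{
	KMF_DATA		version;
	KMF_X509_NAME		subject;
	KMF_X509_SPKI		subjectPublicKeyInfo;
	KMF_X509_EXTENSIONS	extensions;
} KMF_TBS_CSR;

/*
 * KMF_CSR_DATA
 * This structure contains a complete PKCS#10 certificate signed request
 */
typedef struct
{
	KMF_TBS_CSR		csr;
	KMF_X509_SIGNATURE	signature;
} KMF_CSR_DATA;

/*
 * KMF_X509EXT_POLICYQUALIFIERINFO
 * One PolicyQualifierInfo of the certificatePolicies extension.
 */
typedef struct
{
	KMF_OID		policyQualifierId;
	KMF_DATA	value;
} KMF_X509EXT_POLICYQUALIFIERINFO;

/*
 * KMF_X509EXT_POLICYQUALIFIERS
 * Array of policy qualifiers; numberOfPolicyQualifiers counts them.
 */
typedef struct
{
	uint32_t				numberOfPolicyQualifiers;
	KMF_X509EXT_POLICYQUALIFIERINFO		*policyQualifier;
} KMF_X509EXT_POLICYQUALIFIERS;

/*
 * KMF_X509EXT_POLICYINFO
 * One PolicyInformation entry: a policy OID plus its qualifiers.
 */
typedef struct
{
	KMF_OID				policyIdentifier;
	KMF_X509EXT_POLICYQUALIFIERS	policyQualifiers;
} KMF_X509EXT_POLICYINFO;

/* Parsed certificatePolicies extension. */
typedef struct
{
	uint32_t		numberOfPolicyInfo;
	KMF_X509EXT_POLICYINFO	*policyInfo;
} KMF_X509EXT_CERT_POLICIES;

/*
 * Parsed keyUsage extension.  NOTE(review): KeyUsageBits presumably holds
 * the KMF_digitalSignature ... KMF_decipherOnly masks defined later in
 * this header (they all fit in 16 bits) - confirm against the decoder.
 */
typedef struct
{
	uchar_t		critical;
	uint16_t	KeyUsageBits;
} KMF_X509EXT_KEY_USAGE;

/* Parsed extKeyUsage extension: nEKUs purpose OIDs at keyPurposeIdList. */
typedef struct
{
	uchar_t		critical;
	uint16_t	nEKUs;
	KMF_OID		*keyPurposeIdList;
} KMF_X509EXT_EKU;


/*
 * X509 AuthorityInfoAccess extension
 */
typedef struct
{
	KMF_OID		AccessMethod;
	KMF_DATA	AccessLocation;
} KMF_X509EXT_ACCESSDESC;

typedef struct
{
	uint32_t		numberOfAccessDescription;
	KMF_X509EXT_ACCESSDESC	*AccessDesc;
} KMF_X509EXT_AUTHINFOACCESS;


/*
 * X509 Crl Distribution Point extension
 */

/* One GeneralName: the CHOICE tag plus its still-encoded value. */
typedef struct {
	KMF_GENERALNAMECHOICES	choice;
	KMF_DATA		name;
} KMF_GENERALNAME;

/* GeneralNames: number entries at namelist. */
typedef struct {
	uint32_t		number;
	KMF_GENERALNAME		*namelist;
} KMF_GENERALNAMES;

/* DistributionPointName CHOICE selector for KMF_CRL_DIST_POINT.name. */
typedef enum {
	DP_GENERAL_NAME = 1,
	DP_RELATIVE_NAME = 2
} KMF_CRL_DIST_POINT_TYPE;

/*
 * One DistributionPoint.  type selects the live member of name;
 * reasons is the ReasonFlags BIT STRING, still encoded.
 */
typedef struct {
	KMF_CRL_DIST_POINT_TYPE	type;
	union {
		KMF_GENERALNAMES	full_name;
		KMF_DATA		relative_name;
	} name;
	KMF_DATA		reasons;
	KMF_GENERALNAMES	crl_issuer;
} KMF_CRL_DIST_POINT;

/* Parsed cRLDistributionPoints extension: number entries at dplist. */
typedef struct {
	uint32_t		number;
	KMF_CRL_DIST_POINT	*dplist;
} KMF_X509EXT_CRLDISTPOINTS;

/*
 * KMF_ATTR_TYPE
 * Tags for the KMF_ATTRIBUTE arrays passed to the attribute-based API.
 * Values are assigned by position; append new tags at the end so that
 * existing callers and plugins keep the same numbering.
 */
typedef enum {
	KMF_DATA_ATTR,
	KMF_OID_ATTR,
	KMF_BIGINT_ATTR,
	KMF_X509_DER_CERT_ATTR,
	KMF_KEYSTORE_TYPE_ATTR,
	KMF_ENCODE_FORMAT_ATTR,
	KMF_CERT_VALIDITY_ATTR,
	KMF_KU_PURPOSE_ATTR,
	KMF_ALGORITHM_INDEX_ATTR,
	KMF_TOKEN_LABEL_ATTR,
	KMF_READONLY_ATTR,
	KMF_DIRPATH_ATTR,
	KMF_CERTPREFIX_ATTR,
	KMF_KEYPREFIX_ATTR,
	KMF_SECMODNAME_ATTR,
	KMF_CREDENTIAL_ATTR,
	KMF_TRUSTFLAG_ATTR,
	KMF_CRL_FILENAME_ATTR,
	KMF_CRL_CHECK_ATTR,
	KMF_CRL_DATA_ATTR,
	KMF_CRL_SUBJECT_ATTR,
	KMF_CRL_ISSUER_ATTR,
	KMF_CRL_NAMELIST_ATTR,
	KMF_CRL_COUNT_ATTR,
	KMF_CRL_OUTFILE_ATTR,
	KMF_CERT_LABEL_ATTR,
	KMF_SUBJECT_NAME_ATTR,
	KMF_ISSUER_NAME_ATTR,
	KMF_CERT_FILENAME_ATTR,
	KMF_KEY_FILENAME_ATTR,
	KMF_OUTPUT_FILENAME_ATTR,
	KMF_IDSTR_ATTR,
	KMF_CERT_DATA_ATTR,
	KMF_OCSP_RESPONSE_DATA_ATTR,
	KMF_OCSP_RESPONSE_STATUS_ATTR,
	KMF_OCSP_RESPONSE_REASON_ATTR,
	KMF_OCSP_RESPONSE_CERT_STATUS_ATTR,
	KMF_OCSP_REQUEST_FILENAME_ATTR,
	KMF_KEYALG_ATTR,
	KMF_KEYCLASS_ATTR,
	KMF_KEYLABEL_ATTR,
	KMF_KEYLENGTH_ATTR,
	KMF_RSAEXP_ATTR,
	KMF_TACERT_DATA_ATTR,
	KMF_SLOT_ID_ATTR,
	KMF_PK12CRED_ATTR,
	KMF_ISSUER_CERT_DATA_ATTR,
	KMF_USER_CERT_DATA_ATTR,
	KMF_SIGNER_CERT_DATA_ATTR,
	KMF_IGNORE_RESPONSE_SIGN_ATTR,
	KMF_RESPONSE_LIFETIME_ATTR,
	KMF_KEY_HANDLE_ATTR,
	KMF_PRIVKEY_HANDLE_ATTR,
	KMF_PUBKEY_HANDLE_ATTR,
	KMF_ERROR_ATTR,
	KMF_X509_NAME_ATTR,
	KMF_X509_SPKI_ATTR,
	KMF_X509_CERTIFICATE_ATTR,
	KMF_RAW_KEY_ATTR,
	KMF_CSR_DATA_ATTR,
	KMF_GENERALNAMECHOICES_ATTR,
	KMF_STOREKEY_BOOL_ATTR,
	KMF_SENSITIVE_BOOL_ATTR,
	KMF_NON_EXTRACTABLE_BOOL_ATTR,
	KMF_TOKEN_BOOL_ATTR,
	KMF_PRIVATE_BOOL_ATTR,
	KMF_NEWPIN_ATTR,
	KMF_IN_SIGN_ATTR,
	KMF_OUT_DATA_ATTR,
	KMF_COUNT_ATTR,
	KMF_DESTROY_BOOL_ATTR,
	KMF_TBS_CERT_DATA_ATTR,
	KMF_PLAINTEXT_DATA_ATTR,
	KMF_CIPHERTEXT_DATA_ATTR,
	KMF_VALIDATE_RESULT_ATTR,
	KMF_KEY_DATA_ATTR
} KMF_ATTR_TYPE;

/*
 * KMF_ATTRIBUTE
 * Tagged, untyped argument: pValue points at valueLen bytes whose real
 * type is implied by type.  Code that consumes one must check valueLen
 * against the size it expects before reading through pValue.
 */
typedef struct {
	KMF_ATTR_TYPE	type;
	void		*pValue;
	uint32_t	valueLen;
} KMF_ATTRIBUTE;

/*
 * Definitions for common X.509v3 certificate attribute OIDs
 *
 * Each OID_* macro expands to a comma-separated list of DER content
 * octets and is meant to be used inside a byte-array initialiser; the
 * matching OID_*_LENGTH macro gives that octet count.  The list and the
 * length are maintained by hand, so any edit must keep them in step.
 */
#define	OID_ISO_MEMBER	42	/* Also in PKCS */
#define	OID_US	OID_ISO_MEMBER, 134, 72 /* Also in PKCS */
#define	OID_CA	OID_ISO_MEMBER, 124

#define	OID_ISO_IDENTIFIED_ORG 43
#define	OID_OSINET	OID_ISO_IDENTIFIED_ORG, 4
#define	OID_GOSIP	OID_ISO_IDENTIFIED_ORG, 5
#define	OID_DOD	OID_ISO_IDENTIFIED_ORG, 6
#define	OID_OIW	OID_ISO_IDENTIFIED_ORG, 14 /* Also in x9.57 */

#define	OID_ISO_CCITT_DIR_SERVICE 85
#define	OID_ISO_CCITT_COUNTRY	96
#define	OID_COUNTRY_US	OID_ISO_CCITT_COUNTRY, 134, 72
#define	OID_COUNTRY_CA	OID_ISO_CCITT_COUNTRY, 124
#define	OID_COUNTRY_US_ORG	OID_COUNTRY_US, 1
#define	OID_COUNTRY_US_MHS_MD	OID_COUNTRY_US, 2
#define	OID_COUNTRY_US_STATE	OID_COUNTRY_US, 3

/* From the PKCS Standards */
#define	OID_ISO_MEMBER_LENGTH 1
#define	OID_US_LENGTH	(OID_ISO_MEMBER_LENGTH + 2)

#define	OID_RSA	OID_US, 134, 247, 13
#define	OID_RSA_LENGTH	(OID_US_LENGTH + 3)

#define	OID_RSA_HASH	OID_RSA, 2
#define	OID_RSA_HASH_LENGTH	(OID_RSA_LENGTH + 1)

#define	OID_RSA_ENCRYPT	OID_RSA, 3
#define	OID_RSA_ENCRYPT_LENGTH	(OID_RSA_LENGTH + 1)

#define	OID_PKCS	OID_RSA, 1
#define	OID_PKCS_LENGTH	(OID_RSA_LENGTH + 1)

#define	OID_PKCS_1	OID_PKCS, 1
#define	OID_PKCS_1_LENGTH	(OID_PKCS_LENGTH + 1)

#define	OID_PKCS_2	OID_PKCS, 2
#define	OID_PKCS_3	OID_PKCS, 3
#define	OID_PKCS_3_LENGTH	(OID_PKCS_LENGTH + 1)

#define	OID_PKCS_4	OID_PKCS, 4
#define	OID_PKCS_5	OID_PKCS, 5
#define	OID_PKCS_5_LENGTH	(OID_PKCS_LENGTH + 1)
#define	OID_PKCS_6	OID_PKCS, 6
#define	OID_PKCS_7	OID_PKCS, 7
#define	OID_PKCS_7_LENGTH	(OID_PKCS_LENGTH + 1)

#define	OID_PKCS_7_Data	OID_PKCS_7, 1
#define	OID_PKCS_7_SignedData	OID_PKCS_7, 2
#define	OID_PKCS_7_EnvelopedData	OID_PKCS_7, 3
#define	OID_PKCS_7_SignedAndEnvelopedData	OID_PKCS_7, 4
#define	OID_PKCS_7_DigestedData	OID_PKCS_7, 5
#define	OID_PKCS_7_EncryptedData	OID_PKCS_7, 6

#define	OID_PKCS_8	OID_PKCS, 8
#define	OID_PKCS_9	OID_PKCS, 9
#define	OID_PKCS_9_LENGTH	(OID_PKCS_LENGTH + 1)

#define	OID_PKCS_9_CONTENT_TYPE	OID_PKCS_9, 3
#define	OID_PKCS_9_MESSAGE_DIGEST	OID_PKCS_9, 4
#define	OID_PKCS_9_SIGNING_TIME	OID_PKCS_9, 5
#define	OID_PKCS_9_COUNTER_SIGNATURE	OID_PKCS_9, 6
#define	OID_PKCS_9_EXTENSION_REQUEST	OID_PKCS_9, 14

#define	OID_PKCS_10	OID_PKCS, 10

#define	OID_PKCS_12	OID_PKCS, 12
#define	OID_PKCS_12_LENGTH	(OID_PKCS_LENGTH + 1)

/*
 * PKCS#12 password-based encryption schemes.  These are the legacy
 * PBES1 algorithms of PKCS#12 v1.0 (40-bit RC2/RC4 in particular offer
 * little protection today); they are named here so PKCS#12 files using
 * them can be identified, which does not by itself select them for
 * new output.
 */
#define	PBEWithSHAAnd128BitRC4	OID_PKCS_12, 1, 1
#define	PBEWithSHAAnd40BitRC4	OID_PKCS_12, 1, 2
#define	PBEWithSHAAnd3KeyTripleDES_CBC	OID_PKCS_12, 1, 3
#define	PBEWithSHAAnd2KeyTripleDES_CBC	OID_PKCS_12, 1, 4
#define	PBEWithSHAAnd128BitRC2_CBC	OID_PKCS_12, 1, 5
#define	PBEWithSHAAnd40BitRC2_CBC	OID_PKCS_12, 1, 6

#define	OID_BAG_TYPES	OID_PKCS_12, 10, 1
#define	OID_KeyBag	OID_BAG_TYPES, 1
#define	OID_PKCS8ShroudedKeyBag	OID_BAG_TYPES, 2
#define	OID_CertBag	OID_BAG_TYPES, 3
#define	OID_CrlBag	OID_BAG_TYPES, 4
#define	OID_SecretBag	OID_BAG_TYPES, 5
#define	OID_SafeContentsBag	OID_BAG_TYPES, 6

#define	OID_ContentInfo	OID_PKCS_7, 0, 1

#define	OID_CERT_TYPES	OID_PKCS_9, 22
#define	OID_x509Certificate	OID_CERT_TYPES, 1
#define	OID_sdsiCertificate	OID_CERT_TYPES, 2

#define	OID_CRL_TYPES	OID_PKCS_9, 23
#define	OID_x509Crl	OID_CRL_TYPES, 1

#define	OID_DS	OID_ISO_CCITT_DIR_SERVICE /* Also in X.501 */
#define	OID_DS_LENGTH	1

#define	OID_ATTR_TYPE	OID_DS, 4 /* Also in X.501 */
#define	OID_ATTR_TYPE_LENGTH	(OID_DS_LENGTH + 1)

#define	OID_DSALG	OID_DS, 8 /* Also in X.501 */
#define	OID_DSALG_LENGTH	(OID_DS_LENGTH + 1)

#define	OID_EXTENSION	OID_DS, 29 /* Also in X.501 */
#define	OID_EXTENSION_LENGTH	(OID_DS_LENGTH + 1)

/*
 * From RFC 1274:
 * {itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100) pilotAttributeType(1) }
 */
#define	OID_PILOT	0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x1
#define	OID_PILOT_LENGTH	9

/*
 * The separating comma was missing here, so OID_USERID expanded to
 * "..., 0x1 1" and could not be used in an initialiser; the length
 * macro already counted the extra arc.
 */
#define	OID_USERID	OID_PILOT, 1
#define	OID_USERID_LENGTH	(OID_PILOT_LENGTH + 1)

/*
 * From PKIX part1
 * { iso(1) identified-organization(3) dod(6) internet(1)
 *    security(5) mechanisms(5) pkix(7) }
 */
#define	OID_PKIX	43, 6, 1, 5, 5, 7
#define	OID_PKIX_LENGTH	6

/* private certificate extensions, { id-pkix 1 } */
#define	OID_PKIX_PE	OID_PKIX, 1
#define	OID_PKIX_PE_LENGTH	(OID_PKIX_LENGTH + 1)

/* policy qualifier types {id-pkix 2 } */
#define	OID_PKIX_QT	OID_PKIX, 2
#define	OID_PKIX_QT_LENGTH	(OID_PKIX_LENGTH + 1)

/* CPS qualifier, { id-qt 1 } */
#define	OID_PKIX_QT_CPS	OID_PKIX_QT, 1
#define	OID_PKIX_QT_CPS_LENGTH	(OID_PKIX_QT_LENGTH + 1)
/* user notice qualifier, { id-qt 2 } */
#define	OID_PKIX_QT_UNOTICE	OID_PKIX_QT, 2
#define	OID_PKIX_QT_UNOTICE_LENGTH	(OID_PKIX_QT_LENGTH + 1)

/* extended key purpose OIDs {id-pkix 3 } */
#define	OID_PKIX_KP	OID_PKIX, 3
#define	OID_PKIX_KP_LENGTH	(OID_PKIX_LENGTH + 1)

/* access descriptors, id-ad = {id-pkix 48 } (the value below) */
#define	OID_PKIX_AD	OID_PKIX, 48
#define	OID_PKIX_AD_LENGTH	(OID_PKIX_LENGTH + 1)

/* access descriptors */
/* OCSP */
#define	OID_PKIX_AD_OCSP	OID_PKIX_AD, 1
#define	OID_PKIX_AD_OCSP_LENGTH	(OID_PKIX_AD_LENGTH + 1)

/* cAIssuers */
#define	OID_PKIX_AD_CAISSUERS	OID_PKIX_AD, 2
#define	OID_PKIX_AD_CAISSUERS_LENGTH	(OID_PKIX_AD_LENGTH + 1)

/* end PKIX part1 */

/*
 * OID_APPL_TCP_PROTO is seven octets (1.3 packs into 43), so its length
 * is 7; the previous value of 8 would have let a KMF_OID built from it
 * claim one byte beyond the initialiser.
 */
#define	OID_APPL_TCP_PROTO	43, 6, 1, 2, 1, 27, 4
#define	OID_APPL_TCP_PROTO_LENGTH	7

#define	OID_DAP	OID_DS, 3, 1
#define	OID_DAP_LENGTH	(OID_DS_LENGTH + 2)

/* From x9.57 */
#define	OID_OIW_LENGTH	2

#define	OID_OIW_SECSIG	OID_OIW, 3
#define	OID_OIW_SECSIG_LENGTH	(OID_OIW_LENGTH + 1)

#define	OID_OIW_ALGORITHM	OID_OIW_SECSIG, 2
#define	OID_OIW_ALGORITHM_LENGTH	(OID_OIW_SECSIG_LENGTH + 1)

#define	OID_OIWDIR	OID_OIW, 7, 2
#define	OID_OIWDIR_LENGTH	(OID_OIW_LENGTH + 2)

#define	OID_OIWDIR_CRPT	OID_OIWDIR, 1

#define	OID_OIWDIR_HASH	OID_OIWDIR, 2
#define	OID_OIWDIR_HASH_LENGTH	(OID_OIWDIR_LENGTH + 1)

#define	OID_OIWDIR_SIGN	OID_OIWDIR, 3
#define	OID_OIWDIR_SIGN_LENGTH	(OID_OIWDIR_LENGTH + 1)

#define	OID_X9CM	OID_US, 206, 56
#define	OID_X9CM_MODULE	OID_X9CM, 1
#define	OID_X9CM_INSTRUCTION	OID_X9CM, 2
#define	OID_X9CM_ATTR	OID_X9CM, 3
#define	OID_X9CM_X9ALGORITHM	OID_X9CM, 4
#define	OID_X9CM_X9ALGORITHM_LENGTH ((OID_US_LENGTH) + 2 + 1)

#define	INTEL	96, 134, 72, 1, 134, 248, 77
#define	INTEL_LENGTH	7

/*
 * INTEL_CDSASECURITY and INTEL_CDSASECURITY_LENGTH are not defined in
 * this header, so the two macros below only work if the including file
 * defines them first; left as found rather than guessing at the arc.
 */
#define	INTEL_SEC_FORMATS	INTEL_CDSASECURITY, 1
#define	INTEL_SEC_FORMATS_LENGTH	(INTEL_CDSASECURITY_LENGTH + 1)

#define	INTEL_SEC_ALGS	INTEL_CDSASECURITY, 2, 5
#define	INTEL_SEC_ALGS_LENGTH	(INTEL_CDSASECURITY_LENGTH + 2)

/* Pre-built OID objects for X.500 attribute types and PKCS#9 attributes. */
extern const KMF_OID
KMFOID_AliasedEntryName,
KMFOID_AuthorityRevocationList,
KMFOID_BusinessCategory,
KMFOID_CACertificate,
KMFOID_CertificateRevocationList,
KMFOID_ChallengePassword,
KMFOID_CollectiveFacsimileTelephoneNumber,
KMFOID_CollectiveInternationalISDNNumber,
KMFOID_CollectiveOrganizationName,
KMFOID_CollectiveOrganizationalUnitName,
KMFOID_CollectivePhysicalDeliveryOfficeName,
KMFOID_CollectivePostOfficeBox,
KMFOID_CollectivePostalAddress,
KMFOID_CollectivePostalCode,
KMFOID_CollectiveStateProvinceName,
KMFOID_CollectiveStreetAddress,
KMFOID_CollectiveTelephoneNumber,
KMFOID_CollectiveTelexNumber,
KMFOID_CollectiveTelexTerminalIdentifier,
KMFOID_CommonName,
KMFOID_ContentType,
KMFOID_CounterSignature,
KMFOID_CountryName,
KMFOID_CrossCertificatePair,
KMFOID_DNQualifier,
KMFOID_Description,
KMFOID_DestinationIndicator,
KMFOID_DistinguishedName,
KMFOID_EmailAddress,
KMFOID_EnhancedSearchGuide,
KMFOID_ExtendedCertificateAttributes,
KMFOID_ExtensionRequest,
KMFOID_FacsimileTelephoneNumber,
KMFOID_GenerationQualifier,
KMFOID_GivenName,
KMFOID_HouseIdentifier,
KMFOID_Initials,
KMFOID_InternationalISDNNumber,
KMFOID_KnowledgeInformation,
KMFOID_LocalityName,
KMFOID_Member,
KMFOID_MessageDigest,
KMFOID_Name,
KMFOID_ObjectClass,
KMFOID_OrganizationName,
KMFOID_OrganizationalUnitName,
KMFOID_Owner,
KMFOID_PhysicalDeliveryOfficeName,
KMFOID_PostOfficeBox,
KMFOID_PostalAddress,
KMFOID_PostalCode,
KMFOID_PreferredDeliveryMethod,
KMFOID_PresentationAddress,
KMFOID_ProtocolInformation,
KMFOID_RFC822mailbox,
KMFOID_RegisteredAddress,
KMFOID_RoleOccupant,
KMFOID_SearchGuide,
KMFOID_SeeAlso,
KMFOID_SerialNumber,
KMFOID_SigningTime,
KMFOID_StateProvinceName,
KMFOID_StreetAddress,
KMFOID_SupportedApplicationContext,
KMFOID_Surname,
KMFOID_TelephoneNumber,
KMFOID_TelexNumber,
KMFOID_TelexTerminalIdentifier,
KMFOID_Title,
KMFOID_UniqueIdentifier,
KMFOID_UniqueMember,
KMFOID_UnstructuredAddress,
KMFOID_UnstructuredName,
KMFOID_UserCertificate,
KMFOID_UserPassword,
KMFOID_X_121Address,
KMFOID_domainComponent,
KMFOID_userid;

/*
 * Pre-built OID objects for certificate extensions, PKIX policy
 * qualifiers and key purposes, and signature / digest algorithms.
 */
extern const KMF_OID
KMFOID_AuthorityKeyID,
KMFOID_AuthorityInfoAccess,
KMFOID_VerisignCertificatePolicy,
KMFOID_KeyUsageRestriction,
KMFOID_SubjectDirectoryAttributes,
KMFOID_SubjectKeyIdentifier,
KMFOID_KeyUsage,
KMFOID_PrivateKeyUsagePeriod,
KMFOID_SubjectAltName,
KMFOID_IssuerAltName,
KMFOID_BasicConstraints,
KMFOID_CrlNumber,
KMFOID_CrlReason,
KMFOID_HoldInstructionCode,
KMFOID_InvalidityDate,
KMFOID_DeltaCrlIndicator,
KMFOID_IssuingDistributionPoints,
KMFOID_NameConstraints,
KMFOID_CrlDistributionPoints,
KMFOID_CertificatePolicies,
KMFOID_PolicyMappings,
KMFOID_PolicyConstraints,
KMFOID_AuthorityKeyIdentifier,
KMFOID_ExtendedKeyUsage,
KMFOID_PkixAdOcsp,
KMFOID_PkixAdCaIssuers,
KMFOID_PKIX_PQ_CPSuri,
KMFOID_PKIX_PQ_Unotice,
KMFOID_PKIX_KP_ServerAuth,
KMFOID_PKIX_KP_ClientAuth,
KMFOID_PKIX_KP_CodeSigning,
KMFOID_PKIX_KP_EmailProtection,
KMFOID_PKIX_KP_IPSecEndSystem,
KMFOID_PKIX_KP_IPSecTunnel,
KMFOID_PKIX_KP_IPSecUser,
KMFOID_PKIX_KP_TimeStamping,
KMFOID_PKIX_KP_OCSPSigning,
KMFOID_SHA1,
KMFOID_RSA,
KMFOID_DSA,
KMFOID_MD5WithRSA,
KMFOID_MD2WithRSA,
KMFOID_SHA1WithRSA,
KMFOID_SHA1WithDSA,
KMFOID_OIW_DSAWithSHA1,
KMFOID_X9CM_DSA,
KMFOID_X9CM_DSAWithSHA1;

/*
 * KMF Certificate validation codes.  These may be masked together.
 * A result of KMF_CERT_VALIDATE_OK means every check passed; any other
 * value is a bit set naming each failed check.  Note that
 * KMF_CERT_VALIDATE_ERR_ISSUER is 0x100, so the result needs more than
 * eight bits - do not store it in a uint8_t or uchar_t.
 */
#define	KMF_CERT_VALIDATE_OK		0x00
#define	KMF_CERT_VALIDATE_ERR_TA	0x01
#define	KMF_CERT_VALIDATE_ERR_USER	0x02
#define	KMF_CERT_VALIDATE_ERR_SIGNATURE	0x04
#define	KMF_CERT_VALIDATE_ERR_KEYUSAGE	0x08
#define	KMF_CERT_VALIDATE_ERR_EXT_KEYUSAGE	0x10
#define	KMF_CERT_VALIDATE_ERR_TIME	0x20
#define	KMF_CERT_VALIDATE_ERR_CRL	0x40
#define	KMF_CERT_VALIDATE_ERR_OCSP	0x80
#define	KMF_CERT_VALIDATE_ERR_ISSUER	0x100

/*
 * KMF Key Usage bitmasks
 * Bit positions follow the X.509 KeyUsage BIT STRING with bit 0 in the
 * most significant position of a 16-bit word; KMF_KUBITMASK is the OR of
 * the nine defined bits.
 */
#define	KMF_digitalSignature	0x8000
#define	KMF_nonRepudiation	0x4000
#define	KMF_keyEncipherment	0x2000
#define	KMF_dataEncipherment	0x1000
#define	KMF_keyAgreement	0x0800
#define	KMF_keyCertSign		0x0400
#define	KMF_cRLSign		0x0200
#define	KMF_encipherOnly	0x0100
#define	KMF_decipherOnly	0x0080

#define	KMF_KUBITMASK	0xFF80

/*
 * KMF Extended KeyUsage OID definitions
 * Bit flags summarising which well-known extKeyUsage purposes a
 * certificate carries.
 */
#define	KMF_EKU_SERVERAUTH		0x01
#define	KMF_EKU_CLIENTAUTH		0x02
#define	KMF_EKU_CODESIGNING		0x04
#define	KMF_EKU_EMAIL			0x08
#define	KMF_EKU_TIMESTAMP		0x10
#define	KMF_EKU_OCSPSIGNING		0x20


/*
 * Legacy support only - do not use these data structures - they can be
 * removed at any time.
 */

/* Keystore Configuration */
typedef struct {
	char	*configdir;
	char	*certPrefix;
	char	*keyPrefix;
	char	*secModName;
} KMF_NSS_CONFIG;

typedef struct {
	char		*label;
	boolean_t	readonly;
} KMF_PKCS11_CONFIG;

typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	union {
		KMF_NSS_CONFIG		nss_conf;
		KMF_PKCS11_CONFIG	pkcs11_conf;
	} ks_config_u;
} KMF_CONFIG_PARAMS;

#define	nssconfig	ks_config_u.nss_conf
#define	pkcs11config	ks_config_u.pkcs11_conf


typedef struct
{
	char	*trustflag;
	char	*slotlabel;		/* "internal" by default */
	int	issuerId;
	int	subjectId;
	char	*crlfile;		/* for ImportCRL */
	boolean_t crl_check;		/* for ImportCRL */

	/*
	 * The following 2 variables are for FindCertInCRL. The caller can
	 * either specify certLabel or provide the entire certificate in
	 * DER format as input.
	 */
	char	*certLabel;		/* for FindCertInCRL */
	KMF_DATA *certificate;		/* for FindCertInCRL */

	/*
	 * crl_subjName and crl_issuerName are used as the CRL deletion
	 * criteria. One should be non-NULL and the other one should be NULL.
	 * If crl_subjName is not NULL, then delete CRL by the subject name.
	 * Otherwise, delete by the issuer name.
	 */
	char	*crl_subjName;
	char	*crl_issuerName;
} KMF_NSS_PARAMS;

typedef struct {
	char	*dirpath;
	char	*certfile;
	char	*crlfile;
	char	*keyfile;
	char	*outcrlfile;
	boolean_t crl_check;		/* CRL import check; default is true */
	KMF_ENCODE_FORMAT format;	/* output file format */
} KMF_OPENSSL_PARAMS;

typedef struct {
	boolean_t	private;	/* for finding CKA_PRIVATE objects */
	boolean_t	sensitive;
	boolean_t	not_extractable;
	boolean_t	token;	/* true == token object, false == session */
} KMF_PKCS11_PARAMS;

/*
 * Search criteria for the legacy FindCert / DeleteCert calls.  The
 * keystore-specific options live in ks_opt_u, selected by kstype; the
 * nssparms / sslparms / pkcs11parms macros below spell the members.
 */
typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	char			*certLabel;
	char			*issuer;
	char			*subject;
	char			*idstr;
	KMF_BIGINT		*serial;
	KMF_CERT_VALIDITY	find_cert_validity;

	union {
		KMF_NSS_PARAMS		nss_opts;
		KMF_OPENSSL_PARAMS	openssl_opts;
		KMF_PKCS11_PARAMS	pkcs11_opts;
	} ks_opt_u;
} KMF_FINDCERT_PARAMS, KMF_DELETECERT_PARAMS;

typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	KMF_CREDENTIAL		cred;
	KMF_KEY_CLASS		keyclass;
	KMF_KEY_ALG		keytype;
	KMF_ENCODE_FORMAT	format;		/* for key */
	char			*findLabel;
	char			*idstr;
	union {
		KMF_NSS_PARAMS		nss_opts;
		KMF_OPENSSL_PARAMS	openssl_opts;
		KMF_PKCS11_PARAMS	pkcs11_opts;
	} ks_opt_u;
} KMF_FINDKEY_PARAMS;

typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	KMF_KEY_ALG		keytype;
	uint32_t		keylength;
	char			*keylabel;
	KMF_CREDENTIAL		cred;
	KMF_BIGINT		rsa_exponent;
	union {
		KMF_NSS_PARAMS		nss_opts;
		KMF_OPENSSL_PARAMS	openssl_opts;
	} ks_opt_u;
} KMF_CREATEKEYPAIR_PARAMS;


typedef struct {
	KMF_KEYSTORE_TYPE	kstype;
	KMF_CREDENTIAL		cred;
	KMF_ENCODE_FORMAT	format;		/* for key */
	char			*certLabel;
	KMF_ALGORITHM_INDEX	algid;
	union {
		KMF_NSS_PARAMS		nss_opts;
		KMF_OPENSSL_PARAMS	openssl_opts;
	} ks_opt_u;
} KMF_CRYPTOWITHCERT_PARAMS;

typedef struct {
	char	*crl_name;
} KMF_CHECKCRLDATE_PARAMS;

/* Shorthand for the keystore-specific member of the legacy ks_opt_u unions. */
#define	nssparms	ks_opt_u.nss_opts
#define	sslparms	ks_opt_u.openssl_opts
#define	pkcs11parms	ks_opt_u.pkcs11_opts

#ifdef __cplusplus
}
#endif
#endif /* _KMFTYPES_H */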