/*
 * Copyright (c) 1995-2000 Intel Corporation. All rights reserved.
 */
/*
 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

/*
 * kmftypes.h
 * Public data types, status codes, and OID arc tables shared by the
 * Key Management Framework (KMF) library, its keystore plugins, and
 * its callers. Only types and macros are defined here; the KMFOID_*
 * objects declared extern further down are defined in another unit.
 */

#ifndef _KMFTYPES_H
#define _KMFTYPES_H

#pragma ident "%Z%%M% %I% %E% SMI"

#include <sys/types.h>
#include <stdlib.h>
#include <strings.h>
#include <pthread.h>

#include <security/cryptoki.h>

#ifdef __cplusplus
extern "C" {
#endif

/* Boolean carried in wire-sized structures below (e.g. critical flags). */
typedef uint32_t KMF_BOOL;

#define KMF_FALSE (0)
#define KMF_TRUE (1)

/* KMF_HANDLE_T is a pointer to an incomplete C struct for type safety. */
typedef struct _kmf_handle *KMF_HANDLE_T;

/*
 * KMF_DATA
 * The KMF_DATA structure is used to associate a length, in bytes, with
 * an arbitrary block of contiguous memory.
 * Ownership of Data is not expressed by the type itself; check the
 * contract of the function that filled it in before freeing it.
 */
typedef struct kmf_data
{
	size_t Length; /* in bytes */
	uchar_t *Data;
} KMF_DATA;

/*
 * KMF_BIGINT
 * Multi-precision integer as a raw byte string: val presumably points at
 * len bytes. Byte order is not stated in this header - confirm against
 * the code that fills these in before relying on it.
 */
typedef struct {
	uchar_t *val;
	size_t len;
} KMF_BIGINT;

/*
 * KMF_OID
 * The object identifier (OID) structure is used to hold a unique identifier for
 * the atomic data fields and the compound substructure that comprise the fields
 * of a certificate or CRL.
 * Same layout as KMF_DATA: Length bytes of DER-encoded arcs at Data.
 */
typedef KMF_DATA KMF_OID;

/*
 * KMF_X509_PRIVATE
 * Bookkeeping the KMF layer attaches to a DER certificate (see
 * KMF_X509_DER_CERT): the keystore it came from, a label, and the
 * KMF_FLAG_* bits carried in flags.
 */
typedef struct kmf_x509_private {
	int keystore_type;
	int flags; /* see below */
	char *label;
#define KMF_FLAG_CERT_VALID 1 /* contains valid certificate */
#define KMF_FLAG_CERT_SIGNED 2 /* this is a signed certificate */
} KMF_X509_PRIVATE;

/*
 * KMF_X509_DER_CERT
 * This structure associates packed DER certificate data.
 * Also, it contains the private information used internally
 * by the KMF layer.
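 */
typedef struct
{
	KMF_DATA certificate;
	KMF_X509_PRIVATE kmf_private;
} KMF_X509_DER_CERT;

/*
 * Keystore back-ends. The numeric values are used as plain ints in
 * KMF_KEYSTORE_TYPE fields throughout this header, so they are part of
 * the ABI; add new types after the last one.
 */
typedef int KMF_KEYSTORE_TYPE;
#define KMF_KEYSTORE_NSS 1
#define KMF_KEYSTORE_OPENSSL 2
#define KMF_KEYSTORE_PK11TOKEN 3

/*
 * True if t is one of the keystore types above. The argument is
 * parenthesised so that an expression argument (a conditional, a
 * comma expression) is evaluated as a unit; the original expansion
 * spliced t in bare. Note that t is still evaluated twice, so do not
 * pass an expression with side effects.
 */
#define VALID_DEFAULT_KEYSTORE_TYPE(t) (((t) >= KMF_KEYSTORE_NSS) && \
	((t) <= KMF_KEYSTORE_PK11TOKEN))

/* On-disk / in-memory encodings a plugin can read or write. */
typedef enum {
	KMF_FORMAT_UNDEF = 0,
	KMF_FORMAT_ASN1 = 1, /* DER */
	KMF_FORMAT_PEM = 2,
	KMF_FORMAT_PKCS12 = 3,
	KMF_FORMAT_RAWKEY = 4, /* For FindKey operation */
	KMF_FORMAT_PEM_KEYPAIR = 5
} KMF_ENCODE_FORMAT;

/* "Native" is an alias for "undefined"; the plugin picks its own format. */
#define KMF_FORMAT_NATIVE KMF_FORMAT_UNDEF

/* Selector for certificate searches by validity period. */
typedef enum {
	KMF_ALL_CERTS = 0,
	KMF_NONEXPIRED_CERTS = 1,
	KMF_EXPIRED_CERTS = 2
} KMF_CERT_VALIDITY;


/* Selector for extension enumeration by criticality. */
typedef enum {
	KMF_ALL_EXTNS = 0,
	KMF_CRITICAL_EXTNS = 1,
	KMF_NONCRITICAL_EXTNS = 2
} KMF_FLAG_CERT_EXTN;


/* Purpose a key is being checked for (see the KMF_* key-usage bits). */
typedef enum {
	KMF_KU_SIGN_CERT = 0,
	KMF_KU_SIGN_DATA = 1,
	KMF_KU_ENCRYPT_DATA = 2
} KMF_KU_PURPOSE;

/*
 * Algorithms
 * This type defines a set of constants used to identify cryptographic
 * algorithms.
 * NOTE(review): the MD2- and MD5-based signature entries are identifiers
 * only; whether such signatures are accepted on verification is a policy
 * decision for the consumer, not something this header expresses.
 */
typedef enum {
	KMF_ALGID_NONE = 0,
	KMF_ALGID_CUSTOM,
	KMF_ALGID_SHA1,
	KMF_ALGID_RSA,
	KMF_ALGID_DSA,
	KMF_ALGID_MD5WithRSA,
	KMF_ALGID_MD2WithRSA,
	KMF_ALGID_SHA1WithRSA,
	KMF_ALGID_SHA1WithDSA
} KMF_ALGORITHM_INDEX;


/*
 * Generic credential structure used by other structures below
 * to convey authentication information to the underlying
 * mechanisms.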
 */
/*
 * KMF_CREDENTIAL
 * cred points at credlen bytes of authentication secret (presumably a
 * PIN or passphrase - confirm against the plugin that consumes it).
 * NOTE(review): nothing here states who owns or clears the buffer; the
 * party that allocated it should zeroize it when done, since a plain
 * memset before free may be optimised away.
 */
typedef struct {
	char *cred;
	uint32_t credlen;
} KMF_CREDENTIAL;

/* Key algorithm identifiers; values are explicit and part of the ABI. */
typedef enum {
	KMF_KEYALG_NONE = 0,
	KMF_RSA = 1,
	KMF_DSA = 2,
	KMF_AES = 3,
	KMF_RC4 = 4,
	KMF_DES = 5,
	KMF_DES3 = 6,
	KMF_GENERIC_SECRET = 7
}KMF_KEY_ALG;

typedef enum {
	KMF_KEYCLASS_NONE = 0,
	KMF_ASYM_PUB = 1, /* public key of an asymmetric keypair */
	KMF_ASYM_PRI = 2, /* private key of an asymmetric keypair */
	KMF_SYMMETRIC = 3 /* symmetric key */
}KMF_KEY_CLASS;


/* Kind of object a keystore operation is addressing. */
typedef enum {
	KMF_CERT = 0,
	KMF_CSR = 1,
	KMF_CRL = 2
}KMF_OBJECT_TYPE;


/*
 * KMF_RAW_RSA_KEY
 * RSA key components as big integers. Everything after pubexp is
 * private key material (CRT parameters included) and must be treated
 * as secret wherever this structure lives in memory.
 */
typedef struct {
	KMF_BIGINT mod;
	KMF_BIGINT pubexp;
	KMF_BIGINT priexp;
	KMF_BIGINT prime1;
	KMF_BIGINT prime2;
	KMF_BIGINT exp1;
	KMF_BIGINT exp2;
	KMF_BIGINT coef;
} KMF_RAW_RSA_KEY;

/*
 * KMF_RAW_DSA_KEY
 * DSA domain parameters plus the key; value presumably holds the
 * private key and pubvalue the public key - confirm in the consumers.
 */
typedef struct {
	KMF_BIGINT prime;
	KMF_BIGINT subprime;
	KMF_BIGINT base;
	KMF_BIGINT value;
	KMF_BIGINT pubvalue;
} KMF_RAW_DSA_KEY;

/* Raw symmetric key bytes. */
typedef struct {
	KMF_BIGINT keydata;
} KMF_RAW_SYM_KEY;

/*
 * KMF_RAW_KEY_DATA
 * A key in cleartext, tagged by keytype so the right union member is
 * read. sensitive / not_extractable presumably mirror the PKCS#11
 * CKA_SENSITIVE / CKA_EXTRACTABLE attributes - confirm in the PKCS#11
 * plugin. NOTE(review): because the union holds private material, the
 * owner should zeroize it before release.
 */
typedef struct {
	KMF_KEY_ALG keytype;
	boolean_t sensitive;
	boolean_t not_extractable;
	union {
		KMF_RAW_RSA_KEY rsa;
		KMF_RAW_DSA_KEY dsa;
		KMF_RAW_SYM_KEY sym;
	}rawdata;
	char *label;
	KMF_DATA id;
} KMF_RAW_KEY_DATA;

/*
 * KMF_KEY_HANDLE
 * Opaque reference to a key held by a keystore. keyp is plugin-private;
 * israw says whether it points at a KMF_RAW_KEY_DATA or at a
 * keystore-native object (the latter's type is not visible here).
 */
typedef struct {
	KMF_KEYSTORE_TYPE kstype;
	KMF_KEY_ALG keyalg;
	KMF_KEY_CLASS keyclass;
	boolean_t israw;
	char *keylabel;
	void *keyp;
} KMF_KEY_HANDLE;

/* A keystore-specific error code, qualified by the keystore it came from. */
typedef struct {
	KMF_KEYSTORE_TYPE kstype;
	uint32_t errcode;
} KMF_ERROR;

/*
 * Typenames to use with subjectAltName
 * The first nine follow the GeneralName CHOICE tag order; the last two
 * are KMF additions for Kerberos principals and smart-card logon UPNs.
 */
typedef enum {
	GENNAME_OTHERNAME = 0x00,
	GENNAME_RFC822NAME,
	GENNAME_DNSNAME,
	GENNAME_X400ADDRESS,
	GENNAME_DIRECTORYNAME,
	GENNAME_EDIPARTYNAME,
	GENNAME_URI,
	GENNAME_IPADDRESS,
	GENNAME_REGISTEREDID,
	GENNAME_KRB5PRINC,
	GENNAME_SCLOGON_UPN
} KMF_GENERALNAMECHOICES;

/*
 * KMF_FIELD
 * This structure contains the OID/value pair for any item that can be
 * identified by an OID.
 */
typedef struct
{
	KMF_OID FieldOid;
	KMF_DATA FieldValue;
} KMF_FIELD;

/*
 * KMF_RETURN
 * Status codes returned by the KMF API. The values are explicit and not
 * contiguous (0x08-0x0a and 0x0e-0x0f are unused), so they are part of
 * the ABI: append new codes, never renumber. KMF_OK is the only success
 * value; test against it rather than against zero-ness of a subset.
 */
typedef enum {
	KMF_OK = 0x00,
	KMF_ERR_BAD_PARAMETER = 0x01,
	KMF_ERR_BAD_KEY_FORMAT = 0x02,
	KMF_ERR_BAD_ALGORITHM = 0x03,
	KMF_ERR_MEMORY = 0x04,
	KMF_ERR_ENCODING = 0x05,
	KMF_ERR_PLUGIN_INIT = 0x06,
	KMF_ERR_PLUGIN_NOTFOUND = 0x07,
	KMF_ERR_INTERNAL = 0x0b,
	KMF_ERR_BAD_CERT_FORMAT = 0x0c,
	KMF_ERR_KEYGEN_FAILED = 0x0d,
	KMF_ERR_UNINITIALIZED = 0x10,
	KMF_ERR_ISSUER = 0x11,
	KMF_ERR_NOT_REVOKED = 0x12,
	KMF_ERR_CERT_NOT_FOUND = 0x13,
	KMF_ERR_CRL_NOT_FOUND = 0x14,
	KMF_ERR_RDN_PARSER = 0x15,
	KMF_ERR_RDN_ATTR = 0x16,
	KMF_ERR_SLOTNAME = 0x17,
	KMF_ERR_EMPTY_CRL = 0x18,
	KMF_ERR_BUFFER_SIZE = 0x19,
	KMF_ERR_AUTH_FAILED = 0x1a,
	KMF_ERR_TOKEN_SELECTED = 0x1b,
	KMF_ERR_NO_TOKEN_SELECTED = 0x1c,
	KMF_ERR_TOKEN_NOT_PRESENT = 0x1d,
	KMF_ERR_EXTENSION_NOT_FOUND = 0x1e,
	KMF_ERR_POLICY_ENGINE = 0x1f,
	KMF_ERR_POLICY_DB_FORMAT = 0x20,
	KMF_ERR_POLICY_NOT_FOUND = 0x21,
	KMF_ERR_POLICY_DB_FILE = 0x22,
	KMF_ERR_POLICY_NAME = 0x23,
	KMF_ERR_OCSP_POLICY = 0x24,
	KMF_ERR_TA_POLICY = 0x25,
	KMF_ERR_KEY_NOT_FOUND = 0x26,
	KMF_ERR_OPEN_FILE = 0x27,
	KMF_ERR_OCSP_BAD_ISSUER = 0x28,
	KMF_ERR_OCSP_BAD_CERT = 0x29,
	KMF_ERR_OCSP_CREATE_REQUEST = 0x2a,
	KMF_ERR_CONNECT_SERVER = 0x2b,
	KMF_ERR_SEND_REQUEST = 0x2c,
	KMF_ERR_OCSP_CERTID = 0x2d,
	KMF_ERR_OCSP_MALFORMED_RESPONSE = 0x2e,
	KMF_ERR_OCSP_RESPONSE_STATUS = 0x2f,
	KMF_ERR_OCSP_NO_BASIC_RESPONSE = 0x30,
	KMF_ERR_OCSP_BAD_SIGNER = 0x31,

	KMF_ERR_OCSP_RESPONSE_SIGNATURE = 0x32,
	KMF_ERR_OCSP_UNKNOWN_CERT = 0x33,
	KMF_ERR_OCSP_STATUS_TIME_INVALID = 0x34,
	KMF_ERR_BAD_HTTP_RESPONSE = 0x35,
	KMF_ERR_RECV_RESPONSE = 0x36,
	KMF_ERR_RECV_TIMEOUT = 0x37,
	KMF_ERR_DUPLICATE_KEYFILE = 0x38,
	KMF_ERR_AMBIGUOUS_PATHNAME = 0x39,
	KMF_ERR_FUNCTION_NOT_FOUND = 0x3a,
	KMF_ERR_PKCS12_FORMAT = 0x3b,
	KMF_ERR_BAD_KEY_TYPE = 0x3c,
	KMF_ERR_BAD_KEY_CLASS = 0x3d,
	KMF_ERR_BAD_KEY_SIZE = 0x3e,
	KMF_ERR_BAD_HEX_STRING = 0x3f,
	KMF_ERR_KEYUSAGE = 0x40,
	KMF_ERR_VALIDITY_PERIOD = 0x41,
	KMF_ERR_OCSP_REVOKED = 0x42,
	KMF_ERR_CERT_MULTIPLE_FOUND = 0x43,
	KMF_ERR_WRITE_FILE = 0x44,
	KMF_ERR_BAD_URI = 0x45,
	KMF_ERR_BAD_CRLFILE = 0x46,
	KMF_ERR_BAD_CERTFILE = 0x47,
	KMF_ERR_GETKEYVALUE_FAILED = 0x48,
	KMF_ERR_BAD_KEYHANDLE = 0x49,
	KMF_ERR_BAD_OBJECT_TYPE = 0x4a,
	KMF_ERR_OCSP_RESPONSE_LIFETIME = 0x4b,
	KMF_ERR_UNKNOWN_CSR_ATTRIBUTE = 0x4c,
	KMF_ERR_UNINITIALIZED_TOKEN = 0x4d,
	KMF_ERR_INCOMPLETE_TBS_CERT = 0x4e,
	KMF_ERR_MISSING_ERRCODE = 0x4f,
	KMF_KEYSTORE_ALREADY_INITIALIZED = 0x50,
	KMF_ERR_SENSITIVE_KEY = 0x51,
	KMF_ERR_UNEXTRACTABLE_KEY = 0x52,
	KMF_ERR_KEY_MISMATCH = 0x53,
	KMF_ERR_ATTR_NOT_FOUND = 0x54,
	KMF_ERR_KMF_CONF = 0x55
} KMF_RETURN;

/* Data structures for OCSP support */

/* CertStatus of a single certificate in an OCSP response. */
typedef enum {
	OCSP_GOOD = 0,
	OCSP_REVOKED = 1,
	OCSP_UNKNOWN = 2
} KMF_OCSP_CERT_STATUS;

/* OCSPResponseStatus of the response as a whole. */
typedef enum {
	OCSP_SUCCESS = 0,
	OCSP_MALFORMED_REQUEST = 1,
	OCSP_INTERNAL_ERROR = 2,
	OCSP_TRYLATER = 3,
	OCSP_SIGREQUIRED = 4,
	OCSP_UNAUTHORIZED = 5
} KMF_OCSP_RESPONSE_STATUS;

/*
 * CRLReason for a revoked certificate; OCSP_NOSTATUS (-1) is the KMF
 * marker for "no reason supplied", outside the CRLReason value space.
 */
typedef enum {
	OCSP_NOSTATUS = -1,
	OCSP_UNSPECIFIED = 0,
	OCSP_KEYCOMPROMISE = 1,
	OCSP_CACOMPROMISE = 2,
	OCSP_AFFILIATIONCHANGE = 3,
	OCSP_SUPERCEDED = 4,
	OCSP_CESSATIONOFOPERATION = 5,
	OCSP_CERTIFICATEHOLD = 6,
	OCSP_REMOVEFROMCRL = 7
} KMF_OCSP_REVOKED_STATUS;

/* Broad class of a cryptographic algorithm. */
typedef enum {
	KMF_ALGCLASS_NONE = 0,
	KMF_ALGCLASS_CUSTOM,
	KMF_ALGCLASS_SIGNATURE,
	KMF_ALGCLASS_SYMMETRIC,
	KMF_ALGCLASS_DIGEST,
	KMF_ALGCLASS_RANDOMGEN,
	KMF_ALGCLASS_UNIQUEGEN,
	KMF_ALGCLASS_MAC,
	KMF_ALGCLASS_ASYMMETRIC,
	KMF_ALGCLASS_KEYGEN,
	KMF_ALGCLASS_DERIVEKEY
} KMF_ALGCLASS;

/*
 * KMF_PRINTABLE_ITEM
 * Selects which certificate field or extension a print routine renders.
 */
typedef enum {
	KMF_CERT_ISSUER = 1,
	KMF_CERT_SUBJECT,
	KMF_CERT_VERSION,
	KMF_CERT_SERIALNUM,
	KMF_CERT_NOTBEFORE,
	KMF_CERT_NOTAFTER,
	KMF_CERT_PUBKEY_ALG,
	KMF_CERT_SIGNATURE_ALG,
	KMF_CERT_EMAIL,
	KMF_CERT_PUBKEY_DATA,
	KMF_X509_EXT_PRIV_KEY_USAGE_PERIOD,
	KMF_X509_EXT_CERT_POLICIES,
	KMF_X509_EXT_SUBJ_ALTNAME,
	KMF_X509_EXT_ISSUER_ALTNAME,
	KMF_X509_EXT_BASIC_CONSTRAINTS,
	KMF_X509_EXT_NAME_CONSTRAINTS,
	KMF_X509_EXT_POLICY_CONSTRAINTS,
	KMF_X509_EXT_EXT_KEY_USAGE,
	KMF_X509_EXT_INHIBIT_ANY_POLICY,
	KMF_X509_EXT_AUTH_KEY_ID,
	KMF_X509_EXT_SUBJ_KEY_ID,
	KMF_X509_EXT_POLICY_MAPPINGS,
	KMF_X509_EXT_CRL_DIST_POINTS,
	KMF_X509_EXT_FRESHEST_CRL,
	KMF_X509_EXT_KEY_USAGE
} KMF_PRINTABLE_ITEM;

/*
 * KMF_X509_ALGORITHM_IDENTIFIER
 * This structure holds an object identifier naming a
 * cryptographic algorithm and an optional set of
 * parameters to be used as input to that algorithm.
 */
typedef struct
{
	KMF_OID algorithm;
	KMF_DATA parameters;
} KMF_X509_ALGORITHM_IDENTIFIER;

/*
 * KMF_X509_TYPE_VALUE_PAIR
 * This structure contains a type-value pair (one AttributeTypeAndValue).
 */
typedef struct
{
	KMF_OID type;
	uint8_t valueType; /* The Tag to use when BER encoded */
	KMF_DATA value;
} KMF_X509_TYPE_VALUE_PAIR;


/*
 * KMF_X509_RDN
 * This structure contains a Relative Distinguished Name
 * composed of an ordered set of type-value pairs.
 * AttributeTypeAndValue points at numberOfPairs elements.
 */
typedef struct
{
	uint32_t numberOfPairs;
	KMF_X509_TYPE_VALUE_PAIR *AttributeTypeAndValue;
} KMF_X509_RDN;

/*
 * KMF_X509_NAME
 * This structure contains a set of Relative Distinguished Names.
 * RelativeDistinguishedName points at numberOfRDNs elements.
 */
typedef struct
{
	uint32_t numberOfRDNs;
	KMF_X509_RDN *RelativeDistinguishedName;
} KMF_X509_NAME;

/*
 * KMF_X509_SPKI
 * This structure contains the public key and the
 * description of the verification algorithm
 * appropriate for use with this key.
 */
typedef struct
{
	KMF_X509_ALGORITHM_IDENTIFIER algorithm;
	KMF_DATA subjectPublicKey;
} KMF_X509_SPKI;

/*
 * KMF_X509_TIME
 * Time is represented as a string according to the
 * definitions of GeneralizedTime and UTCTime
 * defined in RFC 2459.
 * timeType presumably carries the ASN.1 tag that tells the two apart -
 * confirm against the decoder.
 */
typedef struct
{
	uint8_t timeType;
	KMF_DATA time;
} KMF_X509_TIME;

/*
 * KMF_X509_VALIDITY
 * The notBefore / notAfter window of a certificate.
 */
typedef struct
{
	KMF_X509_TIME notBefore;
	KMF_X509_TIME notAfter;
} KMF_X509_VALIDITY;

/*
 * KMF_X509EXT_BASICCONSTRAINTS
 * Decoded BasicConstraints. pathLenConstraint is only meaningful when
 * pathLenConstraintPresent is set; a consumer building chains must
 * consult cA before accepting a certificate as an issuer.
 */
typedef struct
{
	KMF_BOOL cA;
	KMF_BOOL pathLenConstraintPresent;
	uint32_t pathLenConstraint;
} KMF_X509EXT_BASICCONSTRAINTS;

/*
 * KMF_X509EXT_DATA_FORMAT
 * This list defines the valid formats for a certificate extension.
 * It selects which member of the KMF_X509_EXTENSION value union is live.
 */
typedef enum
{
	KMF_X509_DATAFORMAT_ENCODED = 0,
	KMF_X509_DATAFORMAT_PARSED,
	KMF_X509_DATAFORMAT_PAIR
} KMF_X509EXT_DATA_FORMAT;


/*
 * KMF_X509EXT_TAGandVALUE
 * This structure contains a BER/DER encoded
 * extension value and the type of that value.
 */
typedef struct
{
	uint8_t type;
	KMF_DATA value;
} KMF_X509EXT_TAGandVALUE;


/*
 * KMF_X509EXT_PAIR
 * This structure aggregates two extension representations:
 * a tag and value, and a parsed X509 extension representation.
 */
typedef struct
{
	KMF_X509EXT_TAGandVALUE tagAndValue;
	void *parsedValue;
} KMF_X509EXT_PAIR;

/*
 * KMF_X509_EXTENSION
 * This structure contains a complete certificate extension.
 * format says which member of value is valid; BERvalue keeps the
 * original encoding regardless. NOTE(review): the X.509 profile requires
 * a consumer to reject a certificate carrying a critical extension it
 * does not understand; that decision is made by the code reading
 * critical, not by this type.
 */
typedef struct
{
	KMF_OID extnId;
	KMF_BOOL critical;
	KMF_X509EXT_DATA_FORMAT format;
	union
	{
		KMF_X509EXT_TAGandVALUE *tagAndValue;
		void *parsedValue;
		KMF_X509EXT_PAIR *valuePair;
	} value;
	KMF_DATA BERvalue;
} KMF_X509_EXTENSION;


/*
 * KMF_X509_EXTENSIONS
 * This structure contains the set of all certificate
 * extensions contained in a certificate.
 * extensions points at numberOfExtensions elements.
 */
typedef struct
{
	uint32_t numberOfExtensions;
	KMF_X509_EXTENSION *extensions;
} KMF_X509_EXTENSIONS;

/*
 * KMF_X509_TBS_CERT
 * This structure contains a complete X.509 certificate.
 * These are the TBSCertificate fields, i.e. everything covered by the
 * signature; the signature itself lives in KMF_X509_CERTIFICATE.
 */
typedef struct
{
	KMF_DATA version;
	KMF_BIGINT serialNumber;
	KMF_X509_ALGORITHM_IDENTIFIER signature;
	KMF_X509_NAME issuer;
	KMF_X509_VALIDITY validity;
	KMF_X509_NAME subject;
	KMF_X509_SPKI subjectPublicKeyInfo;
	KMF_DATA issuerUniqueIdentifier;
	KMF_DATA subjectUniqueIdentifier;
	KMF_X509_EXTENSIONS extensions;
} KMF_X509_TBS_CERT;

/*
 * KMF_X509_SIGNATURE
 * This structure contains a cryptographic digital signature.
 * encrypted holds the signature bytes (the BIT STRING contents).
 */
typedef struct
{
	KMF_X509_ALGORITHM_IDENTIFIER algorithmIdentifier;
	KMF_DATA encrypted;
} KMF_X509_SIGNATURE;

/*
 * KMF_X509_CERTIFICATE
 * This structure associates a set of decoded certificate
 * values with the signature covering those values.
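 */
typedef struct
{
	KMF_X509_TBS_CERT certificate;
	KMF_X509_SIGNATURE signature;
} KMF_X509_CERTIFICATE;

/*
 * Address of the signature-algorithm OID inside the signed (TBS) part
 * and inside the outer signature of the KMF_X509_CERTIFICATE pointed to
 * by c. The X.509 profile requires the two to match; comparing them is
 * the consumer's job. Both the argument and the expansion are
 * parenthesised so that c may be any pointer expression and the result
 * can be used inside a larger expression; the original expansions
 * spliced c in bare and returned an unparenthesised unary-& expression.
 */
#define CERT_ALG_OID(c) (&(c)->certificate.signature.algorithm)
#define CERT_SIG_OID(c) (&(c)->signature.algorithmIdentifier.algorithm)

/*
 * KMF_TBS_CSR
 * This structure contains a complete PKCS#10 certificate request
 * (the CertificationRequestInfo covered by the request signature).
 */
typedef struct
{
	KMF_DATA version;
	KMF_X509_NAME subject;
	KMF_X509_SPKI subjectPublicKeyInfo;
	KMF_X509_EXTENSIONS extensions;
} KMF_TBS_CSR;

/*
 * KMF_CSR_DATA
 * This structure contains a complete PKCS#10 certificate signed request
 */
typedef struct
{
	KMF_TBS_CSR csr;
	KMF_X509_SIGNATURE signature;
} KMF_CSR_DATA;

/*
 * KMF_X509EXT_POLICYQUALIFIERINFO
 * One PolicyQualifierInfo: qualifier OID plus its encoded value.
 */
typedef struct
{
	KMF_OID policyQualifierId;
	KMF_DATA value;
} KMF_X509EXT_POLICYQUALIFIERINFO;

/*
 * KMF_X509EXT_POLICYQUALIFIERS
 * policyQualifier points at numberOfPolicyQualifiers elements.
 */
typedef struct
{
	uint32_t numberOfPolicyQualifiers;
	KMF_X509EXT_POLICYQUALIFIERINFO *policyQualifier;
} KMF_X509EXT_POLICYQUALIFIERS;

/*
 * KMF_X509EXT_POLICYINFO
 * One PolicyInformation entry of the CertificatePolicies extension.
 */
typedef struct
{
	KMF_OID policyIdentifier;
	KMF_X509EXT_POLICYQUALIFIERS policyQualifiers;
} KMF_X509EXT_POLICYINFO;

/* Decoded CertificatePolicies: policyInfo has numberOfPolicyInfo elements. */
typedef struct
{
	uint32_t numberOfPolicyInfo;
	KMF_X509EXT_POLICYINFO *policyInfo;
} KMF_X509EXT_CERT_POLICIES;

/*
 * Decoded KeyUsage. KeyUsageBits is tested against the KMF_* key-usage
 * masks defined further down in this header.
 */
typedef struct
{
	uchar_t critical;
	uint16_t KeyUsageBits;
} KMF_X509EXT_KEY_USAGE;

/* Decoded ExtendedKeyUsage: keyPurposeIdList has nEKUs OIDs. */
typedef struct
{
	uchar_t critical;
	uint16_t nEKUs;
	KMF_OID *keyPurposeIdList;
} KMF_X509EXT_EKU;


/*
 * X509 AuthorityInfoAccess extension
 */
typedef struct
{
	KMF_OID AccessMethod;
	KMF_DATA AccessLocation;
} KMF_X509EXT_ACCESSDESC;

/* AccessDesc points at numberOfAccessDescription elements. */
typedef struct
{
	uint32_t numberOfAccessDescription;
	KMF_X509EXT_ACCESSDESC *AccessDesc;
} KMF_X509EXT_AUTHINFOACCESS;


/*
 * X509 Crl Distribution Point extension
 */
/* One GeneralName: choice selects how name is to be interpreted. */
typedef struct {
	KMF_GENERALNAMECHOICES choice;
	KMF_DATA name;
} KMF_GENERALNAME;

/* namelist points at number elements. */
typedef struct {
	uint32_t number;
	KMF_GENERALNAME *namelist;
} KMF_GENERALNAMES;

/* DistributionPointName CHOICE: fullName or nameRelativeToCRLIssuer. */
typedef enum {
	DP_GENERAL_NAME = 1,
	DP_RELATIVE_NAME = 2
} KMF_CRL_DIST_POINT_TYPE;

/* One DistributionPoint; type selects the live member of name. */
typedef struct {
	KMF_CRL_DIST_POINT_TYPE type;
	union {
		KMF_GENERALNAMES full_name;
		KMF_DATA relative_name;
	} name;
	KMF_DATA reasons;
	KMF_GENERALNAMES crl_issuer;
} KMF_CRL_DIST_POINT;

/* dplist points at number elements. */
typedef struct {
	uint32_t number;
	KMF_CRL_DIST_POINT *dplist;
} KMF_X509EXT_CRLDISTPOINTS;

/*
 * KMF_ATTR_TYPE
 * Tags for the attribute-list calling convention (KMF_ATTRIBUTE below).
 * Values are assigned by position, so new tags must be appended at the
 * end to keep existing callers' numbering intact.
 */
typedef enum {
	KMF_DATA_ATTR,
	KMF_OID_ATTR,
	KMF_BIGINT_ATTR,
	KMF_X509_DER_CERT_ATTR,
	KMF_KEYSTORE_TYPE_ATTR,
	KMF_ENCODE_FORMAT_ATTR,
	KMF_CERT_VALIDITY_ATTR,
	KMF_KU_PURPOSE_ATTR,
	KMF_ALGORITHM_INDEX_ATTR,
	KMF_TOKEN_LABEL_ATTR,
	KMF_READONLY_ATTR,
	KMF_DIRPATH_ATTR,
	KMF_CERTPREFIX_ATTR,
	KMF_KEYPREFIX_ATTR,
	KMF_SECMODNAME_ATTR,
	KMF_CREDENTIAL_ATTR,
	KMF_TRUSTFLAG_ATTR,
	KMF_CRL_FILENAME_ATTR,
	KMF_CRL_CHECK_ATTR,
	KMF_CRL_DATA_ATTR,
	KMF_CRL_SUBJECT_ATTR,
	KMF_CRL_ISSUER_ATTR,
	KMF_CRL_NAMELIST_ATTR,
	KMF_CRL_COUNT_ATTR,
	KMF_CRL_OUTFILE_ATTR,
	KMF_CERT_LABEL_ATTR,
	KMF_SUBJECT_NAME_ATTR,
	KMF_ISSUER_NAME_ATTR,
	KMF_CERT_FILENAME_ATTR,
	KMF_KEY_FILENAME_ATTR,
	KMF_OUTPUT_FILENAME_ATTR,
	KMF_IDSTR_ATTR,
	KMF_CERT_DATA_ATTR,
	KMF_OCSP_RESPONSE_DATA_ATTR,
	KMF_OCSP_RESPONSE_STATUS_ATTR,
	KMF_OCSP_RESPONSE_REASON_ATTR,
	KMF_OCSP_RESPONSE_CERT_STATUS_ATTR,
	KMF_OCSP_REQUEST_FILENAME_ATTR,
	KMF_KEYALG_ATTR,
	KMF_KEYCLASS_ATTR,
	KMF_KEYLABEL_ATTR,
	KMF_KEYLENGTH_ATTR,
	KMF_RSAEXP_ATTR,
	KMF_TACERT_DATA_ATTR,
	KMF_SLOT_ID_ATTR,
	KMF_PK12CRED_ATTR,
	KMF_ISSUER_CERT_DATA_ATTR,
	KMF_USER_CERT_DATA_ATTR,
	KMF_SIGNER_CERT_DATA_ATTR,
	KMF_IGNORE_RESPONSE_SIGN_ATTR,
	KMF_RESPONSE_LIFETIME_ATTR,
	KMF_KEY_HANDLE_ATTR,
	KMF_PRIVKEY_HANDLE_ATTR,
	KMF_PUBKEY_HANDLE_ATTR,
	KMF_ERROR_ATTR,
	KMF_X509_NAME_ATTR,
	KMF_X509_SPKI_ATTR,
	KMF_X509_CERTIFICATE_ATTR,
	KMF_RAW_KEY_ATTR,
	KMF_CSR_DATA_ATTR,
	KMF_GENERALNAMECHOICES_ATTR,
	KMF_STOREKEY_BOOL_ATTR,
	KMF_SENSITIVE_BOOL_ATTR,
	KMF_NON_EXTRACTABLE_BOOL_ATTR,
	KMF_TOKEN_BOOL_ATTR,
	KMF_PRIVATE_BOOL_ATTR,
	KMF_NEWPIN_ATTR,
	KMF_IN_SIGN_ATTR,
	KMF_OUT_DATA_ATTR,
	KMF_COUNT_ATTR,
	KMF_DESTROY_BOOL_ATTR,
	KMF_TBS_CERT_DATA_ATTR,
	KMF_PLAINTEXT_DATA_ATTR,
	KMF_CIPHERTEXT_DATA_ATTR,
	KMF_VALIDATE_RESULT_ATTR,
	KMF_KEY_DATA_ATTR
} KMF_ATTR_TYPE;

/*
 * KMF_ATTRIBUTE
 * A tagged, untyped argument: pValue points at valueLen bytes whose real
 * type is implied by type. NOTE(review): because pValue is a void *, a
 * consumer must check valueLen against the size the tag implies before
 * reading through it; the type offers no protection of its own.
 */
typedef struct {
	KMF_ATTR_TYPE type;
	void *pValue;
	uint32_t valueLen;
} KMF_ATTRIBUTE;

/*
 * Definitions for common X.509v3 certificate attribute OIDs
 *
 * Each OID_* macro expands to a comma-separated list of DER arc bytes,
 * meant for use inside an array initialiser, and each OID_*_LENGTH
 * macro must equal the number of bytes in that list. A mismatch makes a
 * KMF_OID built from the pair over- or under-read its array, so keep
 * the two in step whenever either is edited.
 */
#define OID_ISO_MEMBER 42 /* Also in PKCS */
#define OID_US OID_ISO_MEMBER, 134, 72 /* Also in PKCS */
#define OID_CA OID_ISO_MEMBER, 124

#define OID_ISO_IDENTIFIED_ORG 43
#define OID_OSINET OID_ISO_IDENTIFIED_ORG, 4
#define OID_GOSIP OID_ISO_IDENTIFIED_ORG, 5
#define OID_DOD OID_ISO_IDENTIFIED_ORG, 6
#define OID_OIW OID_ISO_IDENTIFIED_ORG, 14 /* Also in x9.57 */

#define OID_ISO_CCITT_DIR_SERVICE 85
#define OID_ISO_CCITT_COUNTRY 96
#define OID_COUNTRY_US OID_ISO_CCITT_COUNTRY, 134, 72
#define OID_COUNTRY_CA OID_ISO_CCITT_COUNTRY, 124
#define OID_COUNTRY_US_ORG OID_COUNTRY_US, 1
#define OID_COUNTRY_US_MHS_MD OID_COUNTRY_US, 2
#define OID_COUNTRY_US_STATE OID_COUNTRY_US, 3

/* From the PKCS Standards */
#define OID_ISO_MEMBER_LENGTH 1
#define OID_US_LENGTH (OID_ISO_MEMBER_LENGTH + 2)

#define OID_RSA OID_US, 134, 247, 13
#define OID_RSA_LENGTH (OID_US_LENGTH + 3)

#define OID_RSA_HASH OID_RSA, 2
#define OID_RSA_HASH_LENGTH (OID_RSA_LENGTH + 1)

#define OID_RSA_ENCRYPT OID_RSA, 3
#define OID_RSA_ENCRYPT_LENGTH (OID_RSA_LENGTH + 1)

#define OID_PKCS OID_RSA, 1
#define OID_PKCS_LENGTH (OID_RSA_LENGTH + 1)

#define OID_PKCS_1 OID_PKCS, 1
#define OID_PKCS_1_LENGTH (OID_PKCS_LENGTH + 1)

#define OID_PKCS_2 OID_PKCS, 2
#define OID_PKCS_3 OID_PKCS, 3
#define OID_PKCS_3_LENGTH (OID_PKCS_LENGTH + 1)

#define OID_PKCS_4 OID_PKCS, 4
#define OID_PKCS_5 OID_PKCS, 5
#define OID_PKCS_5_LENGTH (OID_PKCS_LENGTH + 1)
#define OID_PKCS_6 OID_PKCS, 6
#define OID_PKCS_7 OID_PKCS, 7
#define OID_PKCS_7_LENGTH (OID_PKCS_LENGTH + 1)

#define OID_PKCS_7_Data OID_PKCS_7, 1
#define OID_PKCS_7_SignedData OID_PKCS_7, 2
#define OID_PKCS_7_EnvelopedData OID_PKCS_7, 3
#define OID_PKCS_7_SignedAndEnvelopedData OID_PKCS_7, 4
#define OID_PKCS_7_DigestedData OID_PKCS_7, 5
#define OID_PKCS_7_EncryptedData OID_PKCS_7, 6

#define OID_PKCS_8 OID_PKCS, 8
#define OID_PKCS_9 OID_PKCS, 9
#define OID_PKCS_9_LENGTH (OID_PKCS_LENGTH + 1)

#define OID_PKCS_9_CONTENT_TYPE OID_PKCS_9, 3
#define OID_PKCS_9_MESSAGE_DIGEST OID_PKCS_9, 4
#define OID_PKCS_9_SIGNING_TIME OID_PKCS_9, 5
#define OID_PKCS_9_COUNTER_SIGNATURE OID_PKCS_9, 6
#define OID_PKCS_9_EXTENSION_REQUEST OID_PKCS_9, 14

#define OID_PKCS_10 OID_PKCS, 10

#define OID_PKCS_12 OID_PKCS, 12
#define OID_PKCS_12_LENGTH (OID_PKCS_LENGTH + 1)

/* PKCS#12 password-based encryption schemes (pkcs-12PbeIds). */
#define PBEWithSHAAnd128BitRC4 OID_PKCS_12, 1, 1
#define PBEWithSHAAnd40BitRC4 OID_PKCS_12, 1, 2
#define PBEWithSHAAnd3KeyTripleDES_CBC OID_PKCS_12, 1, 3
#define PBEWithSHAAnd2KeyTripleDES_CBC OID_PKCS_12, 1, 4
#define PBEWithSHAAnd128BitRC2_CBC OID_PKCS_12, 1, 5
#define PBEWithSHAAnd40BitRC2_CBC OID_PKCS_12, 1, 6

/* PKCS#12 SafeBag types. */
#define OID_BAG_TYPES OID_PKCS_12, 10, 1
#define OID_KeyBag OID_BAG_TYPES, 1
#define OID_PKCS8ShroudedKeyBag OID_BAG_TYPES, 2
#define OID_CertBag OID_BAG_TYPES, 3
#define OID_CrlBag OID_BAG_TYPES, 4
#define OID_SecretBag OID_BAG_TYPES, 5
#define OID_SafeContentsBag OID_BAG_TYPES, 6

#define OID_ContentInfo OID_PKCS_7, 0, 1

#define OID_CERT_TYPES OID_PKCS_9, 22
#define OID_x509Certificate OID_CERT_TYPES, 1
#define OID_sdsiCertificate OID_CERT_TYPES, 2

#define OID_CRL_TYPES OID_PKCS_9, 23
#define OID_x509Crl OID_CRL_TYPES, 1

#define OID_DS OID_ISO_CCITT_DIR_SERVICE /* Also in X.501 */
#define OID_DS_LENGTH 1

#define OID_ATTR_TYPE OID_DS, 4 /* Also in X.501 */
#define OID_ATTR_TYPE_LENGTH (OID_DS_LENGTH + 1)

#define OID_DSALG OID_DS, 8 /* Also in X.501 */
#define OID_DSALG_LENGTH (OID_DS_LENGTH + 1)

#define OID_EXTENSION OID_DS, 29 /* Also in X.501 */
#define OID_EXTENSION_LENGTH (OID_DS_LENGTH + 1)

/*
 * From RFC 1274:
 * {itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100) pilotAttributeType(1) }
 */
#define OID_PILOT 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x1
#define OID_PILOT_LENGTH 9

/*
 * The comma before the appended arc was missing, so this macro could
 * not be used in an initialiser like its siblings; OID_USERID_LENGTH
 * already counts the extra arc.
 */
#define OID_USERID OID_PILOT, 1
#define OID_USERID_LENGTH (OID_PILOT_LENGTH + 1)

/*
 * From PKIX part1
 * { iso(1) identified-organization(3) dod(6) internet(1)
 * security(5) mechanisms(5) pkix(7) }
 */
#define OID_PKIX 43, 6, 1, 5, 5, 7
#define OID_PKIX_LENGTH 6

/* private certificate extensions, { id-pkix 1 } */
#define OID_PKIX_PE OID_PKIX, 1
#define OID_PKIX_PE_LENGTH (OID_PKIX_LENGTH + 1)

/* policy qualifier types {id-pkix 2 } */
#define OID_PKIX_QT OID_PKIX, 2
#define OID_PKIX_QT_LENGTH (OID_PKIX_LENGTH + 1)

/* CPS qualifier, { id-qt 1 } */
#define OID_PKIX_QT_CPS OID_PKIX_QT, 1
#define OID_PKIX_QT_CPS_LENGTH (OID_PKIX_QT_LENGTH + 1)
/* user notice qualifier, { id-qt 2 } */
#define OID_PKIX_QT_UNOTICE OID_PKIX_QT, 2
#define OID_PKIX_QT_UNOTICE_LENGTH (OID_PKIX_QT_LENGTH + 1)

/* extended key purpose OIDs {id-pkix 3 } */
#define OID_PKIX_KP OID_PKIX, 3
#define OID_PKIX_KP_LENGTH (OID_PKIX_LENGTH + 1)

/* access descriptors {id-pkix 48 } (id-ad; the arc below is 48, not 4) */
#define OID_PKIX_AD OID_PKIX, 48
#define OID_PKIX_AD_LENGTH (OID_PKIX_LENGTH + 1)

/* access descriptors */
/* OCSP */
#define OID_PKIX_AD_OCSP OID_PKIX_AD, 1
#define OID_PKIX_AD_OCSP_LENGTH (OID_PKIX_AD_LENGTH + 1)

/* cAIssuers */
#define OID_PKIX_AD_CAISSUERS OID_PKIX_AD, 2
#define OID_PKIX_AD_CAISSUERS_LENGTH (OID_PKIX_AD_LENGTH + 1)

/* end PKIX part1 */

/*
 * From RFC4556 (PKINIT)
 *
 * pkinit = { iso(1) identified-organization(3) dod(6) internet(1)
 * security(5) kerberosv5(2) pkinit(3) }
 */
#define OID_KRB5_PKINIT 43, 6, 1, 5, 2, 3
#define OID_KRB5_PKINIT_LENGTH 6

#define OID_KRB5_PKINIT_KPCLIENTAUTH OID_KRB5_PKINIT, 4
#define OID_KRB5_PKINIT_KPCLIENTAUTH_LENGTH (OID_KRB5_PKINIT_LENGTH + 1)

#define OID_KRB5_PKINIT_KPKDC OID_KRB5_PKINIT, 5
#define OID_KRB5_PKINIT_KPKDC_LENGTH (OID_KRB5_PKINIT_LENGTH + 1)

#define OID_KRB5_SAN 43, 6, 1, 5, 2, 2
#define OID_KRB5_SAN_LENGTH 6

/*
 * Microsoft OIDs:
 * id-ms-san-sc-logon-upn =
 * {iso(1) identified-organization(3) dod(6) internet(1) private(4)
 * enterprise(1) microsoft(311) 20 2 3}
 *
 * id-ms-kp-sc-logon =
 * {iso(1) identified-organization(3) dod(6) internet(1) private(4)
 * enterprise(1) microsoft(311) 20 2 2}
 */
#define OID_MS 43, 6, 1, 4, 1, 130, 55
#define OID_MS_LENGTH 7
#define OID_MS_KP_SC_LOGON OID_MS, 20, 2, 2
#define OID_MS_KP_SC_LOGON_LENGTH (OID_MS_LENGTH + 3)

#define OID_MS_KP_SC_LOGON_UPN OID_MS, 20, 2, 3
#define OID_MS_KP_SC_LOGON_UPN_LENGTH (OID_MS_LENGTH + 3)

/*
 * The arc list has seven bytes; the length was 8, which would have made
 * any KMF_OID built from this pair read one byte past its array.
 */
#define OID_APPL_TCP_PROTO 43, 6, 1, 2, 1, 27, 4
#define OID_APPL_TCP_PROTO_LENGTH 7

#define OID_DAP OID_DS, 3, 1
#define OID_DAP_LENGTH (OID_DS_LENGTH + 2)

/* From x9.57 */
#define OID_OIW_LENGTH 2

#define OID_OIW_SECSIG OID_OIW, 3
#define OID_OIW_SECSIG_LENGTH (OID_OIW_LENGTH + 1)

#define OID_OIW_ALGORITHM OID_OIW_SECSIG, 2
#define OID_OIW_ALGORITHM_LENGTH (OID_OIW_SECSIG_LENGTH + 1)

#define OID_OIWDIR OID_OIW, 7, 2
#define OID_OIWDIR_LENGTH (OID_OIW_LENGTH + 2)

#define OID_OIWDIR_CRPT OID_OIWDIR, 1

#define OID_OIWDIR_HASH OID_OIWDIR, 2
#define OID_OIWDIR_HASH_LENGTH (OID_OIWDIR_LENGTH + 1)

#define OID_OIWDIR_SIGN OID_OIWDIR, 3
#define OID_OIWDIR_SIGN_LENGTH (OID_OIWDIR_LENGTH + 1)

#define OID_X9CM OID_US, 206, 56
#define OID_X9CM_MODULE OID_X9CM, 1
#define OID_X9CM_INSTRUCTION OID_X9CM, 2
#define OID_X9CM_ATTR OID_X9CM, 3
#define OID_X9CM_X9ALGORITHM OID_X9CM, 4
#define OID_X9CM_X9ALGORITHM_LENGTH ((OID_US_LENGTH) + 2 + 1)

#define INTEL 96, 134, 72, 1, 134, 248, 77
#define INTEL_LENGTH 7

/*
 * NOTE(review): INTEL_CDSASECURITY and INTEL_CDSASECURITY_LENGTH are not
 * defined anywhere above in this header, so the four macros below only
 * expand where some other header supplies them.
 */
#define INTEL_SEC_FORMATS INTEL_CDSASECURITY, 1
#define INTEL_SEC_FORMATS_LENGTH (INTEL_CDSASECURITY_LENGTH + 1)

#define INTEL_SEC_ALGS INTEL_CDSASECURITY, 2, 5
#define INTEL_SEC_ALGS_LENGTH (INTEL_CDSASECURITY_LENGTH + 2)

/*
 * Pre-built KMF_OID constants for X.500/X.520 attribute types and PKCS#9
 * attributes. They are defined in another compilation unit of the
 * library; this header only declares them.
 */
extern const KMF_OID
KMFOID_AliasedEntryName,
KMFOID_AuthorityRevocationList,
KMFOID_BusinessCategory,
KMFOID_CACertificate,
KMFOID_CertificateRevocationList,
KMFOID_ChallengePassword,
KMFOID_CollectiveFacsimileTelephoneNumber,
KMFOID_CollectiveInternationalISDNNumber,
KMFOID_CollectiveOrganizationName,
KMFOID_CollectiveOrganizationalUnitName,
KMFOID_CollectivePhysicalDeliveryOfficeName,
KMFOID_CollectivePostOfficeBox,
KMFOID_CollectivePostalAddress,
KMFOID_CollectivePostalCode,
KMFOID_CollectiveStateProvinceName,
KMFOID_CollectiveStreetAddress,
KMFOID_CollectiveTelephoneNumber,
KMFOID_CollectiveTelexNumber,
KMFOID_CollectiveTelexTerminalIdentifier,
KMFOID_CommonName,
KMFOID_ContentType,
KMFOID_CounterSignature,
KMFOID_CountryName,
KMFOID_CrossCertificatePair,
KMFOID_DNQualifier,
KMFOID_Description,
KMFOID_DestinationIndicator,
KMFOID_DistinguishedName,
KMFOID_EmailAddress,
KMFOID_EnhancedSearchGuide,
KMFOID_ExtendedCertificateAttributes,
KMFOID_ExtensionRequest,
KMFOID_FacsimileTelephoneNumber,
KMFOID_GenerationQualifier,
KMFOID_GivenName,
KMFOID_HouseIdentifier,
KMFOID_Initials,
KMFOID_InternationalISDNNumber,
KMFOID_KnowledgeInformation,
KMFOID_LocalityName,
KMFOID_Member,
KMFOID_MessageDigest,
KMFOID_Name,
KMFOID_ObjectClass,
KMFOID_OrganizationName,
KMFOID_OrganizationalUnitName,
KMFOID_Owner,
KMFOID_PhysicalDeliveryOfficeName,
KMFOID_PostOfficeBox,
KMFOID_PostalAddress,
KMFOID_PostalCode,
KMFOID_PreferredDeliveryMethod,
KMFOID_PresentationAddress,
KMFOID_ProtocolInformation,
KMFOID_RFC822mailbox,
KMFOID_RegisteredAddress,
KMFOID_RoleOccupant,
KMFOID_SearchGuide,
KMFOID_SeeAlso,
KMFOID_SerialNumber,
KMFOID_SigningTime,
KMFOID_StateProvinceName,
KMFOID_StreetAddress,
KMFOID_SupportedApplicationContext,
KMFOID_Surname,
KMFOID_TelephoneNumber,
KMFOID_TelexNumber,
KMFOID_TelexTerminalIdentifier,
KMFOID_Title,
KMFOID_UniqueIdentifier,
KMFOID_UniqueMember,
KMFOID_UnstructuredAddress,
KMFOID_UnstructuredName,
KMFOID_UserCertificate,
KMFOID_UserPassword,
KMFOID_X_121Address,
KMFOID_domainComponent,
KMFOID_userid;

/*
 * Pre-built KMF_OID constants for certificate/CRL extensions, PKIX
 * policy qualifiers and key purposes, and signature/digest algorithms.
 */
extern const KMF_OID
KMFOID_AuthorityKeyID,
KMFOID_AuthorityInfoAccess,
KMFOID_VerisignCertificatePolicy,
KMFOID_KeyUsageRestriction,
KMFOID_SubjectDirectoryAttributes,
KMFOID_SubjectKeyIdentifier,
KMFOID_KeyUsage,
KMFOID_PrivateKeyUsagePeriod,
KMFOID_SubjectAltName,
KMFOID_IssuerAltName,
KMFOID_BasicConstraints,
KMFOID_CrlNumber,
KMFOID_CrlReason,
KMFOID_HoldInstructionCode,
KMFOID_InvalidityDate,
KMFOID_DeltaCrlIndicator,
KMFOID_IssuingDistributionPoints,
KMFOID_NameConstraints,
KMFOID_CrlDistributionPoints,
KMFOID_CertificatePolicies,
KMFOID_PolicyMappings,
KMFOID_PolicyConstraints,
KMFOID_AuthorityKeyIdentifier,
KMFOID_ExtendedKeyUsage,
KMFOID_PkixAdOcsp,
KMFOID_PkixAdCaIssuers,
KMFOID_PKIX_PQ_CPSuri,
KMFOID_PKIX_PQ_Unotice,
KMFOID_PKIX_KP_ServerAuth,
KMFOID_PKIX_KP_ClientAuth,
KMFOID_PKIX_KP_CodeSigning,
KMFOID_PKIX_KP_EmailProtection,
KMFOID_PKIX_KP_IPSecEndSystem,
KMFOID_PKIX_KP_IPSecTunnel,
KMFOID_PKIX_KP_IPSecUser,
KMFOID_PKIX_KP_TimeStamping,
KMFOID_PKIX_KP_OCSPSigning,
KMFOID_SHA1,
KMFOID_RSA,
KMFOID_DSA,
KMFOID_MD5WithRSA,
KMFOID_MD2WithRSA,
KMFOID_SHA1WithRSA,
KMFOID_SHA1WithDSA,
KMFOID_OIW_DSAWithSHA1,
KMFOID_X9CM_DSA,
KMFOID_X9CM_DSAWithSHA1;

/* For PKINIT support */
extern const KMF_OID
KMFOID_PKINIT_san,
KMFOID_PKINIT_ClientAuth,
KMFOID_PKINIT_Kdc,
KMFOID_MS_KP_SCLogon,
KMFOID_MS_KP_SCLogon_UPN;

/*
 * KMF Certificate validation codes. These may be masked together.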
 * Each ERR bit names one check that failed; a result is fully
 * successful only when it equals KMF_CERT_VALIDATE_OK (0), so test for
 * equality with OK rather than for any particular bit being clear.
 */
#define KMF_CERT_VALIDATE_OK 0x00
#define KMF_CERT_VALIDATE_ERR_TA 0x01
#define KMF_CERT_VALIDATE_ERR_USER 0x02
#define KMF_CERT_VALIDATE_ERR_SIGNATURE 0x04
#define KMF_CERT_VALIDATE_ERR_KEYUSAGE 0x08
#define KMF_CERT_VALIDATE_ERR_EXT_KEYUSAGE 0x10
#define KMF_CERT_VALIDATE_ERR_TIME 0x20
#define KMF_CERT_VALIDATE_ERR_CRL 0x40
#define KMF_CERT_VALIDATE_ERR_OCSP 0x80
#define KMF_CERT_VALIDATE_ERR_ISSUER 0x100 /* does not fit in a byte */

/*
 * KMF Key Usage bitmasks
 * Bit positions follow the KeyUsage BIT STRING read MSB-first into a
 * 16-bit word (digitalSignature is bit 0 of the string, hence 0x8000);
 * these are the masks applied to KMF_X509EXT_KEY_USAGE.KeyUsageBits.
 */
#define KMF_digitalSignature 0x8000
#define KMF_nonRepudiation 0x4000
#define KMF_keyEncipherment 0x2000
#define KMF_dataEncipherment 0x1000
#define KMF_keyAgreement 0x0800
#define KMF_keyCertSign 0x0400
#define KMF_cRLSign 0x0200
#define KMF_encipherOnly 0x0100
#define KMF_decipherOnly 0x0080

/* Union of all nine usage bits above. */
#define KMF_KUBITMASK 0xFF80

/*
 * KMF Extended KeyUsage OID definitions
 * Bit flags, one per recognised key purpose; they may be OR-ed together.
 */
#define KMF_EKU_SERVERAUTH 0x01
#define KMF_EKU_CLIENTAUTH 0x02
#define KMF_EKU_CODESIGNING 0x04
#define KMF_EKU_EMAIL 0x08
#define KMF_EKU_TIMESTAMP 0x10
#define KMF_EKU_OCSPSIGNING 0x20


/*
 * Legacy support only - do not use these data structures - they can be
 * removed at any time.
 */

/* Keystore Configuration */

/*
 * NSS keystore location and object-name prefixes. Ownership of these
 * strings (who allocates and frees them) is not stated in this header.
 */
typedef struct {
	char *configdir;
	char *certPrefix;
	char *keyPrefix;
	char *secModName;
} KMF_NSS_CONFIG;

/* PKCS#11 token selection: token label and whether to open it read-only. */
typedef struct {
	char *label;
	boolean_t readonly;
} KMF_PKCS11_CONFIG;

/*
 * Keystore configuration; kstype (KMF_KEYSTORE_*) selects which member of
 * ks_config_u is meaningful. There is no member for the OpenSSL keystore.
 */
typedef struct {
	KMF_KEYSTORE_TYPE kstype;
	union {
		KMF_NSS_CONFIG nss_conf;
		KMF_PKCS11_CONFIG pkcs11_conf;
	} ks_config_u;
} KMF_CONFIG_PARAMS;

/*
 * Shorthand for the union members. These are object-like, lowercase
 * macros, so they rewrite the bare identifiers nssconfig/pkcs11config in
 * every translation unit that includes this header, not only after a
 * member-access operator.
 */
#define	nssconfig	ks_config_u.nss_conf
#define	pkcs11config	ks_config_u.pkcs11_conf


/*
 * NSS-specific operation parameters. Which members are consulted depends on
 * the operation, as noted per member; the header does not state defaults
 * for the unannotated members.
 */
typedef struct
{
	char *trustflag;
	char *slotlabel;		/* "internal" by default */
	int issuerId;
	int subjectId;
	char *crlfile;			/* for ImportCRL */
	boolean_t crl_check;		/* for ImportCRL */

	/*
	 * The following 2 variables are for FindCertInCRL. The caller can
	 * either specify certLabel or provide the entire certificate in
	 * DER format as input.
	 */
	char *certLabel;		/* for FindCertInCRL */
	KMF_DATA *certificate;		/* for FindCertInCRL */

	/*
	 * crl_subjName and crl_issuerName are used as the CRL deletion
	 * criteria. One should be non-NULL and the other one should be NULL.
	 * If crl_subjName is not NULL, then delete CRL by the subject name.
	 * Otherwise, delete by the issuer name.
	 */
	char *crl_subjName;
	char *crl_issuerName;
} KMF_NSS_PARAMS;

/*
 * OpenSSL (file-based) keystore parameters: paths of the files the
 * operation reads or writes, plus the output encoding.
 */
typedef struct {
	char *dirpath;
	char *certfile;
	char *crlfile;
	char *keyfile;
	char *outcrlfile;
	boolean_t crl_check;		/* CRL import check; default is true */
	KMF_ENCODE_FORMAT format;	/* output file format */
} KMF_OPENSSL_PARAMS;

/*
 * PKCS#11 object attribute selectors.
 * NOTE(review): "private" is a C++ keyword, so this struct cannot be
 * compiled as C++ even though the header is wrapped in extern "C".
 * Renaming the member would break existing C callers, so it is left as is.
 */
typedef struct {
	boolean_t private;		/* for finding CKA_PRIVATE objects */
	boolean_t sensitive;
	boolean_t not_extractable;
	boolean_t token;		/* true == token object, false == session */
} KMF_PKCS11_PARAMS;

/*
 * Certificate search / deletion criteria. One struct under two names:
 * KMF_FINDCERT_PARAMS and KMF_DELETECERT_PARAMS are the same type.
 * kstype selects which ks_opt_u member is meaningful.
 */
typedef struct {
	KMF_KEYSTORE_TYPE kstype;
	char *certLabel;
	char *issuer;
	char *subject;
	char *idstr;
	KMF_BIGINT *serial;
	KMF_CERT_VALIDITY find_cert_validity;

	union {
		KMF_NSS_PARAMS nss_opts;
		KMF_OPENSSL_PARAMS openssl_opts;
		KMF_PKCS11_PARAMS pkcs11_opts;
	} ks_opt_u;
} KMF_FINDCERT_PARAMS, KMF_DELETECERT_PARAMS;

/*
 * Key search criteria. KMF_CREDENTIAL, KMF_KEY_CLASS and KMF_KEY_ALG are
 * defined earlier in this header. kstype selects the ks_opt_u member.
 */
typedef struct {
	KMF_KEYSTORE_TYPE kstype;
	KMF_CREDENTIAL cred;
	KMF_KEY_CLASS keyclass;
	KMF_KEY_ALG keytype;
	KMF_ENCODE_FORMAT format;	/* for key */
	char *findLabel;
	char *idstr;
	union {
		KMF_NSS_PARAMS nss_opts;
		KMF_OPENSSL_PARAMS openssl_opts;
		KMF_PKCS11_PARAMS pkcs11_opts;
	} ks_opt_u;
} KMF_FINDKEY_PARAMS;

/*
 * Key pair generation parameters. Note that rsa_exponent is held by value
 * (unlike serial in the find/delete structs, which is a pointer), and that
 * this union has no pkcs11_opts member, so the pkcs11parms macro below
 * cannot be applied to this type.
 */
typedef struct {
	KMF_KEYSTORE_TYPE kstype;
	KMF_KEY_ALG keytype;
	uint32_t keylength;
	char *keylabel;
	KMF_CREDENTIAL cred;
	KMF_BIGINT rsa_exponent;
	union {
		KMF_NSS_PARAMS nss_opts;
		KMF_OPENSSL_PARAMS openssl_opts;
	} ks_opt_u;
} KMF_CREATEKEYPAIR_PARAMS;


/*
 * Parameters for cryptographic operations keyed by a certificate (selected
 * by certLabel). As with KMF_CREATEKEYPAIR_PARAMS, the union has no
 * pkcs11_opts member.
 */
typedef struct {
	KMF_KEYSTORE_TYPE kstype;
	KMF_CREDENTIAL cred;
	KMF_ENCODE_FORMAT format;	/* for key */
	char *certLabel;
	KMF_ALGORITHM_INDEX algid;
	union {
		KMF_NSS_PARAMS nss_opts;
		KMF_OPENSSL_PARAMS openssl_opts;
	} ks_opt_u;
} KMF_CRYPTOWITHCERT_PARAMS;

/* Names the CRL whose dates are to be checked. */
typedef struct {
	char *crl_name;
} KMF_CHECKCRLDATE_PARAMS;

/*
 * Shorthand for the ks_opt_u members of the *_PARAMS structs above. Like
 * nssconfig/pkcs11config, these are object-like lowercase macros and
 * rewrite the bare identifiers everywhere this header is included.
 */
#define	nssparms	ks_opt_u.nss_opts
#define	sslparms	ks_opt_u.openssl_opts
#define	pkcs11parms	ks_opt_u.pkcs11_opts

#ifdef __cplusplus
}
#endif
#endif /* _KMFTYPES_H */