1 /* 2 * Copyright (c) 1995-2000 Intel Corporation. All rights reserved. 3 */ 4 /* 5 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 6 * Use is subject to license terms. 7 */ 8 9 #ifndef _KMFTYPES_H 10 #define _KMFTYPES_H 11 12 #include <sys/types.h> 13 #include <stdlib.h> 14 #include <strings.h> 15 #include <pthread.h> 16 17 #include <security/cryptoki.h> 18 19 #ifdef __cplusplus 20 extern "C" { 21 #endif 22 23 typedef uint32_t KMF_BOOL; 24 25 #define KMF_FALSE (0) 26 #define KMF_TRUE (1) 27 28 /* KMF_HANDLE_T is a pointer to an incomplete C struct for type safety. */ 29 typedef struct _kmf_handle *KMF_HANDLE_T; 30 31 /* 32 * KMF_DATA 33 * The KMF_DATA structure is used to associate a length, in bytes, with 34 * an arbitrary block of contiguous memory. 35 */ 36 typedef struct kmf_data 37 { 38 size_t Length; /* in bytes */ 39 uchar_t *Data; 40 } KMF_DATA; 41 42 typedef struct { 43 uchar_t *val; 44 size_t len; 45 } KMF_BIGINT; 46 47 /* 48 * KMF_OID 49 * The object identifier (OID) structure is used to hold a unique identifier for 50 * the atomic data fields and the compound substructure that comprise the fields 51 * of a certificate or CRL. 52 */ 53 typedef KMF_DATA KMF_OID; 54 55 typedef struct kmf_x509_private { 56 int keystore_type; 57 int flags; /* see below */ 58 char *label; 59 #define KMF_FLAG_CERT_VALID 1 /* contains valid certificate */ 60 #define KMF_FLAG_CERT_SIGNED 2 /* this is a signed certificate */ 61 } KMF_X509_PRIVATE; 62 63 /* 64 * KMF_X509_DER_CERT 65 * This structure associates packed DER certificate data. 66 * Also, it contains the private information internal used 67 * by KMF layer. 68 */ 69 typedef struct 70 { 71 KMF_DATA certificate; 72 KMF_X509_PRIVATE kmf_private; 73 } KMF_X509_DER_CERT; 74 75 typedef int KMF_KEYSTORE_TYPE; 76 #define KMF_KEYSTORE_NSS 1 77 #define KMF_KEYSTORE_OPENSSL 2 78 #define KMF_KEYSTORE_PK11TOKEN 3 79 80 #define VALID_DEFAULT_KEYSTORE_TYPE(t) ((t >= KMF_KEYSTORE_NSS) &&\ 81 (t <= KMF_KEYSTORE_PK11TOKEN)) 82 83 typedef enum { 84 KMF_FORMAT_UNDEF = 0, 85 KMF_FORMAT_ASN1 = 1, /* DER */ 86 KMF_FORMAT_PEM = 2, 87 KMF_FORMAT_PKCS12 = 3, 88 KMF_FORMAT_RAWKEY = 4, /* For FindKey operation */ 89 KMF_FORMAT_PEM_KEYPAIR = 5 90 } KMF_ENCODE_FORMAT; 91 92 #define KMF_FORMAT_NATIVE KMF_FORMAT_UNDEF 93 94 typedef enum { 95 KMF_ALL_CERTS = 0, 96 KMF_NONEXPIRED_CERTS = 1, 97 KMF_EXPIRED_CERTS = 2 98 } KMF_CERT_VALIDITY; 99 100 101 typedef enum { 102 KMF_ALL_EXTNS = 0, 103 KMF_CRITICAL_EXTNS = 1, 104 KMF_NONCRITICAL_EXTNS = 2 105 } KMF_FLAG_CERT_EXTN; 106 107 108 typedef enum { 109 KMF_KU_SIGN_CERT = 0, 110 KMF_KU_SIGN_DATA = 1, 111 KMF_KU_ENCRYPT_DATA = 2 112 } KMF_KU_PURPOSE; 113 114 /* 115 * Algorithms 116 * This type defines a set of constants used to identify cryptographic 117 * algorithms. 118 */ 119 typedef enum { 120 KMF_ALGID_NONE = 0, 121 KMF_ALGID_CUSTOM, 122 KMF_ALGID_SHA1, 123 KMF_ALGID_RSA, 124 KMF_ALGID_DSA, 125 KMF_ALGID_MD5WithRSA, 126 KMF_ALGID_MD2WithRSA, 127 KMF_ALGID_SHA1WithRSA, 128 KMF_ALGID_SHA1WithDSA 129 } KMF_ALGORITHM_INDEX; 130 131 132 /* 133 * Generic credential structure used by other structures below 134 * to convey authentication information to the underlying 135 * mechanisms. 136 */ 137 typedef struct { 138 char *cred; 139 uint32_t credlen; 140 } KMF_CREDENTIAL; 141 142 typedef enum { 143 KMF_KEYALG_NONE = 0, 144 KMF_RSA = 1, 145 KMF_DSA = 2, 146 KMF_AES = 3, 147 KMF_RC4 = 4, 148 KMF_DES = 5, 149 KMF_DES3 = 6, 150 KMF_GENERIC_SECRET = 7 151 }KMF_KEY_ALG; 152 153 typedef enum { 154 KMF_KEYCLASS_NONE = 0, 155 KMF_ASYM_PUB = 1, /* public key of an asymmetric keypair */ 156 KMF_ASYM_PRI = 2, /* private key of an asymmetric keypair */ 157 KMF_SYMMETRIC = 3 /* symmetric key */ 158 }KMF_KEY_CLASS; 159 160 161 typedef enum { 162 KMF_CERT = 0, 163 KMF_CSR = 1, 164 KMF_CRL = 2 165 }KMF_OBJECT_TYPE; 166 167 168 typedef struct { 169 KMF_BIGINT mod; 170 KMF_BIGINT pubexp; 171 KMF_BIGINT priexp; 172 KMF_BIGINT prime1; 173 KMF_BIGINT prime2; 174 KMF_BIGINT exp1; 175 KMF_BIGINT exp2; 176 KMF_BIGINT coef; 177 } KMF_RAW_RSA_KEY; 178 179 typedef struct { 180 KMF_BIGINT prime; 181 KMF_BIGINT subprime; 182 KMF_BIGINT base; 183 KMF_BIGINT value; 184 KMF_BIGINT pubvalue; 185 } KMF_RAW_DSA_KEY; 186 187 typedef struct { 188 KMF_BIGINT keydata; 189 } KMF_RAW_SYM_KEY; 190 191 typedef struct { 192 KMF_KEY_ALG keytype; 193 boolean_t sensitive; 194 boolean_t not_extractable; 195 union { 196 KMF_RAW_RSA_KEY rsa; 197 KMF_RAW_DSA_KEY dsa; 198 KMF_RAW_SYM_KEY sym; 199 }rawdata; 200 char *label; 201 KMF_DATA id; 202 } KMF_RAW_KEY_DATA; 203 204 typedef struct { 205 KMF_KEYSTORE_TYPE kstype; 206 KMF_KEY_ALG keyalg; 207 KMF_KEY_CLASS keyclass; 208 boolean_t israw; 209 char *keylabel; 210 void *keyp; 211 } KMF_KEY_HANDLE; 212 213 typedef struct { 214 KMF_KEYSTORE_TYPE kstype; 215 uint32_t errcode; 216 } KMF_ERROR; 217 218 /* 219 * Typenames to use with subjectAltName 220 */ 221 typedef enum { 222 GENNAME_OTHERNAME = 0x00, 223 GENNAME_RFC822NAME, 224 GENNAME_DNSNAME, 225 GENNAME_X400ADDRESS, 226 GENNAME_DIRECTORYNAME, 227 GENNAME_EDIPARTYNAME, 228 GENNAME_URI, 229 GENNAME_IPADDRESS, 230 GENNAME_REGISTEREDID, 231 GENNAME_KRB5PRINC, 232 GENNAME_SCLOGON_UPN 233 } KMF_GENERALNAMECHOICES; 234 235 /* 236 * KMF_FIELD 237 * This structure contains the OID/value pair for any item that can be 238 * identified by an OID. 239 */ 240 typedef struct 241 { 242 KMF_OID FieldOid; 243 KMF_DATA FieldValue; 244 } KMF_FIELD; 245 246 typedef enum { 247 KMF_OK = 0x00, 248 KMF_ERR_BAD_PARAMETER = 0x01, 249 KMF_ERR_BAD_KEY_FORMAT = 0x02, 250 KMF_ERR_BAD_ALGORITHM = 0x03, 251 KMF_ERR_MEMORY = 0x04, 252 KMF_ERR_ENCODING = 0x05, 253 KMF_ERR_PLUGIN_INIT = 0x06, 254 KMF_ERR_PLUGIN_NOTFOUND = 0x07, 255 KMF_ERR_INTERNAL = 0x0b, 256 KMF_ERR_BAD_CERT_FORMAT = 0x0c, 257 KMF_ERR_KEYGEN_FAILED = 0x0d, 258 KMF_ERR_UNINITIALIZED = 0x10, 259 KMF_ERR_ISSUER = 0x11, 260 KMF_ERR_NOT_REVOKED = 0x12, 261 KMF_ERR_CERT_NOT_FOUND = 0x13, 262 KMF_ERR_CRL_NOT_FOUND = 0x14, 263 KMF_ERR_RDN_PARSER = 0x15, 264 KMF_ERR_RDN_ATTR = 0x16, 265 KMF_ERR_SLOTNAME = 0x17, 266 KMF_ERR_EMPTY_CRL = 0x18, 267 KMF_ERR_BUFFER_SIZE = 0x19, 268 KMF_ERR_AUTH_FAILED = 0x1a, 269 KMF_ERR_TOKEN_SELECTED = 0x1b, 270 KMF_ERR_NO_TOKEN_SELECTED = 0x1c, 271 KMF_ERR_TOKEN_NOT_PRESENT = 0x1d, 272 KMF_ERR_EXTENSION_NOT_FOUND = 0x1e, 273 KMF_ERR_POLICY_ENGINE = 0x1f, 274 KMF_ERR_POLICY_DB_FORMAT = 0x20, 275 KMF_ERR_POLICY_NOT_FOUND = 0x21, 276 KMF_ERR_POLICY_DB_FILE = 0x22, 277 KMF_ERR_POLICY_NAME = 0x23, 278 KMF_ERR_OCSP_POLICY = 0x24, 279 KMF_ERR_TA_POLICY = 0x25, 280 KMF_ERR_KEY_NOT_FOUND = 0x26, 281 KMF_ERR_OPEN_FILE = 0x27, 282 KMF_ERR_OCSP_BAD_ISSUER = 0x28, 283 KMF_ERR_OCSP_BAD_CERT = 0x29, 284 KMF_ERR_OCSP_CREATE_REQUEST = 0x2a, 285 KMF_ERR_CONNECT_SERVER = 0x2b, 286 KMF_ERR_SEND_REQUEST = 0x2c, 287 KMF_ERR_OCSP_CERTID = 0x2d, 288 KMF_ERR_OCSP_MALFORMED_RESPONSE = 0x2e, 289 KMF_ERR_OCSP_RESPONSE_STATUS = 0x2f, 290 KMF_ERR_OCSP_NO_BASIC_RESPONSE = 0x30, 291 KMF_ERR_OCSP_BAD_SIGNER = 0x31, 292 293 KMF_ERR_OCSP_RESPONSE_SIGNATURE = 0x32, 294 KMF_ERR_OCSP_UNKNOWN_CERT = 0x33, 295 KMF_ERR_OCSP_STATUS_TIME_INVALID = 0x34, 296 KMF_ERR_BAD_HTTP_RESPONSE = 0x35, 297 KMF_ERR_RECV_RESPONSE = 0x36, 298 KMF_ERR_RECV_TIMEOUT = 0x37, 299 KMF_ERR_DUPLICATE_KEYFILE = 0x38, 300 KMF_ERR_AMBIGUOUS_PATHNAME = 0x39, 301 KMF_ERR_FUNCTION_NOT_FOUND = 0x3a, 302 KMF_ERR_PKCS12_FORMAT = 0x3b, 303 KMF_ERR_BAD_KEY_TYPE = 0x3c, 304 KMF_ERR_BAD_KEY_CLASS = 0x3d, 305 KMF_ERR_BAD_KEY_SIZE = 0x3e, 306 KMF_ERR_BAD_HEX_STRING = 0x3f, 307 KMF_ERR_KEYUSAGE = 0x40, 308 KMF_ERR_VALIDITY_PERIOD = 0x41, 309 KMF_ERR_OCSP_REVOKED = 0x42, 310 KMF_ERR_CERT_MULTIPLE_FOUND = 0x43, 311 KMF_ERR_WRITE_FILE = 0x44, 312 KMF_ERR_BAD_URI = 0x45, 313 KMF_ERR_BAD_CRLFILE = 0x46, 314 KMF_ERR_BAD_CERTFILE = 0x47, 315 KMF_ERR_GETKEYVALUE_FAILED = 0x48, 316 KMF_ERR_BAD_KEYHANDLE = 0x49, 317 KMF_ERR_BAD_OBJECT_TYPE = 0x4a, 318 KMF_ERR_OCSP_RESPONSE_LIFETIME = 0x4b, 319 KMF_ERR_UNKNOWN_CSR_ATTRIBUTE = 0x4c, 320 KMF_ERR_UNINITIALIZED_TOKEN = 0x4d, 321 KMF_ERR_INCOMPLETE_TBS_CERT = 0x4e, 322 KMF_ERR_MISSING_ERRCODE = 0x4f, 323 KMF_KEYSTORE_ALREADY_INITIALIZED = 0x50, 324 KMF_ERR_SENSITIVE_KEY = 0x51, 325 KMF_ERR_UNEXTRACTABLE_KEY = 0x52, 326 KMF_ERR_KEY_MISMATCH = 0x53, 327 KMF_ERR_ATTR_NOT_FOUND = 0x54, 328 KMF_ERR_KMF_CONF = 0x55 329 } KMF_RETURN; 330 331 /* Data structures for OCSP support */ 332 typedef enum { 333 OCSP_GOOD = 0, 334 OCSP_REVOKED = 1, 335 OCSP_UNKNOWN = 2 336 } KMF_OCSP_CERT_STATUS; 337 338 typedef enum { 339 OCSP_SUCCESS = 0, 340 OCSP_MALFORMED_REQUEST = 1, 341 OCSP_INTERNAL_ERROR = 2, 342 OCSP_TRYLATER = 3, 343 OCSP_SIGREQUIRED = 4, 344 OCSP_UNAUTHORIZED = 5 345 } KMF_OCSP_RESPONSE_STATUS; 346 347 typedef enum { 348 OCSP_NOSTATUS = -1, 349 OCSP_UNSPECIFIED = 0, 350 OCSP_KEYCOMPROMISE = 1, 351 OCSP_CACOMPROMISE = 2, 352 OCSP_AFFILIATIONCHANGE = 3, 353 OCSP_SUPERCEDED = 4, 354 OCSP_CESSATIONOFOPERATION = 5, 355 OCSP_CERTIFICATEHOLD = 6, 356 OCSP_REMOVEFROMCRL = 7 357 } KMF_OCSP_REVOKED_STATUS; 358 359 typedef enum { 360 KMF_ALGCLASS_NONE = 0, 361 KMF_ALGCLASS_CUSTOM, 362 KMF_ALGCLASS_SIGNATURE, 363 KMF_ALGCLASS_SYMMETRIC, 364 KMF_ALGCLASS_DIGEST, 365 KMF_ALGCLASS_RANDOMGEN, 366 KMF_ALGCLASS_UNIQUEGEN, 367 KMF_ALGCLASS_MAC, 368 KMF_ALGCLASS_ASYMMETRIC, 369 KMF_ALGCLASS_KEYGEN, 370 KMF_ALGCLASS_DERIVEKEY 371 } KMF_ALGCLASS; 372 373 typedef enum { 374 KMF_CERT_ISSUER = 1, 375 KMF_CERT_SUBJECT, 376 KMF_CERT_VERSION, 377 KMF_CERT_SERIALNUM, 378 KMF_CERT_NOTBEFORE, 379 KMF_CERT_NOTAFTER, 380 KMF_CERT_PUBKEY_ALG, 381 KMF_CERT_SIGNATURE_ALG, 382 KMF_CERT_EMAIL, 383 KMF_CERT_PUBKEY_DATA, 384 KMF_X509_EXT_PRIV_KEY_USAGE_PERIOD, 385 KMF_X509_EXT_CERT_POLICIES, 386 KMF_X509_EXT_SUBJ_ALTNAME, 387 KMF_X509_EXT_ISSUER_ALTNAME, 388 KMF_X509_EXT_BASIC_CONSTRAINTS, 389 KMF_X509_EXT_NAME_CONSTRAINTS, 390 KMF_X509_EXT_POLICY_CONSTRAINTS, 391 KMF_X509_EXT_EXT_KEY_USAGE, 392 KMF_X509_EXT_INHIBIT_ANY_POLICY, 393 KMF_X509_EXT_AUTH_KEY_ID, 394 KMF_X509_EXT_SUBJ_KEY_ID, 395 KMF_X509_EXT_POLICY_MAPPINGS, 396 KMF_X509_EXT_CRL_DIST_POINTS, 397 KMF_X509_EXT_FRESHEST_CRL, 398 KMF_X509_EXT_KEY_USAGE 399 } KMF_PRINTABLE_ITEM; 400 401 /* 402 * KMF_X509_ALGORITHM_IDENTIFIER 403 * This structure holds an object identifier naming a 404 * cryptographic algorithm and an optional set of 405 * parameters to be used as input to that algorithm. 406 */ 407 typedef struct 408 { 409 KMF_OID algorithm; 410 KMF_DATA parameters; 411 } KMF_X509_ALGORITHM_IDENTIFIER; 412 413 /* 414 * KMF_X509_TYPE_VALUE_PAIR 415 * This structure contain an type-value pair. 416 */ 417 typedef struct 418 { 419 KMF_OID type; 420 uint8_t valueType; /* The Tag to use when BER encoded */ 421 KMF_DATA value; 422 } KMF_X509_TYPE_VALUE_PAIR; 423 424 425 /* 426 * KMF_X509_RDN 427 * This structure contains a Relative Distinguished Name 428 * composed of an ordered set of type-value pairs. 429 */ 430 typedef struct 431 { 432 uint32_t numberOfPairs; 433 KMF_X509_TYPE_VALUE_PAIR *AttributeTypeAndValue; 434 } KMF_X509_RDN; 435 436 /* 437 * KMF_X509_NAME 438 * This structure contains a set of Relative Distinguished Names. 439 */ 440 typedef struct 441 { 442 uint32_t numberOfRDNs; 443 KMF_X509_RDN *RelativeDistinguishedName; 444 } KMF_X509_NAME; 445 446 /* 447 * KMF_X509_SPKI 448 * This structure contains the public key and the 449 * description of the verification algorithm 450 * appropriate for use with this key. 451 */ 452 typedef struct 453 { 454 KMF_X509_ALGORITHM_IDENTIFIER algorithm; 455 KMF_DATA subjectPublicKey; 456 } KMF_X509_SPKI; 457 458 /* 459 * KMF_X509_TIME 460 * Time is represented as a string according to the 461 * definitions of GeneralizedTime and UTCTime 462 * defined in RFC 2459. 463 */ 464 typedef struct 465 { 466 uint8_t timeType; 467 KMF_DATA time; 468 } KMF_X509_TIME; 469 470 /* 471 * KMF_X509_VALIDITY 472 */ 473 typedef struct 474 { 475 KMF_X509_TIME notBefore; 476 KMF_X509_TIME notAfter; 477 } KMF_X509_VALIDITY; 478 479 /* 480 * KMF_X509EXT_BASICCONSTRAINTS 481 */ 482 typedef struct 483 { 484 KMF_BOOL cA; 485 KMF_BOOL pathLenConstraintPresent; 486 uint32_t pathLenConstraint; 487 } KMF_X509EXT_BASICCONSTRAINTS; 488 489 /* 490 * KMF_X509EXT_DATA_FORMAT 491 * This list defines the valid formats for a certificate extension. 492 */ 493 typedef enum 494 { 495 KMF_X509_DATAFORMAT_ENCODED = 0, 496 KMF_X509_DATAFORMAT_PARSED, 497 KMF_X509_DATAFORMAT_PAIR 498 } KMF_X509EXT_DATA_FORMAT; 499 500 501 /* 502 * KMF_X509EXT_TAGandVALUE 503 * This structure contains a BER/DER encoded 504 * extension value and the type of that value. 505 */ 506 typedef struct 507 { 508 uint8_t type; 509 KMF_DATA value; 510 } KMF_X509EXT_TAGandVALUE; 511 512 513 /* 514 * KMF_X509EXT_PAIR 515 * This structure aggregates two extension representations: 516 * a tag and value, and a parsed X509 extension representation. 517 */ 518 typedef struct 519 { 520 KMF_X509EXT_TAGandVALUE tagAndValue; 521 void *parsedValue; 522 } KMF_X509EXT_PAIR; 523 524 /* 525 * KMF_X509_EXTENSION 526 * This structure contains a complete certificate extension. 527 */ 528 typedef struct 529 { 530 KMF_OID extnId; 531 KMF_BOOL critical; 532 KMF_X509EXT_DATA_FORMAT format; 533 union 534 { 535 KMF_X509EXT_TAGandVALUE *tagAndValue; 536 void *parsedValue; 537 KMF_X509EXT_PAIR *valuePair; 538 } value; 539 KMF_DATA BERvalue; 540 } KMF_X509_EXTENSION; 541 542 543 /* 544 * KMF_X509_EXTENSIONS 545 * This structure contains the set of all certificate 546 * extensions contained in a certificate. 547 */ 548 typedef struct 549 { 550 uint32_t numberOfExtensions; 551 KMF_X509_EXTENSION *extensions; 552 } KMF_X509_EXTENSIONS; 553 554 /* 555 * KMF_X509_TBS_CERT 556 * This structure contains a complete X.509 certificate. 557 */ 558 typedef struct 559 { 560 KMF_DATA version; 561 KMF_BIGINT serialNumber; 562 KMF_X509_ALGORITHM_IDENTIFIER signature; 563 KMF_X509_NAME issuer; 564 KMF_X509_VALIDITY validity; 565 KMF_X509_NAME subject; 566 KMF_X509_SPKI subjectPublicKeyInfo; 567 KMF_DATA issuerUniqueIdentifier; 568 KMF_DATA subjectUniqueIdentifier; 569 KMF_X509_EXTENSIONS extensions; 570 } KMF_X509_TBS_CERT; 571 572 /* 573 * KMF_X509_SIGNATURE 574 * This structure contains a cryptographic digital signature. 575 */ 576 typedef struct 577 { 578 KMF_X509_ALGORITHM_IDENTIFIER algorithmIdentifier; 579 KMF_DATA encrypted; 580 } KMF_X509_SIGNATURE; 581 582 /* 583 * KMF_X509_CERTIFICATE 584 * This structure associates a set of decoded certificate 585 * values with the signature covering those values. 586 */ 587 typedef struct 588 { 589 KMF_X509_TBS_CERT certificate; 590 KMF_X509_SIGNATURE signature; 591 } KMF_X509_CERTIFICATE; 592 593 #define CERT_ALG_OID(c) &c->certificate.signature.algorithm 594 #define CERT_SIG_OID(c) &c->signature.algorithmIdentifier.algorithm 595 596 /* 597 * KMF_TBS_CSR 598 * This structure contains a complete PKCS#10 certificate request 599 */ 600 typedef struct 601 { 602 KMF_DATA version; 603 KMF_X509_NAME subject; 604 KMF_X509_SPKI subjectPublicKeyInfo; 605 KMF_X509_EXTENSIONS extensions; 606 } KMF_TBS_CSR; 607 608 /* 609 * KMF_CSR_DATA 610 * This structure contains a complete PKCS#10 certificate signed request 611 */ 612 typedef struct 613 { 614 KMF_TBS_CSR csr; 615 KMF_X509_SIGNATURE signature; 616 } KMF_CSR_DATA; 617 618 /* 619 * KMF_X509EXT_POLICYQUALIFIERINFO 620 */ 621 typedef struct 622 { 623 KMF_OID policyQualifierId; 624 KMF_DATA value; 625 } KMF_X509EXT_POLICYQUALIFIERINFO; 626 627 /* 628 * KMF_X509EXT_POLICYQUALIFIERS 629 */ 630 typedef struct 631 { 632 uint32_t numberOfPolicyQualifiers; 633 KMF_X509EXT_POLICYQUALIFIERINFO *policyQualifier; 634 } KMF_X509EXT_POLICYQUALIFIERS; 635 636 /* 637 * KMF_X509EXT_POLICYINFO 638 */ 639 typedef struct 640 { 641 KMF_OID policyIdentifier; 642 KMF_X509EXT_POLICYQUALIFIERS policyQualifiers; 643 } KMF_X509EXT_POLICYINFO; 644 645 typedef struct 646 { 647 uint32_t numberOfPolicyInfo; 648 KMF_X509EXT_POLICYINFO *policyInfo; 649 } KMF_X509EXT_CERT_POLICIES; 650 651 typedef struct 652 { 653 uchar_t critical; 654 uint16_t KeyUsageBits; 655 } KMF_X509EXT_KEY_USAGE; 656 657 typedef struct 658 { 659 uchar_t critical; 660 uint16_t nEKUs; 661 KMF_OID *keyPurposeIdList; 662 } KMF_X509EXT_EKU; 663 664 665 /* 666 * X509 AuthorityInfoAccess extension 667 */ 668 typedef struct 669 { 670 KMF_OID AccessMethod; 671 KMF_DATA AccessLocation; 672 } KMF_X509EXT_ACCESSDESC; 673 674 typedef struct 675 { 676 uint32_t numberOfAccessDescription; 677 KMF_X509EXT_ACCESSDESC *AccessDesc; 678 } KMF_X509EXT_AUTHINFOACCESS; 679 680 681 /* 682 * X509 Crl Distribution Point extension 683 */ 684 typedef struct { 685 KMF_GENERALNAMECHOICES choice; 686 KMF_DATA name; 687 } KMF_GENERALNAME; 688 689 typedef struct { 690 uint32_t number; 691 KMF_GENERALNAME *namelist; 692 } KMF_GENERALNAMES; 693 694 typedef enum { 695 DP_GENERAL_NAME = 1, 696 DP_RELATIVE_NAME = 2 697 } KMF_CRL_DIST_POINT_TYPE; 698 699 typedef struct { 700 KMF_CRL_DIST_POINT_TYPE type; 701 union { 702 KMF_GENERALNAMES full_name; 703 KMF_DATA relative_name; 704 } name; 705 KMF_DATA reasons; 706 KMF_GENERALNAMES crl_issuer; 707 } KMF_CRL_DIST_POINT; 708 709 typedef struct { 710 uint32_t number; 711 KMF_CRL_DIST_POINT *dplist; 712 } KMF_X509EXT_CRLDISTPOINTS; 713 714 typedef enum { 715 KMF_DATA_ATTR, 716 KMF_OID_ATTR, 717 KMF_BIGINT_ATTR, 718 KMF_X509_DER_CERT_ATTR, 719 KMF_KEYSTORE_TYPE_ATTR, 720 KMF_ENCODE_FORMAT_ATTR, 721 KMF_CERT_VALIDITY_ATTR, 722 KMF_KU_PURPOSE_ATTR, 723 KMF_ALGORITHM_INDEX_ATTR, 724 KMF_TOKEN_LABEL_ATTR, 725 KMF_READONLY_ATTR, 726 KMF_DIRPATH_ATTR, 727 KMF_CERTPREFIX_ATTR, 728 KMF_KEYPREFIX_ATTR, 729 KMF_SECMODNAME_ATTR, 730 KMF_CREDENTIAL_ATTR, 731 KMF_TRUSTFLAG_ATTR, 732 KMF_CRL_FILENAME_ATTR, 733 KMF_CRL_CHECK_ATTR, 734 KMF_CRL_DATA_ATTR, 735 KMF_CRL_SUBJECT_ATTR, 736 KMF_CRL_ISSUER_ATTR, 737 KMF_CRL_NAMELIST_ATTR, 738 KMF_CRL_COUNT_ATTR, 739 KMF_CRL_OUTFILE_ATTR, 740 KMF_CERT_LABEL_ATTR, 741 KMF_SUBJECT_NAME_ATTR, 742 KMF_ISSUER_NAME_ATTR, 743 KMF_CERT_FILENAME_ATTR, 744 KMF_KEY_FILENAME_ATTR, 745 KMF_OUTPUT_FILENAME_ATTR, 746 KMF_IDSTR_ATTR, 747 KMF_CERT_DATA_ATTR, 748 KMF_OCSP_RESPONSE_DATA_ATTR, 749 KMF_OCSP_RESPONSE_STATUS_ATTR, 750 KMF_OCSP_RESPONSE_REASON_ATTR, 751 KMF_OCSP_RESPONSE_CERT_STATUS_ATTR, 752 KMF_OCSP_REQUEST_FILENAME_ATTR, 753 KMF_KEYALG_ATTR, 754 KMF_KEYCLASS_ATTR, 755 KMF_KEYLABEL_ATTR, 756 KMF_KEYLENGTH_ATTR, 757 KMF_RSAEXP_ATTR, 758 KMF_TACERT_DATA_ATTR, 759 KMF_SLOT_ID_ATTR, 760 KMF_PK12CRED_ATTR, 761 KMF_ISSUER_CERT_DATA_ATTR, 762 KMF_USER_CERT_DATA_ATTR, 763 KMF_SIGNER_CERT_DATA_ATTR, 764 KMF_IGNORE_RESPONSE_SIGN_ATTR, 765 KMF_RESPONSE_LIFETIME_ATTR, 766 KMF_KEY_HANDLE_ATTR, 767 KMF_PRIVKEY_HANDLE_ATTR, 768 KMF_PUBKEY_HANDLE_ATTR, 769 KMF_ERROR_ATTR, 770 KMF_X509_NAME_ATTR, 771 KMF_X509_SPKI_ATTR, 772 KMF_X509_CERTIFICATE_ATTR, 773 KMF_RAW_KEY_ATTR, 774 KMF_CSR_DATA_ATTR, 775 KMF_GENERALNAMECHOICES_ATTR, 776 KMF_STOREKEY_BOOL_ATTR, 777 KMF_SENSITIVE_BOOL_ATTR, 778 KMF_NON_EXTRACTABLE_BOOL_ATTR, 779 KMF_TOKEN_BOOL_ATTR, 780 KMF_PRIVATE_BOOL_ATTR, 781 KMF_NEWPIN_ATTR, 782 KMF_IN_SIGN_ATTR, 783 KMF_OUT_DATA_ATTR, 784 KMF_COUNT_ATTR, 785 KMF_DESTROY_BOOL_ATTR, 786 KMF_TBS_CERT_DATA_ATTR, 787 KMF_PLAINTEXT_DATA_ATTR, 788 KMF_CIPHERTEXT_DATA_ATTR, 789 KMF_VALIDATE_RESULT_ATTR, 790 KMF_KEY_DATA_ATTR, 791 KMF_PK11_USER_TYPE_ATTR 792 } KMF_ATTR_TYPE; 793 794 typedef struct { 795 KMF_ATTR_TYPE type; 796 void *pValue; 797 uint32_t valueLen; 798 } KMF_ATTRIBUTE; 799 800 /* 801 * Definitions for common X.509v3 certificate attribute OIDs 802 */ 803 #define OID_ISO_MEMBER 42 /* Also in PKCS */ 804 #define OID_US OID_ISO_MEMBER, 134, 72 /* Also in PKCS */ 805 #define OID_CA OID_ISO_MEMBER, 124 806 807 #define OID_ISO_IDENTIFIED_ORG 43 808 #define OID_OSINET OID_ISO_IDENTIFIED_ORG, 4 809 #define OID_GOSIP OID_ISO_IDENTIFIED_ORG, 5 810 #define OID_DOD OID_ISO_IDENTIFIED_ORG, 6 811 #define OID_OIW OID_ISO_IDENTIFIED_ORG, 14 /* Also in x9.57 */ 812 813 #define OID_ISO_CCITT_DIR_SERVICE 85 814 #define OID_ISO_CCITT_COUNTRY 96 815 #define OID_COUNTRY_US OID_ISO_CCITT_COUNTRY, 134, 72 816 #define OID_COUNTRY_CA OID_ISO_CCITT_COUNTRY, 124 817 #define OID_COUNTRY_US_ORG OID_COUNTRY_US, 1 818 #define OID_COUNTRY_US_MHS_MD OID_COUNTRY_US, 2 819 #define OID_COUNTRY_US_STATE OID_COUNTRY_US, 3 820 821 /* From the PKCS Standards */ 822 #define OID_ISO_MEMBER_LENGTH 1 823 #define OID_US_LENGTH (OID_ISO_MEMBER_LENGTH + 2) 824 825 #define OID_RSA OID_US, 134, 247, 13 826 #define OID_RSA_LENGTH (OID_US_LENGTH + 3) 827 828 #define OID_RSA_HASH OID_RSA, 2 829 #define OID_RSA_HASH_LENGTH (OID_RSA_LENGTH + 1) 830 831 #define OID_RSA_ENCRYPT OID_RSA, 3 832 #define OID_RSA_ENCRYPT_LENGTH (OID_RSA_LENGTH + 1) 833 834 #define OID_PKCS OID_RSA, 1 835 #define OID_PKCS_LENGTH (OID_RSA_LENGTH + 1) 836 837 #define OID_PKCS_1 OID_PKCS, 1 838 #define OID_PKCS_1_LENGTH (OID_PKCS_LENGTH + 1) 839 840 #define OID_PKCS_2 OID_PKCS, 2 841 #define OID_PKCS_3 OID_PKCS, 3 842 #define OID_PKCS_3_LENGTH (OID_PKCS_LENGTH + 1) 843 844 #define OID_PKCS_4 OID_PKCS, 4 845 #define OID_PKCS_5 OID_PKCS, 5 846 #define OID_PKCS_5_LENGTH (OID_PKCS_LENGTH + 1) 847 #define OID_PKCS_6 OID_PKCS, 6 848 #define OID_PKCS_7 OID_PKCS, 7 849 #define OID_PKCS_7_LENGTH (OID_PKCS_LENGTH + 1) 850 851 #define OID_PKCS_7_Data OID_PKCS_7, 1 852 #define OID_PKCS_7_SignedData OID_PKCS_7, 2 853 #define OID_PKCS_7_EnvelopedData OID_PKCS_7, 3 854 #define OID_PKCS_7_SignedAndEnvelopedData OID_PKCS_7, 4 855 #define OID_PKCS_7_DigestedData OID_PKCS_7, 5 856 #define OID_PKCS_7_EncryptedData OID_PKCS_7, 6 857 858 #define OID_PKCS_8 OID_PKCS, 8 859 #define OID_PKCS_9 OID_PKCS, 9 860 #define OID_PKCS_9_LENGTH (OID_PKCS_LENGTH + 1) 861 862 #define OID_PKCS_9_CONTENT_TYPE OID_PKCS_9, 3 863 #define OID_PKCS_9_MESSAGE_DIGEST OID_PKCS_9, 4 864 #define OID_PKCS_9_SIGNING_TIME OID_PKCS_9, 5 865 #define OID_PKCS_9_COUNTER_SIGNATURE OID_PKCS_9, 6 866 #define OID_PKCS_9_EXTENSION_REQUEST OID_PKCS_9, 14 867 868 #define OID_PKCS_10 OID_PKCS, 10 869 870 #define OID_PKCS_12 OID_PKCS, 12 871 #define OID_PKCS_12_LENGTH (OID_PKCS_LENGTH + 1) 872 873 #define PBEWithSHAAnd128BitRC4 OID_PKCS_12, 1, 1 874 #define PBEWithSHAAnd40BitRC4 OID_PKCS_12, 1, 2 875 #define PBEWithSHAAnd3KeyTripleDES_CBC OID_PKCS_12, 1, 3 876 #define PBEWithSHAAnd2KeyTripleDES_CBC OID_PKCS_12, 1, 4 877 #define PBEWithSHAAnd128BitRC2_CBC OID_PKCS_12, 1, 5 878 #define PBEWithSHAAnd40BitRC2_CBC OID_PKCS_12, 1, 6 879 880 #define OID_BAG_TYPES OID_PKCS_12, 10, 1 881 #define OID_KeyBag OID_BAG_TYPES, 1 882 #define OID_PKCS8ShroudedKeyBag OID_BAG_TYPES, 2 883 #define OID_CertBag OID_BAG_TYPES, 3 884 #define OID_CrlBag OID_BAG_TYPES, 4 885 #define OID_SecretBag OID_BAG_TYPES, 5 886 #define OID_SafeContentsBag OID_BAG_TYPES, 6 887 888 #define OID_ContentInfo OID_PKCS_7, 0, 1 889 890 #define OID_CERT_TYPES OID_PKCS_9, 22 891 #define OID_x509Certificate OID_CERT_TYPES, 1 892 #define OID_sdsiCertificate OID_CERT_TYPES, 2 893 894 #define OID_CRL_TYPES OID_PKCS_9, 23 895 #define OID_x509Crl OID_CRL_TYPES, 1 896 897 #define OID_DS OID_ISO_CCITT_DIR_SERVICE /* Also in X.501 */ 898 #define OID_DS_LENGTH 1 899 900 #define OID_ATTR_TYPE OID_DS, 4 /* Also in X.501 */ 901 #define OID_ATTR_TYPE_LENGTH (OID_DS_LENGTH + 1) 902 903 #define OID_DSALG OID_DS, 8 /* Also in X.501 */ 904 #define OID_DSALG_LENGTH (OID_DS_LENGTH + 1) 905 906 #define OID_EXTENSION OID_DS, 29 /* Also in X.501 */ 907 #define OID_EXTENSION_LENGTH (OID_DS_LENGTH + 1) 908 909 /* 910 * From RFC 1274: 911 * {itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100) pilotAttributeType(1) } 912 */ 913 #define OID_PILOT 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x1 914 #define OID_PILOT_LENGTH 9 915 916 #define OID_USERID OID_PILOT 1 917 #define OID_USERID_LENGTH (OID_PILOT_LENGTH + 1) 918 919 /* 920 * From PKIX part1 921 * { iso(1) identified-organization(3) dod(6) internet(1) 922 * security(5) mechanisms(5) pkix(7) } 923 */ 924 #define OID_PKIX 43, 6, 1, 5, 5, 7 925 #define OID_PKIX_LENGTH 6 926 927 /* private certificate extensions, { id-pkix 1 } */ 928 #define OID_PKIX_PE OID_PKIX, 1 929 #define OID_PKIX_PE_LENGTH (OID_PKIX_LENGTH + 1) 930 931 /* policy qualifier types {id-pkix 2 } */ 932 #define OID_PKIX_QT OID_PKIX, 2 933 #define OID_PKIX_QT_LENGTH (OID_PKIX_LENGTH + 1) 934 935 /* CPS qualifier, { id-qt 1 } */ 936 #define OID_PKIX_QT_CPS OID_PKIX_QT, 1 937 #define OID_PKIX_QT_CPS_LENGTH (OID_PKIX_QT_LENGTH + 1) 938 /* user notice qualifier, { id-qt 2 } */ 939 #define OID_PKIX_QT_UNOTICE OID_PKIX_QT, 2 940 #define OID_PKIX_QT_UNOTICE_LENGTH (OID_PKIX_QT_LENGTH + 1) 941 942 /* extended key purpose OIDs {id-pkix 3 } */ 943 #define OID_PKIX_KP OID_PKIX, 3 944 #define OID_PKIX_KP_LENGTH (OID_PKIX_LENGTH + 1) 945 946 /* access descriptors {id-pkix 4 } */ 947 #define OID_PKIX_AD OID_PKIX, 48 948 #define OID_PKIX_AD_LENGTH (OID_PKIX_LENGTH + 1) 949 950 /* access descriptors */ 951 /* OCSP */ 952 #define OID_PKIX_AD_OCSP OID_PKIX_AD, 1 953 #define OID_PKIX_AD_OCSP_LENGTH (OID_PKIX_AD_LENGTH + 1) 954 955 /* cAIssuers */ 956 #define OID_PKIX_AD_CAISSUERS OID_PKIX_AD, 2 957 #define OID_PKIX_AD_CAISSUERS_LENGTH (OID_PKIX_AD_LENGTH + 1) 958 959 /* end PKIX part1 */ 960 961 /* 962 * From RFC4556 (PKINIT) 963 * 964 * pkinit = { iso(1) identified-organization(3) dod(6) internet(1) 965 * security(5) kerberosv5(2) pkinit(3) } 966 */ 967 #define OID_KRB5_PKINIT 43, 6, 1, 5, 2, 3 968 #define OID_KRB5_PKINIT_LENGTH 6 969 970 #define OID_KRB5_PKINIT_KPCLIENTAUTH OID_KRB5_PKINIT, 4 971 #define OID_KRB5_PKINIT_KPCLIENTAUTH_LENGTH (OID_KRB5_PKINIT_LENGTH + 1) 972 973 #define OID_KRB5_PKINIT_KPKDC OID_KRB5_PKINIT, 5 974 #define OID_KRB5_PKINIT_KPKDC_LENGTH (OID_KRB5_PKINIT_LENGTH + 1) 975 976 #define OID_KRB5_SAN 43, 6, 1, 5, 2, 2 977 #define OID_KRB5_SAN_LENGTH 6 978 979 /* 980 * Microsoft OIDs: 981 * id-ms-san-sc-logon-upn = 982 * {iso(1) identified-organization(3) dod(6) internet(1) private(4) 983 * enterprise(1) microsoft(311) 20 2 3} 984 * 985 * id-ms-kp-sc-logon = 986 * {iso(1) identified-organization(3) dod(6) internet(1) private(4) 987 * enterprise(1) microsoft(311) 20 2 2} 988 */ 989 #define OID_MS 43, 6, 1, 4, 1, 130, 55 990 #define OID_MS_LENGTH 7 991 #define OID_MS_KP_SC_LOGON OID_MS, 20, 2, 2 992 #define OID_MS_KP_SC_LOGON_LENGTH (OID_MS_LENGTH + 3) 993 994 #define OID_MS_KP_SC_LOGON_UPN OID_MS, 20, 2, 3 995 #define OID_MS_KP_SC_LOGON_UPN_LENGTH (OID_MS_LENGTH + 3) 996 997 #define OID_APPL_TCP_PROTO 43, 6, 1, 2, 1, 27, 4 998 #define OID_APPL_TCP_PROTO_LENGTH 8 999 1000 #define OID_DAP OID_DS, 3, 1 1001 #define OID_DAP_LENGTH (OID_DS_LENGTH + 2) 1002 1003 /* From x9.57 */ 1004 #define OID_OIW_LENGTH 2 1005 1006 #define OID_OIW_SECSIG OID_OIW, 3 1007 #define OID_OIW_SECSIG_LENGTH (OID_OIW_LENGTH + 1) 1008 1009 #define OID_OIW_ALGORITHM OID_OIW_SECSIG, 2 1010 #define OID_OIW_ALGORITHM_LENGTH (OID_OIW_SECSIG_LENGTH + 1) 1011 1012 #define OID_OIWDIR OID_OIW, 7, 2 1013 #define OID_OIWDIR_LENGTH (OID_OIW_LENGTH + 2) 1014 1015 #define OID_OIWDIR_CRPT OID_OIWDIR, 1 1016 1017 #define OID_OIWDIR_HASH OID_OIWDIR, 2 1018 #define OID_OIWDIR_HASH_LENGTH (OID_OIWDIR_LENGTH + 1) 1019 1020 #define OID_OIWDIR_SIGN OID_OIWDIR, 3 1021 #define OID_OIWDIR_SIGN_LENGTH (OID_OIWDIR_LENGTH + 1) 1022 1023 #define OID_X9CM OID_US, 206, 56 1024 #define OID_X9CM_MODULE OID_X9CM, 1 1025 #define OID_X9CM_INSTRUCTION OID_X9CM, 2 1026 #define OID_X9CM_ATTR OID_X9CM, 3 1027 #define OID_X9CM_X9ALGORITHM OID_X9CM, 4 1028 #define OID_X9CM_X9ALGORITHM_LENGTH ((OID_US_LENGTH) + 2 + 1) 1029 1030 #define INTEL 96, 134, 72, 1, 134, 248, 77 1031 #define INTEL_LENGTH 7 1032 1033 #define INTEL_SEC_FORMATS INTEL_CDSASECURITY, 1 1034 #define INTEL_SEC_FORMATS_LENGTH (INTEL_CDSASECURITY_LENGTH + 1) 1035 1036 #define INTEL_SEC_ALGS INTEL_CDSASECURITY, 2, 5 1037 #define INTEL_SEC_ALGS_LENGTH (INTEL_CDSASECURITY_LENGTH + 2) 1038 1039 extern const KMF_OID 1040 KMFOID_AliasedEntryName, 1041 KMFOID_AuthorityRevocationList, 1042 KMFOID_BusinessCategory, 1043 KMFOID_CACertificate, 1044 KMFOID_CertificateRevocationList, 1045 KMFOID_ChallengePassword, 1046 KMFOID_CollectiveFacsimileTelephoneNumber, 1047 KMFOID_CollectiveInternationalISDNNumber, 1048 KMFOID_CollectiveOrganizationName, 1049 KMFOID_CollectiveOrganizationalUnitName, 1050 KMFOID_CollectivePhysicalDeliveryOfficeName, 1051 KMFOID_CollectivePostOfficeBox, 1052 KMFOID_CollectivePostalAddress, 1053 KMFOID_CollectivePostalCode, 1054 KMFOID_CollectiveStateProvinceName, 1055 KMFOID_CollectiveStreetAddress, 1056 KMFOID_CollectiveTelephoneNumber, 1057 KMFOID_CollectiveTelexNumber, 1058 KMFOID_CollectiveTelexTerminalIdentifier, 1059 KMFOID_CommonName, 1060 KMFOID_ContentType, 1061 KMFOID_CounterSignature, 1062 KMFOID_CountryName, 1063 KMFOID_CrossCertificatePair, 1064 KMFOID_DNQualifier, 1065 KMFOID_Description, 1066 KMFOID_DestinationIndicator, 1067 KMFOID_DistinguishedName, 1068 KMFOID_EmailAddress, 1069 KMFOID_EnhancedSearchGuide, 1070 KMFOID_ExtendedCertificateAttributes, 1071 KMFOID_ExtensionRequest, 1072 KMFOID_FacsimileTelephoneNumber, 1073 KMFOID_GenerationQualifier, 1074 KMFOID_GivenName, 1075 KMFOID_HouseIdentifier, 1076 KMFOID_Initials, 1077 KMFOID_InternationalISDNNumber, 1078 KMFOID_KnowledgeInformation, 1079 KMFOID_LocalityName, 1080 KMFOID_Member, 1081 KMFOID_MessageDigest, 1082 KMFOID_Name, 1083 KMFOID_ObjectClass, 1084 KMFOID_OrganizationName, 1085 KMFOID_OrganizationalUnitName, 1086 KMFOID_Owner, 1087 KMFOID_PhysicalDeliveryOfficeName, 1088 KMFOID_PostOfficeBox, 1089 KMFOID_PostalAddress, 1090 KMFOID_PostalCode, 1091 KMFOID_PreferredDeliveryMethod, 1092 KMFOID_PresentationAddress, 1093 KMFOID_ProtocolInformation, 1094 KMFOID_RFC822mailbox, 1095 KMFOID_RegisteredAddress, 1096 KMFOID_RoleOccupant, 1097 KMFOID_SearchGuide, 1098 KMFOID_SeeAlso, 1099 KMFOID_SerialNumber, 1100 KMFOID_SigningTime, 1101 KMFOID_StateProvinceName, 1102 KMFOID_StreetAddress, 1103 KMFOID_SupportedApplicationContext, 1104 KMFOID_Surname, 1105 KMFOID_TelephoneNumber, 1106 KMFOID_TelexNumber, 1107 KMFOID_TelexTerminalIdentifier, 1108 KMFOID_Title, 1109 KMFOID_UniqueIdentifier, 1110 KMFOID_UniqueMember, 1111 KMFOID_UnstructuredAddress, 1112 KMFOID_UnstructuredName, 1113 KMFOID_UserCertificate, 1114 KMFOID_UserPassword, 1115 KMFOID_X_121Address, 1116 KMFOID_domainComponent, 1117 KMFOID_userid; 1118 1119 extern const KMF_OID 1120 KMFOID_AuthorityKeyID, 1121 KMFOID_AuthorityInfoAccess, 1122 KMFOID_VerisignCertificatePolicy, 1123 KMFOID_KeyUsageRestriction, 1124 KMFOID_SubjectDirectoryAttributes, 1125 KMFOID_SubjectKeyIdentifier, 1126 KMFOID_KeyUsage, 1127 KMFOID_PrivateKeyUsagePeriod, 1128 KMFOID_SubjectAltName, 1129 KMFOID_IssuerAltName, 1130 KMFOID_BasicConstraints, 1131 KMFOID_CrlNumber, 1132 KMFOID_CrlReason, 1133 KMFOID_HoldInstructionCode, 1134 KMFOID_InvalidityDate, 1135 KMFOID_DeltaCrlIndicator, 1136 KMFOID_IssuingDistributionPoints, 1137 KMFOID_NameConstraints, 1138 KMFOID_CrlDistributionPoints, 1139 KMFOID_CertificatePolicies, 1140 KMFOID_PolicyMappings, 1141 KMFOID_PolicyConstraints, 1142 KMFOID_AuthorityKeyIdentifier, 1143 KMFOID_ExtendedKeyUsage, 1144 KMFOID_PkixAdOcsp, 1145 KMFOID_PkixAdCaIssuers, 1146 KMFOID_PKIX_PQ_CPSuri, 1147 KMFOID_PKIX_PQ_Unotice, 1148 KMFOID_PKIX_KP_ServerAuth, 1149 KMFOID_PKIX_KP_ClientAuth, 1150 KMFOID_PKIX_KP_CodeSigning, 1151 KMFOID_PKIX_KP_EmailProtection, 1152 KMFOID_PKIX_KP_IPSecEndSystem, 1153 KMFOID_PKIX_KP_IPSecTunnel, 1154 KMFOID_PKIX_KP_IPSecUser, 1155 KMFOID_PKIX_KP_TimeStamping, 1156 KMFOID_PKIX_KP_OCSPSigning, 1157 KMFOID_SHA1, 1158 KMFOID_RSA, 1159 KMFOID_DSA, 1160 KMFOID_MD5WithRSA, 1161 KMFOID_MD2WithRSA, 1162 KMFOID_SHA1WithRSA, 1163 KMFOID_SHA1WithDSA, 1164 KMFOID_OIW_DSAWithSHA1, 1165 KMFOID_X9CM_DSA, 1166 KMFOID_X9CM_DSAWithSHA1; 1167 1168 /* For PKINIT support */ 1169 extern const KMF_OID 1170 KMFOID_PKINIT_san, 1171 KMFOID_PKINIT_ClientAuth, 1172 KMFOID_PKINIT_Kdc, 1173 KMFOID_MS_KP_SCLogon, 1174 KMFOID_MS_KP_SCLogon_UPN; 1175 1176 /* 1177 * KMF Certificate validation codes. These may be masked together. 1178 */ 1179 #define KMF_CERT_VALIDATE_OK 0x00 1180 #define KMF_CERT_VALIDATE_ERR_TA 0x01 1181 #define KMF_CERT_VALIDATE_ERR_USER 0x02 1182 #define KMF_CERT_VALIDATE_ERR_SIGNATURE 0x04 1183 #define KMF_CERT_VALIDATE_ERR_KEYUSAGE 0x08 1184 #define KMF_CERT_VALIDATE_ERR_EXT_KEYUSAGE 0x10 1185 #define KMF_CERT_VALIDATE_ERR_TIME 0x20 1186 #define KMF_CERT_VALIDATE_ERR_CRL 0x40 1187 #define KMF_CERT_VALIDATE_ERR_OCSP 0x80 1188 #define KMF_CERT_VALIDATE_ERR_ISSUER 0x100 1189 1190 /* 1191 * KMF Key Usage bitmasks 1192 */ 1193 #define KMF_digitalSignature 0x8000 1194 #define KMF_nonRepudiation 0x4000 1195 #define KMF_keyEncipherment 0x2000 1196 #define KMF_dataEncipherment 0x1000 1197 #define KMF_keyAgreement 0x0800 1198 #define KMF_keyCertSign 0x0400 1199 #define KMF_cRLSign 0x0200 1200 #define KMF_encipherOnly 0x0100 1201 #define KMF_decipherOnly 0x0080 1202 1203 #define KMF_KUBITMASK 0xFF80 1204 1205 /* 1206 * KMF Extended KeyUsage OID definitions 1207 */ 1208 #define KMF_EKU_SERVERAUTH 0x01 1209 #define KMF_EKU_CLIENTAUTH 0x02 1210 #define KMF_EKU_CODESIGNING 0x04 1211 #define KMF_EKU_EMAIL 0x08 1212 #define KMF_EKU_TIMESTAMP 0x10 1213 #define KMF_EKU_OCSPSIGNING 0x20 1214 1215 1216 /* 1217 * Legacy support only - do not use these data structures - they can be 1218 * removed at any time. 1219 */ 1220 1221 /* Keystore Configuration */ 1222 typedef struct { 1223 char *configdir; 1224 char *certPrefix; 1225 char *keyPrefix; 1226 char *secModName; 1227 } KMF_NSS_CONFIG; 1228 1229 typedef struct { 1230 char *label; 1231 boolean_t readonly; 1232 } KMF_PKCS11_CONFIG; 1233 1234 typedef struct { 1235 KMF_KEYSTORE_TYPE kstype; 1236 union { 1237 KMF_NSS_CONFIG nss_conf; 1238 KMF_PKCS11_CONFIG pkcs11_conf; 1239 } ks_config_u; 1240 } KMF_CONFIG_PARAMS; 1241 1242 #define nssconfig ks_config_u.nss_conf 1243 #define pkcs11config ks_config_u.pkcs11_conf 1244 1245 1246 typedef struct 1247 { 1248 char *trustflag; 1249 char *slotlabel; /* "internal" by default */ 1250 int issuerId; 1251 int subjectId; 1252 char *crlfile; /* for ImportCRL */ 1253 boolean_t crl_check; /* for ImportCRL */ 1254 1255 /* 1256 * The following 2 variables are for FindCertInCRL. The caller can 1257 * either specify certLabel or provide the entire certificate in 1258 * DER format as input. 1259 */ 1260 char *certLabel; /* for FindCertInCRL */ 1261 KMF_DATA *certificate; /* for FindCertInCRL */ 1262 1263 /* 1264 * crl_subjName and crl_issuerName are used as the CRL deletion 1265 * criteria. One should be non-NULL and the other one should be NULL. 1266 * If crl_subjName is not NULL, then delete CRL by the subject name. 1267 * Othewise, delete by the issuer name. 1268 */ 1269 char *crl_subjName; 1270 char *crl_issuerName; 1271 } KMF_NSS_PARAMS; 1272 1273 typedef struct { 1274 char *dirpath; 1275 char *certfile; 1276 char *crlfile; 1277 char *keyfile; 1278 char *outcrlfile; 1279 boolean_t crl_check; /* CRL import check; default is true */ 1280 KMF_ENCODE_FORMAT format; /* output file format */ 1281 } KMF_OPENSSL_PARAMS; 1282 1283 typedef struct { 1284 boolean_t private; /* for finding CKA_PRIVATE objects */ 1285 boolean_t sensitive; 1286 boolean_t not_extractable; 1287 boolean_t token; /* true == token object, false == session */ 1288 } KMF_PKCS11_PARAMS; 1289 1290 typedef struct { 1291 KMF_KEYSTORE_TYPE kstype; 1292 char *certLabel; 1293 char *issuer; 1294 char *subject; 1295 char *idstr; 1296 KMF_BIGINT *serial; 1297 KMF_CERT_VALIDITY find_cert_validity; 1298 1299 union { 1300 KMF_NSS_PARAMS nss_opts; 1301 KMF_OPENSSL_PARAMS openssl_opts; 1302 KMF_PKCS11_PARAMS pkcs11_opts; 1303 } ks_opt_u; 1304 } KMF_FINDCERT_PARAMS, KMF_DELETECERT_PARAMS; 1305 1306 typedef struct { 1307 KMF_KEYSTORE_TYPE kstype; 1308 KMF_CREDENTIAL cred; 1309 KMF_KEY_CLASS keyclass; 1310 KMF_KEY_ALG keytype; 1311 KMF_ENCODE_FORMAT format; /* for key */ 1312 char *findLabel; 1313 char *idstr; 1314 union { 1315 KMF_NSS_PARAMS nss_opts; 1316 KMF_OPENSSL_PARAMS openssl_opts; 1317 KMF_PKCS11_PARAMS pkcs11_opts; 1318 } ks_opt_u; 1319 } KMF_FINDKEY_PARAMS; 1320 1321 typedef struct { 1322 KMF_KEYSTORE_TYPE kstype; 1323 KMF_KEY_ALG keytype; 1324 uint32_t keylength; 1325 char *keylabel; 1326 KMF_CREDENTIAL cred; 1327 KMF_BIGINT rsa_exponent; 1328 union { 1329 KMF_NSS_PARAMS nss_opts; 1330 KMF_OPENSSL_PARAMS openssl_opts; 1331 }ks_opt_u; 1332 } KMF_CREATEKEYPAIR_PARAMS; 1333 1334 1335 typedef struct { 1336 KMF_KEYSTORE_TYPE kstype; 1337 KMF_CREDENTIAL cred; 1338 KMF_ENCODE_FORMAT format; /* for key */ 1339 char *certLabel; 1340 KMF_ALGORITHM_INDEX algid; 1341 union { 1342 KMF_NSS_PARAMS nss_opts; 1343 KMF_OPENSSL_PARAMS openssl_opts; 1344 }ks_opt_u; 1345 } KMF_CRYPTOWITHCERT_PARAMS; 1346 1347 typedef struct { 1348 char *crl_name; 1349 } KMF_CHECKCRLDATE_PARAMS; 1350 1351 #define nssparms ks_opt_u.nss_opts 1352 #define sslparms ks_opt_u.openssl_opts 1353 #define pkcs11parms ks_opt_u.pkcs11_opts 1354 1355 #ifdef __cplusplus 1356 } 1357 #endif 1358 #endif /* _KMFTYPES_H */ 1359