From 31366290fcfbb7b51332e41755ba3f0c4b01084f Mon Sep 17 00:00:00 2001 From: Stef Walter Date: Sat, 28 Apr 2007 22:39:24 +0000 Subject: A complete but slow implementation for certificate listing. --- ckcapi-builtin.c | 190 +++++++++++++++++++++++++++++++++++++++++++++++ ckcapi-cert.c | 86 ++++++++++++++-------- ckcapi-object.c | 23 ++++-- ckcapi-session.c | 40 ++++++++++ ckcapi-util.c | 6 +- ckcapi.c | 14 ++-- ckcapi.dsp | 4 + ckcapi.h | 41 ++++++++++- pkcs11/pkcs11n.h | 221 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 9 files changed, 573 insertions(+), 52 deletions(-) create mode 100644 ckcapi-builtin.c create mode 100644 pkcs11/pkcs11n.h diff --git a/ckcapi-builtin.c b/ckcapi-builtin.c new file mode 100644 index 0000000..94d170e --- /dev/null +++ b/ckcapi-builtin.c @@ -0,0 +1,190 @@ + +#include "ckcapi.h" +#include "pkcs11/pkcs11n.h" + +static const CK_BBOOL ck_true = CK_TRUE; +static const CK_BBOOL ck_false = CK_FALSE; + +static const CK_OBJECT_CLASS cko_netscape_builtin_root_list = CKO_NETSCAPE_BUILTIN_ROOT_LIST; + +static const char ck_root_label[] = "Windows Certificate Roots"; + +#define CK_END_LIST (CK_ULONG)-1 + +static const CK_ATTRIBUTE builtin_root[] = { + { CKA_TOKEN, (void*)&ck_true, sizeof(CK_BBOOL) }, + { CKA_CLASS, (void*)&cko_netscape_builtin_root_list, sizeof(CK_OBJECT_CLASS) }, + { CKA_PRIVATE, (void*)&ck_false, sizeof(CK_BBOOL) }, + { CKA_MODIFIABLE, (void*)&ck_false, sizeof(CK_BBOOL) }, + { CKA_LABEL, (void*)ck_root_label, sizeof(ck_root_label) }, + { CK_END_LIST, NULL, 0 } +}; + +static const CK_ATTRIBUTE_PTR all_builtins[] = { + (CK_ATTRIBUTE_PTR)&builtin_root, + NULL, +}; + +static CK_ULONG num_builtins = 0; + +typedef struct _BuiltinObject +{ + CkCapiObject obj; + + /* Together these form the unique key. Must be contiguous */ + unsigned int otype; + CK_ULONG builtin_index; +} +BuiltinObject; + +static CK_RV +builtin_attribute(void* obj, CK_ATTRIBUTE_TYPE type, + CK_VOID_PTR data, CK_ULONG_PTR len) +{ + CK_ATTRIBUTE_PTR builtin = (CK_ATTRIBUTE_PTR)obj; + + ASSERT(len); + ASSERT(obj); + + while(builtin->type != CK_END_LIST) + { + if(builtin->type == type) + { + if(builtin->ulValueLen == 0) + return CKR_ATTRIBUTE_TYPE_INVALID; + + if(!data) + { + *len = builtin->ulValueLen; + return CKR_OK; + } + + if(builtin->ulValueLen > *len) + { + *len = builtin->ulValueLen; + return CKR_BUFFER_TOO_SMALL; + } + + *len = builtin->ulValueLen; + memcpy(data, builtin->pValue, builtin->ulValueLen); + return CKR_OK; + } + + builtin++; + } + + return CKR_ATTRIBUTE_TYPE_INVALID; +} + +static void +builtin_release(void* data) +{ + /* Nothing to do to free builtin data */ +} + +static const CkCapiObjectDataVtable builtin_objdata_vtable = { + builtin_attribute, + builtin_attribute, + builtin_attribute, + builtin_attribute, + builtin_release, +}; + +static CK_RV +builtin_load(CkCapiObject* obj, CkCapiObjectData* objdata) +{ + BuiltinObject* bobj = (BuiltinObject*)obj; + + ASSERT(bobj); + ASSERT(objdata); + ASSERT(num_builtins > 0); + + if(bobj->builtin_index > num_builtins) + return CKR_OBJECT_HANDLE_INVALID; + + objdata->data = (void*)all_builtins[bobj->builtin_index]; + objdata->data_funcs = builtin_objdata_vtable; + + return CKR_OK; +} + + +static void +builtin_object_release(void* data) +{ + BuiltinObject* bobj = (BuiltinObject*)data; + ASSERT(bobj); + free(bobj); +} + +static const CkCapiObjectVtable builtin_object_vtable = { + builtin_load, + builtin_object_release, +}; + +static CK_RV +register_builtin_object(CkCapiSession* sess, CK_ULONG index, CK_OBJECT_HANDLE_PTR id) +{ + BuiltinObject* bobj; + CK_RV ret; + + bobj = calloc(sizeof(BuiltinObject), 1); + if(!bobj) + return CKR_HOST_MEMORY; + + bobj->otype = OBJECT_BUILTIN; + bobj->builtin_index = index; + + bobj->obj.id = 0; + bobj->obj.obj_funcs = builtin_object_vtable; + bobj->obj.unique_key = UNIQUE_KEY_AT(bobj, otype); + bobj->obj.unique_len = UNIQUE_KEY_LEN(bobj, otype, builtin_index); + + ret = ckcapi_object_register(sess, &(bobj->obj)); + if(ret != CKR_OK) + { + free(bobj); + return ret; + } + + ASSERT(bobj->obj.id != 0); + *id = bobj->obj.id; + return CKR_OK; +} + +CK_RV +ckcapi_builtin_find_all(CkCapiSession* sess, CK_ATTRIBUTE_PTR match, + CK_ULONG count, CkCapiArray* arr) +{ + CK_OBJECT_HANDLE obj; + CkCapiObjectData objdata; + CK_RV ret = CKR_OK; + CK_ULONG i; + + /* First time around count total number */ + if(!num_builtins) + { + while(all_builtins[num_builtins]) + ++num_builtins; + ASSERT(num_builtins > 0); + } + + /* Match each certificate */ + for(i = 0; i < num_builtins; ++i) + { + objdata.data = (void*)all_builtins[i]; + objdata.data_funcs = builtin_objdata_vtable; + + if(ckcapi_object_data_match(&objdata, match, count)) + { + ret = register_builtin_object(sess, i, &obj); + if(ret != CKR_OK) + break; + + ckcapi_array_append(arr, obj); + } + } + + return ret; +} + diff --git a/ckcapi-cert.c b/ckcapi-cert.c index 0605ef9..672e189 100644 --- a/ckcapi-cert.c +++ b/ckcapi-cert.c @@ -13,15 +13,33 @@ #define CERT_KEY_IDENTIFIER_PROP_ID 20 #endif +#define USE_ENCODINGS (X509_ASN_ENCODING | PKCS_7_ASN_ENCODING) + typedef struct _CertObject { CkCapiObject obj; const char* store; - BYTE* key_id; - DWORD key_id_len; + + /* Together these can uniquely identify a certificate */ + CRYPT_INTEGER_BLOB serial; + CERT_NAME_BLOB issuer; + + /* + * This must stay together. It comprises a unique + * key, together with the data that runs off the end. + */ + int otype; + BYTE cert_data[1]; } CertObject; +typedef struct _CertUnique +{ + int otype; + BYTE key[1]; +} +CertUnique; + static CK_RV copy_static_data(CK_VOID_PTR val, CK_ULONG_PTR len, CK_VOID_PTR data, DWORD cb) @@ -364,8 +382,8 @@ cert_load(CkCapiObject* obj, CkCapiObjectData* objdata) { CertObject* cobj = (CertObject*)obj; HCERTSTORE store; + CERT_INFO info; PCCERT_CONTEXT cert; - CRYPT_HASH_BLOB blob; ASSERT(cobj); ASSERT(objdata); @@ -375,13 +393,17 @@ cert_load(CkCapiObject* obj, CkCapiObjectData* objdata) if(!store) return ckcapi_winerr_to_ckr(GetLastError()); - ASSERT(cobj->key_id); - ASSERT(cobj->key_id_len); - blob.pbData = cobj->key_id; - blob.cbData = cobj->key_id_len; + ASSERT(cobj->issuer.pbData); + ASSERT(cobj->issuer.cbData); + ASSERT(cobj->serial.pbData); + ASSERT(cobj->serial.cbData); + + /* Setup our search */ + memset(&info, 0, sizeof(info)); + memcpy(&info.SerialNumber, &cobj->serial, sizeof(info.SerialNumber)); + memcpy(&info.Issuer, &cobj->issuer, sizeof(info.Issuer)); - cert = CertFindCertificateInStore(store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, - 0, CERT_FIND_KEY_IDENTIFIER, &blob, NULL); + cert = CertGetSubjectCertificateFromStore(store, USE_ENCODINGS, &info); CertCloseStore(store, 0); @@ -422,36 +444,38 @@ register_cert_object(CkCapiSession* sess, const char* store, PCCERT_CONTEXT cert { CertObject* cobj; CK_RV ret; - DWORD len; - - if(!CertGetCertificateContextProperty(cert, CERT_KEY_IDENTIFIER_PROP_ID, NULL, &len)) - { - DBG(("cannot get certificate key identifier: %d", GetLastError())); - return CKR_ATTRIBUTE_TYPE_INVALID; - } + size_t len; + + /* We save the Issuer and SerialNumber for identification later */ + len = cert->pCertInfo->SerialNumber.cbData + + cert->pCertInfo->Issuer.cbData; + + /* Add one in case null termination is needed */ + len++; cobj = calloc(sizeof(CertObject) + len, 1); if(!cobj) return CKR_HOST_MEMORY; - /* Store keyid in allocated area after CertObject */ - cobj->key_id = (BYTE*)(cobj + 1); - cobj->key_id_len = len; - - if(!CertGetCertificateContextProperty(cert, CERT_KEY_IDENTIFIER_PROP_ID, - cobj->key_id, &(cobj->key_id_len))) - { - DBG(("cannot read certificate key identifier: %d", GetLastError())); - free(cobj); - return CKR_ATTRIBUTE_TYPE_INVALID; - } - + cobj->otype = OBJECT_CERT; cobj->store = store; + cobj->obj.id = 0; - cobj->obj.unique_key = cobj->key_id; - cobj->obj.unique_len = cobj->key_id_len; + cobj->obj.unique_key = UNIQUE_KEY_AT(cobj, otype); + cobj->obj.unique_len = UNIQUE_KEY_VAR_LEN(cobj, otype, cert_data, len); cobj->obj.obj_funcs = cert_object_vtable; - cobj->obj.data_funcs = cert_objdata_vtable; + + /* Copy Issuer data in */ + cobj->issuer.cbData = cert->pCertInfo->Issuer.cbData; + cobj->issuer.pbData = cobj->cert_data; + memcpy(cobj->issuer.pbData, cert->pCertInfo->Issuer.pbData, + cobj->issuer.cbData); + + /* Copy Serial Number data in */ + cobj->serial.cbData = cert->pCertInfo->SerialNumber.cbData; + cobj->serial.pbData = cobj->cert_data + cobj->issuer.cbData; + memcpy(cobj->serial.pbData, cert->pCertInfo->SerialNumber.pbData, + cobj->serial.cbData); ret = ckcapi_object_register(sess, &(cobj->obj)); if(ret != CKR_OK) diff --git a/ckcapi-object.c b/ckcapi-object.c index c620cc4..da3a467 100644 --- a/ckcapi-object.c +++ b/ckcapi-object.c @@ -32,7 +32,7 @@ ckcapi_object_clear_all(void) if(object_array) { - for(i = 0; i < object_array->len; ++i) + for(i = 1; i < object_array->len; ++i) { ASSERT(ckcapi_array_index(object_array, CkCapiObject*, i)); object_free(ckcapi_array_index(object_array, CkCapiObject*, i)); @@ -70,13 +70,15 @@ ckcapi_object_register(CkCapiSession* sess, CkCapiObject* obj) { CkCapiObject* prev; CK_RV ret = CKR_OK; + void* key; + size_t klen; ASSERT(sess); ASSERT(obj->id == 0); ASSERT(obj->unique_key); - ASSERT(obj->unique_len); + ASSERT(obj->unique_len > 0); - DBGS(sess, "registering new object"); + DBG(("registering object")); ckcapi_lock_global(); @@ -105,14 +107,21 @@ ckcapi_object_register(CkCapiSession* sess, CkCapiObject* obj) ASSERT(object_array); ASSERT(object_hash); + /* The type of object is part of the hash */ + key = obj->unique_key; + klen = obj->unique_len; + + /* Sanity check, in case calcs went wrong somewhere */ + ASSERT(klen < 0xFFFFFF); + /* Look in the hash and find a previous object */ - prev = ckcapi_hash_get(object_hash, obj->unique_key, obj->unique_len); + prev = ckcapi_hash_get(object_hash, key, klen); if(prev) { /* Register it in the previous object's place */ obj->id = prev->id; ASSERT(prev->id < object_array->len); - if(ckcapi_hash_set(object_hash, obj->unique_key, obj->unique_len, obj)) + if(ckcapi_hash_set(object_hash, key, klen, obj)) { ckcapi_array_index(object_array, CkCapiObject*, obj->id) = obj; object_free(prev); @@ -129,7 +138,7 @@ ckcapi_object_register(CkCapiSession* sess, CkCapiObject* obj) /* Register it at the end of the array */ obj->id = object_array->len; ASSERT(obj->id > 0); - if(ckcapi_hash_set(object_hash, obj->unique_key, obj->unique_len, obj)) + if(ckcapi_hash_set(object_hash, key, klen, obj)) { if(ckcapi_array_append(object_array, obj)) { @@ -140,7 +149,7 @@ ckcapi_object_register(CkCapiSession* sess, CkCapiObject* obj) ret = CKR_HOST_MEMORY; /* Roll back our addition */ - ckcapi_hash_rem(object_hash, obj->unique_key, obj->unique_len); + ckcapi_hash_rem(object_hash, key, klen); } } else diff --git a/ckcapi-session.c b/ckcapi-session.c index 1076fbd..ce7e9d2 100644 --- a/ckcapi-session.c +++ b/ckcapi-session.c @@ -359,6 +359,12 @@ gather_objects(CkCapiSession* sess, CK_ATTRIBUTE_PTR match, CK_OBJECT_CLASS ocls = CK_INVALID_HANDLE; CK_RV ret = CKR_OK; + /* TODO: Reenable this once we have trust worked out + ret = ckcapi_builtin_find_all(sess, match, count, arr); + if(ret != CKR_OK) + return ret; + */ + get_ulong_attribute(CKA_CLASS, match, count, &ocls); switch(ocls) { @@ -387,6 +393,36 @@ cleanup_find_operation(CkCapiSession* sess) sess->operation_cancel = NULL; } +void +purge_duplicate_ulongs(CkCapiArray* arr) +{ + CkCapiHash* checks; + CK_ULONG* v; + size_t i; + + checks = ckcapi_hash_new(); + if(!checks) + return; + + for(i = 0; i < arr->len; ) + { + v = &ckcapi_array_index(arr, CK_ULONG, i); + if(ckcapi_hash_get(checks, v, sizeof(CK_ULONG))) + { + ckcapi_array_remove_index(arr, i); + /* Look at same i again */ + } + else + { + if(!ckcapi_hash_set(checks, v, sizeof(CK_ULONG), v)) + break; + ++i; + } + } + + ckcapi_hash_free(checks); +} + CK_RV ckcapi_session_find_init(CkCapiSession* sess, CK_ATTRIBUTE_PTR match, CK_ULONG count) @@ -411,6 +447,9 @@ ckcapi_session_find_init(CkCapiSession* sess, CK_ATTRIBUTE_PTR match, return ret; } + /* Cleanup all duplicates in the array */ + purge_duplicate_ulongs(arr); + sess->operation_type = OPERATION_FIND; sess->operation_data = arr; sess->operation_cancel = cleanup_find_operation; @@ -459,3 +498,4 @@ ckcapi_session_find_final(CkCapiSession* sess) return CKR_OK; } + diff --git a/ckcapi-util.c b/ckcapi-util.c index 4078ab5..3c587ac 100644 --- a/ckcapi-util.c +++ b/ckcapi-util.c @@ -151,7 +151,7 @@ ckcapi_array_remove_range(CkCapiArray* parray, unsigned int index, size_t length if(index >= array->pub.len) return; - if(index + length > array->pub.len); + if(index + length > array->pub.len) length = array->pub.len - index; if(length == 0) return; @@ -187,8 +187,6 @@ ckcapi_array_remove_range(CkCapiArray* parray, unsigned int index, size_t length */ -#define KEY_DATA(he) ((he)->key) - /* * The internal form of a hash table. * @@ -375,7 +373,7 @@ find_entry(CkCapiHash* ht, const void* key, size_t klen, const void* val) he; hep = &he->next, he = *hep) { if(he->hash == hash && he->klen == klen && - memcmp(KEY_DATA(he), key, klen) == 0) + memcmp(he->key, key, klen) == 0) break; } diff --git a/ckcapi.c b/ckcapi.c index 84538c8..a1243b8 100644 --- a/ckcapi.c +++ b/ckcapi.c @@ -20,7 +20,7 @@ static HANDLE global_mutex = NULL; #define LIBRARY_DESCRIPTION "Cryptoki CAPI Provider " #define LIBRARY_VERSION_MAJOR 1 #define LIBRARY_VERSION_MINOR 1 -#define SLOT_DESCRIPTION "Windows CAPI Certificates and Keys " +#define SLOT_DESCRIPTION "Windows Certificates and Keys " #define HARDWARE_VERSION_MAJOR 0 #define HARDWARE_VERSION_MINOR 0 #define FIRMWARE_VERSION_MAJOR 0 @@ -44,6 +44,8 @@ ckcapi_debug(const char* msg, ...) _vsnprintf(buf, 1024, msg, va); va_end(va); + strncat(buf, "\n", 1024); + buf[1024 - 1] = 0; OutputDebugStringA(buf); } @@ -306,18 +308,18 @@ CC_C_GetMechanismList(CK_SLOT_ID id, CK_MECHANISM_TYPE_PTR mechanism_list, if(mechanism_list == NULL) { - *count = 1; + *count = 0; RETURN(CKR_OK); } - if(*count < 1) + if(*count < 0) { - *count = 1; + *count = 0; RETURN(CKR_BUFFER_TOO_SMALL); } - mechanism_list[0] = CKM_RSA_PKCS; - *count = 1; + /* mechanism_list[0] = CKM_RSA_PKCS; */ + *count = 0; RETURN(CKR_OK); } diff --git a/ckcapi.dsp b/ckcapi.dsp index c50d0af..d81ae3a 100644 --- a/ckcapi.dsp +++ b/ckcapi.dsp @@ -92,6 +92,10 @@ LINK32=link.exe # PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" # Begin Source File +SOURCE=".\ckcapi-builtin.c" +# End Source File +# Begin Source File + SOURCE=".\ckcapi-cert.c" # End Source File # Begin Source File diff --git a/ckcapi.h b/ckcapi.h index 2f832dd..e1a0301 100644 --- a/ckcapi.h +++ b/ckcapi.h @@ -75,12 +75,17 @@ CK_RV ckcapi_session_find (CkCapiSession* sess, CK_OBJECT_HANDLE_PTR objects CK_ULONG max_object_count, CK_ULONG_PTR object_count); CK_RV ckcapi_session_find_final (CkCapiSession* sess); - - /* ------------------------------------------------------------------ * ckcapi-object.c */ +/* For operation_type in CkCapiSession */ +enum +{ + OBJECT_CERT = 1, + OBJECT_BUILTIN = 2 +}; + typedef CK_RV (*CkCapiGetAttribute)(void* obj, CK_ATTRIBUTE_TYPE type, CK_VOID_PTR data, CK_ULONG_PTR len); @@ -103,6 +108,7 @@ typedef struct _CkCapiObjectData } CkCapiObjectData; +typedef CK_RV (*CkCapiPurge)(struct _CkCapiObject* obj); typedef CK_RV (*CkCapiLoadData)(struct _CkCapiObject* obj, CkCapiObjectData* objdata); typedef struct _CkCapiObjectVtable @@ -112,13 +118,34 @@ typedef struct _CkCapiObjectVtable } CkCapiObjectVtable; +/* + * Each object has a unique key which guarantees that we're + * not loading the same objects over and over again. + * Usually these are contiguous members of a struct. These + * macros help calculate the address and length of such a + * unique key + */ + +/* The unique key starts at the address of the starting struct member */ +#define UNIQUE_KEY_AT(obj, mem) \ + (void*)(&((obj->mem))) + +/* Calculates key length between first and last struct members */ +#define UNIQUE_KEY_LEN(obj, first, last) \ + UNIQUE_KEY_VAR_LEN(obj, first, last, sizeof(obj->last)) + +/* Calcs key len between first and a certain num of bytes past last struct member */ +#define UNIQUE_KEY_VAR_LEN(obj, first, last, len) \ + ((((char*)&((obj->last))) - ((char*)&((obj->first)))) + (len)) + typedef struct _CkCapiObject { CK_OBJECT_HANDLE id; + + // These items must remain together in the structure + CkCapiObjectVtable obj_funcs; void* unique_key; size_t unique_len; - CkCapiObjectVtable obj_funcs; - CkCapiObjectDataVtable data_funcs; } CkCapiObject; @@ -157,6 +184,12 @@ CK_RV ckcapi_cert_find_all (CkCapiSession* sess, CK_ATTRIBUTE_PTR match, CK_RV ckcapi_cert_find_in_store (CkCapiSession* sess, const char* store_name, CK_ATTRIBUTE_PTR match, CK_ULONG count, CkCapiArray* arr); +/* ------------------------------------------------------------------- + * ckcapi-builtin.c + */ + +CK_RV ckcapi_builtin_find_all (CkCapiSession* sess, CK_ATTRIBUTE_PTR match, + CK_ULONG count, CkCapiArray* arr); #endif /* CRYPTOKI_CAPI_H */ diff --git a/pkcs11/pkcs11n.h b/pkcs11/pkcs11n.h new file mode 100644 index 0000000..d611d75 --- /dev/null +++ b/pkcs11/pkcs11n.h @@ -0,0 +1,221 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * Dr Stephen Henson + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#ifndef _PKCS11N_H_ +#define _PKCS11N_H_ + +#ifdef DEBUG +static const char CKT_CVS_ID[] = "@(#) $RCSfile: pkcs11n.h,v $ $Revision: 1.15 $ $Date: 2005/09/28 17:12:17 $"; +#endif /* DEBUG */ + +/* + * pkcs11n.h + * + * This file contains the NSS-specific type definitions for Cryptoki + * (PKCS#11). + */ + +/* + * NSSCK_VENDOR_NETSCAPE + * + * Cryptoki reserves the high half of all the number spaces for + * vendor-defined use. I'd like to keep all of our Netscape- + * specific values together, but not in the oh-so-obvious + * 0x80000001, 0x80000002, etc. area. So I've picked an offset, + * and constructed values for the beginnings of our spaces. + * + * Note that some "historical" Netscape values don't fall within + * this range. + */ +#define NSSCK_VENDOR_NETSCAPE 0x4E534350 /* NSCP */ + +/* + * Netscape-defined object classes + * + */ +#define CKO_NETSCAPE (CKO_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE) + +#define CKO_NETSCAPE_CRL (CKO_NETSCAPE + 1) +#define CKO_NETSCAPE_SMIME (CKO_NETSCAPE + 2) +#define CKO_NETSCAPE_TRUST (CKO_NETSCAPE + 3) +#define CKO_NETSCAPE_BUILTIN_ROOT_LIST (CKO_NETSCAPE + 4) +#define CKO_NETSCAPE_NEWSLOT (CKO_NETSCAPE + 5) +#define CKO_NETSCAPE_DELSLOT (CKO_NETSCAPE + 6) + +/* + * Netscape-defined key types + * + */ +#define CKK_NETSCAPE (CKK_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE) + +#define CKK_NETSCAPE_PKCS8 (CKK_NETSCAPE + 1) +/* + * Netscape-defined certificate types + * + */ +#define CKC_NETSCAPE (CKC_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE) + +/* + * Netscape-defined object attributes + * + */ +#define CKA_NETSCAPE (CKA_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE) + +#define CKA_NETSCAPE_URL (CKA_NETSCAPE + 1) +#define CKA_NETSCAPE_EMAIL (CKA_NETSCAPE + 2) +#define CKA_NETSCAPE_SMIME_INFO (CKA_NETSCAPE + 3) +#define CKA_NETSCAPE_SMIME_TIMESTAMP (CKA_NETSCAPE + 4) +#define CKA_NETSCAPE_PKCS8_SALT (CKA_NETSCAPE + 5) +#define CKA_NETSCAPE_PASSWORD_CHECK (CKA_NETSCAPE + 6) +#define CKA_NETSCAPE_EXPIRES (CKA_NETSCAPE + 7) +#define CKA_NETSCAPE_KRL (CKA_NETSCAPE + 8) + +#define CKA_NETSCAPE_PQG_COUNTER (CKA_NETSCAPE + 20) +#define CKA_NETSCAPE_PQG_SEED (CKA_NETSCAPE + 21) +#define CKA_NETSCAPE_PQG_H (CKA_NETSCAPE + 22) +#define CKA_NETSCAPE_PQG_SEED_BITS (CKA_NETSCAPE + 23) +#define CKA_NETSCAPE_MODULE_SPEC (CKA_NETSCAPE + 24) + +/* + * Trust attributes: + * + * If trust goes standard, these probably will too. So I'll + * put them all in one place. + */ + +#define CKA_TRUST (CKA_NETSCAPE + 0x2000) + +/* "Usage" key information */ +#define CKA_TRUST_DIGITAL_SIGNATURE (CKA_TRUST + 1) +#define CKA_TRUST_NON_REPUDIATION (CKA_TRUST + 2) +#define CKA_TRUST_KEY_ENCIPHERMENT (CKA_TRUST + 3) +#define CKA_TRUST_DATA_ENCIPHERMENT (CKA_TRUST + 4) +#define CKA_TRUST_KEY_AGREEMENT (CKA_TRUST + 5) +#define CKA_TRUST_KEY_CERT_SIGN (CKA_TRUST + 6) +#define CKA_TRUST_CRL_SIGN (CKA_TRUST + 7) + +/* "Purpose" trust information */ +#define CKA_TRUST_SERVER_AUTH (CKA_TRUST + 8) +#define CKA_TRUST_CLIENT_AUTH (CKA_TRUST + 9) +#define CKA_TRUST_CODE_SIGNING (CKA_TRUST + 10) +#define CKA_TRUST_EMAIL_PROTECTION (CKA_TRUST + 11) +#define CKA_TRUST_IPSEC_END_SYSTEM (CKA_TRUST + 12) +#define CKA_TRUST_IPSEC_TUNNEL (CKA_TRUST + 13) +#define CKA_TRUST_IPSEC_USER (CKA_TRUST + 14) +#define CKA_TRUST_TIME_STAMPING (CKA_TRUST + 15) +#define CKA_TRUST_STEP_UP_APPROVED (CKA_TRUST + 16) + +#define CKA_CERT_SHA1_HASH (CKA_TRUST + 100) +#define CKA_CERT_MD5_HASH (CKA_TRUST + 101) + +/* Netscape trust stuff */ +/* XXX fgmr new ones here-- step-up, etc. */ + +/* HISTORICAL: define used to pass in the database key for DSA private keys */ +#define CKA_NETSCAPE_DB 0xD5A0DB00L +#define CKA_NETSCAPE_TRUST 0x80000001L + +/* + * Netscape-defined crypto mechanisms + * + */ +#define CKM_NETSCAPE (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE) + +#define CKM_NETSCAPE_AES_KEY_WRAP (CKM_NETSCAPE + 1) +#define CKM_NETSCAPE_AES_KEY_WRAP_PAD (CKM_NETSCAPE + 2) + +/* + * HISTORICAL: + * Do not attempt to use these. They are only used by NETSCAPE's internal + * PKCS #11 interface. Most of these are place holders for other mechanism + * and will change in the future. + */ +#define CKM_NETSCAPE_PBE_SHA1_DES_CBC 0x80000002L +#define CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC 0x80000003L +#define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC 0x80000004L +#define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC 0x80000005L +#define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4 0x80000006L +#define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4 0x80000007L +#define CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC 0x80000008L +#define CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN 0x80000009L +#define CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN 0x8000000aL +#define CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN 0x8000000bL + +#define CKM_TLS_PRF_GENERAL 0x80000373L + +/* + * Netscape-defined return values + * + */ +#define CKR_NETSCAPE (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE) + +#define CKR_NETSCAPE_CERTDB_FAILED (CKR_NETSCAPE + 1) +#define CKR_NETSCAPE_KEYDB_FAILED (CKR_NETSCAPE + 2) + +/* + * Trust info + * + * This isn't part of the Cryptoki standard (yet), so I'm putting + * all the definitions here. Some of this would move to nssckt.h + * if trust info were made part of the standard. In view of this + * possibility, I'm putting my (Netscape) values in the netscape + * vendor space, like everything else. + */ + +typedef CK_ULONG CK_TRUST; + +/* The following trust types are defined: */ +#define CKT_VENDOR_DEFINED 0x80000000 + +#define CKT_NETSCAPE (CKT_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE) + +/* If trust goes standard, these'll probably drop out of vendor space. */ +#define CKT_NETSCAPE_TRUSTED (CKT_NETSCAPE + 1) +#define CKT_NETSCAPE_TRUSTED_DELEGATOR (CKT_NETSCAPE + 2) +#define CKT_NETSCAPE_UNTRUSTED (CKT_NETSCAPE + 3) +#define CKT_NETSCAPE_MUST_VERIFY (CKT_NETSCAPE + 4) +#define CKT_NETSCAPE_TRUST_UNKNOWN (CKT_NETSCAPE + 5) /* default */ + +/* + * These may well remain Netscape-specific; I'm only using them + * to cache resolution data. + */ +#define CKT_NETSCAPE_VALID (CKT_NETSCAPE + 10) +#define CKT_NETSCAPE_VALID_DELEGATOR (CKT_NETSCAPE + 11) + + +#endif /* _PKCS11N_H_ */ -- cgit v1.2.3