openbox lab initialized

2025-11-06 00:01:42 +08:00
parent 0fe20bb24c
commit edb0725375
2508 changed files with 670396 additions and 66 deletions


@@ -0,0 +1,64 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _ALGHMAC_H_
#define _ALGHMAC_H_
typedef struct HMACContextStr HMACContext;
SEC_BEGIN_PROTOS
/* destroy HMAC context */
extern void
HMAC_Destroy(HMACContext *cx, PRBool freeit);
/* create HMAC context
* hash_obj hash object from SECRawHashObjects[]
* secret the secret with which the HMAC is performed.
* secret_len the length of the secret.
* isFIPS true if conforming to FIPS 198.
*
* NULL is returned if an error occurs.
*/
extern HMACContext *
HMAC_Create(const SECHashObject *hash_obj, const unsigned char *secret,
unsigned int secret_len, PRBool isFIPS);
/* like HMAC_Create, except caller allocates HMACContext. */
SECStatus
HMAC_Init(HMACContext *cx, const SECHashObject *hash_obj,
const unsigned char *secret, unsigned int secret_len, PRBool isFIPS);
/* reset HMAC for a fresh round */
extern void
HMAC_Begin(HMACContext *cx);
/* update HMAC
* cx HMAC Context
* data the data to perform HMAC on
* data_len the length of the data to process
*/
extern void
HMAC_Update(HMACContext *cx, const unsigned char *data, unsigned int data_len);
/* Finish HMAC -- place the results within result
* cx HMAC context
* result buffer for resulting hmac'd data
* result_len where the resultant hmac length is stored
* max_result_len maximum possible length that can be stored in result
*/
extern SECStatus
HMAC_Finish(HMACContext *cx, unsigned char *result, unsigned int *result_len,
unsigned int max_result_len);
/* clone a copy of the HMAC state. this is usefult when you would
* need to keep a running hmac but also need to extract portions
* partway through the process.
*/
extern HMACContext *
HMAC_Clone(HMACContext *cx);
SEC_END_PROTOS
#endif
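Review bot: The comments on `HMAC_Destroy` and `HMAC_Finish` omit the parts of the contract that matter to a caller holding key material: what `freeit` controls, whether the keyed state in `cx` is cleared when it is false, and what `HMAC_Finish` returns when `max_result_len` is smaller than the digest. I would expand the `HMAC_Destroy` comment to something like `/* destroy HMAC context; freeit: PR_TRUE also releases cx itself (TODO confirm: is keyed state wiped either way?) */`, filled in from the implementation, which this header does not show. The same goes for `isFIPS`, where "true if conforming to FIPS 198" does not say which inputs are then rejected. Minor style points: `HMAC_Init` is the only prototype declared without `extern`, and the comment above `HMAC_Clone` has the typo "usefult".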


@@ -0,0 +1,41 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* base64.h - prototypes for base64 encoding/decoding
* Note: These functions are deprecated; see nssb64.h for new routines.
*/
#ifndef _BASE64_H_
#define _BASE64_H_
#include "utilrename.h"
#include "seccomon.h"
SEC_BEGIN_PROTOS
/*
** Return an PORT_Alloc'd ascii string which is the base64 encoded
** version of the input string.
*/
extern char *BTOA_DataToAscii(const unsigned char *data, unsigned int len);
/*
** Return an PORT_Alloc'd string which is the base64 decoded version
** of the input string; set *lenp to the length of the returned data.
*/
extern unsigned char *ATOB_AsciiToData(const char *string, unsigned int *lenp);
/*
** Convert from ascii to binary encoding of an item.
*/
extern SECStatus ATOB_ConvertAsciiToItem(SECItem *binary_item, const char *ascii);
/*
** Convert from binary encoding of an item to ascii.
*/
extern char *BTOA_ConvertItemToAscii(SECItem *binary_item);
SEC_END_PROTOS
#endif /* _BASE64_H_ */


@@ -0,0 +1,414 @@
/*
* blapit.h - public data structures for the freebl library
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _BLAPIT_H_
#define _BLAPIT_H_
#include "seccomon.h"
#include "prlink.h"
#include "plarena.h"
#include "ecl-exp.h"
/* RC2 operation modes */
#define NSS_RC2 0
#define NSS_RC2_CBC 1
/* RC5 operation modes */
#define NSS_RC5 0
#define NSS_RC5_CBC 1
/* DES operation modes */
#define NSS_DES 0
#define NSS_DES_CBC 1
#define NSS_DES_EDE3 2
#define NSS_DES_EDE3_CBC 3
#define DES_KEY_LENGTH 8 /* Bytes */
/* AES operation modes */
#define NSS_AES 0
#define NSS_AES_CBC 1
#define NSS_AES_CTS 2
#define NSS_AES_CTR 3
#define NSS_AES_GCM 4
/* Camellia operation modes */
#define NSS_CAMELLIA 0
#define NSS_CAMELLIA_CBC 1
/* SEED operation modes */
#define NSS_SEED 0
#define NSS_SEED_CBC 1
#define DSA1_SUBPRIME_LEN 20 /* Bytes */
#define DSA1_SIGNATURE_LEN (DSA1_SUBPRIME_LEN * 2) /* Bytes */
#define DSA_MAX_SUBPRIME_LEN 32 /* Bytes */
#define DSA_MAX_SIGNATURE_LEN (DSA_MAX_SUBPRIME_LEN * 2) /* Bytes */
/*
* Mark the old defines as deprecated. This will warn code that expected
* DSA1 only that they need to change if the are to support DSA2.
*/
#if defined(__GNUC__) && (__GNUC__ > 3)
/* make GCC warn when we use these #defines */
typedef int __BLAPI_DEPRECATED __attribute__((deprecated));
#define DSA_SUBPRIME_LEN ((__BLAPI_DEPRECATED)DSA1_SUBPRIME_LEN)
#define DSA_SIGNATURE_LEN ((__BLAPI_DEPRECATED)DSA1_SIGNATURE_LEN)
#define DSA_Q_BITS ((__BLAPI_DEPRECATED)(DSA1_SUBPRIME_LEN * 8))
#else
#ifdef _WIN32
/* This magic gets the windows compiler to give us a deprecation
* warning */
#pragma deprecated(DSA_SUBPRIME_LEN, DSA_SIGNATURE_LEN, DSA_QBITS)
#endif
#define DSA_SUBPRIME_LEN DSA1_SUBPRIME_LEN
#define DSA_SIGNATURE_LEN DSA1_SIGNATURE_LEN
#define DSA_Q_BITS (DSA1_SUBPRIME_LEN * 8)
#endif
/* XXX We shouldn't have to hard code this limit. For
* now, this is the quickest way to support ECDSA signature
* processing (ECDSA signature lengths depend on curve
* size). This limit is sufficient for curves upto
* 576 bits.
*/
#define MAX_ECKEY_LEN 72 /* Bytes */
#define EC_MAX_KEY_BITS 521 /* in bits */
#define EC_MIN_KEY_BITS 256 /* in bits */
/* EC point compression format */
#define EC_POINT_FORM_COMPRESSED_Y0 0x02
#define EC_POINT_FORM_COMPRESSED_Y1 0x03
#define EC_POINT_FORM_UNCOMPRESSED 0x04
#define EC_POINT_FORM_HYBRID_Y0 0x06
#define EC_POINT_FORM_HYBRID_Y1 0x07
/*
* Number of bytes each hash algorithm produces
*/
#define MD2_LENGTH 16 /* Bytes */
#define MD5_LENGTH 16 /* Bytes */
#define SHA1_LENGTH 20 /* Bytes */
#define SHA256_LENGTH 32 /* bytes */
#define SHA384_LENGTH 48 /* bytes */
#define SHA512_LENGTH 64 /* bytes */
#define HASH_LENGTH_MAX SHA512_LENGTH
/*
* Input block size for each hash algorithm.
*/
#define MD2_BLOCK_LENGTH 64 /* bytes */
#define MD5_BLOCK_LENGTH 64 /* bytes */
#define SHA1_BLOCK_LENGTH 64 /* bytes */
#define SHA224_BLOCK_LENGTH 64 /* bytes */
#define SHA256_BLOCK_LENGTH 64 /* bytes */
#define SHA384_BLOCK_LENGTH 128 /* bytes */
#define SHA512_BLOCK_LENGTH 128 /* bytes */
#define HASH_BLOCK_LENGTH_MAX SHA512_BLOCK_LENGTH
#define AES_KEY_WRAP_IV_BYTES 8
#define AES_KEY_WRAP_BLOCK_SIZE 8 /* bytes */
#define AES_BLOCK_SIZE 16 /* bytes */
#define AES_128_KEY_LENGTH 16 /* bytes */
#define AES_192_KEY_LENGTH 24 /* bytes */
#define AES_256_KEY_LENGTH 32 /* bytes */
#define CAMELLIA_BLOCK_SIZE 16 /* bytes */
#define SEED_BLOCK_SIZE 16 /* bytes */
#define SEED_KEY_LENGTH 16 /* bytes */
#define NSS_FREEBL_DEFAULT_CHUNKSIZE 2048
/*
* These values come from the initial key size limits from the PKCS #11
* module. They may be arbitrarily adjusted to any value freebl supports.
*/
#define RSA_MIN_MODULUS_BITS 128
#define RSA_MAX_MODULUS_BITS 16384
#define RSA_MAX_EXPONENT_BITS 64
#define DH_MIN_P_BITS 128
#define DH_MAX_P_BITS 16384
/*
* The FIPS 186-1 algorithm for generating primes P and Q allows only 9
* distinct values for the length of P, and only one value for the
* length of Q.
* The algorithm uses a variable j to indicate which of the 9 lengths
* of P is to be used.
* The following table relates j to the lengths of P and Q in bits.
*
* j bits in P bits in Q
* _ _________ _________
* 0 512 160
* 1 576 160
* 2 640 160
* 3 704 160
* 4 768 160
* 5 832 160
* 6 896 160
* 7 960 160
* 8 1024 160
*
* The FIPS-186-1 compliant PQG generator takes j as an input parameter.
*
* FIPS 186-3 algorithm specifies 4 distinct P and Q sizes:
*
* bits in P bits in Q
* _________ _________
* 1024 160
* 2048 224
* 2048 256
* 3072 256
*
* The FIPS-186-3 complaiant PQG generator (PQG V2) takes arbitrary p and q
* lengths as input and returns an error if they aren't in this list.
*/
#define DSA1_Q_BITS 160
#define DSA_MAX_P_BITS 3072
#define DSA_MIN_P_BITS 512
#define DSA_MAX_Q_BITS 256
#define DSA_MIN_Q_BITS 160
#if DSA_MAX_Q_BITS != DSA_MAX_SUBPRIME_LEN * 8
#error "Inconsistent declaration of DSA SUBPRIME/Q parameters in blapit.h"
#endif
/*
* function takes desired number of bits in P,
* returns index (0..8) or -1 if number of bits is invalid.
*/
#define PQG_PBITS_TO_INDEX(bits) \
(((bits) < 512 || (bits) > 1024 || (bits) % 64) ? -1 : (int)((bits)-512) / 64)
/*
* function takes index (0-8)
* returns number of bits in P for that index, or -1 if index is invalid.
*/
#define PQG_INDEX_TO_PBITS(j) (((unsigned)(j) > 8) ? -1 : (512 + 64 * (j)))
/***************************************************************************
** Opaque objects
*/
struct DESContextStr;
struct RC2ContextStr;
struct RC4ContextStr;
struct RC5ContextStr;
struct AESContextStr;
struct CamelliaContextStr;
struct MD2ContextStr;
struct MD5ContextStr;
struct SHA1ContextStr;
struct SHA256ContextStr;
struct SHA512ContextStr;
struct AESKeyWrapContextStr;
struct SEEDContextStr;
struct ChaCha20Poly1305ContextStr;
typedef struct DESContextStr DESContext;
typedef struct RC2ContextStr RC2Context;
typedef struct RC4ContextStr RC4Context;
typedef struct RC5ContextStr RC5Context;
typedef struct AESContextStr AESContext;
typedef struct CamelliaContextStr CamelliaContext;
typedef struct MD2ContextStr MD2Context;
typedef struct MD5ContextStr MD5Context;
typedef struct SHA1ContextStr SHA1Context;
typedef struct SHA256ContextStr SHA256Context;
/* SHA224Context is really a SHA256ContextStr. This is not a mistake. */
typedef struct SHA256ContextStr SHA224Context;
typedef struct SHA512ContextStr SHA512Context;
/* SHA384Context is really a SHA512ContextStr. This is not a mistake. */
typedef struct SHA512ContextStr SHA384Context;
typedef struct AESKeyWrapContextStr AESKeyWrapContext;
typedef struct SEEDContextStr SEEDContext;
typedef struct ChaCha20Poly1305ContextStr ChaCha20Poly1305Context;
/***************************************************************************
** RSA Public and Private Key structures
*/
/* member names from PKCS#1, section 7.1 */
struct RSAPublicKeyStr {
PLArenaPool *arena;
SECItem modulus;
SECItem publicExponent;
};
typedef struct RSAPublicKeyStr RSAPublicKey;
/* member names from PKCS#1, section 7.2 */
struct RSAPrivateKeyStr {
PLArenaPool *arena;
SECItem version;
SECItem modulus;
SECItem publicExponent;
SECItem privateExponent;
SECItem prime1;
SECItem prime2;
SECItem exponent1;
SECItem exponent2;
SECItem coefficient;
};
typedef struct RSAPrivateKeyStr RSAPrivateKey;
/***************************************************************************
** DSA Public and Private Key and related structures
*/
struct PQGParamsStr {
PLArenaPool *arena;
SECItem prime; /* p */
SECItem subPrime; /* q */
SECItem base; /* g */
/* XXX chrisk: this needs to be expanded to hold j and validationParms (RFC2459 7.3.2) */
};
typedef struct PQGParamsStr PQGParams;
struct PQGVerifyStr {
PLArenaPool *arena; /* includes this struct, seed, & h. */
unsigned int counter;
SECItem seed;
SECItem h;
};
typedef struct PQGVerifyStr PQGVerify;
struct DSAPublicKeyStr {
PQGParams params;
SECItem publicValue;
};
typedef struct DSAPublicKeyStr DSAPublicKey;
struct DSAPrivateKeyStr {
PQGParams params;
SECItem publicValue;
SECItem privateValue;
};
typedef struct DSAPrivateKeyStr DSAPrivateKey;
/***************************************************************************
** Diffie-Hellman Public and Private Key and related structures
** Structure member names suggested by PKCS#3.
*/
struct DHParamsStr {
PLArenaPool *arena;
SECItem prime; /* p */
SECItem base; /* g */
};
typedef struct DHParamsStr DHParams;
struct DHPublicKeyStr {
PLArenaPool *arena;
SECItem prime;
SECItem base;
SECItem publicValue;
};
typedef struct DHPublicKeyStr DHPublicKey;
struct DHPrivateKeyStr {
PLArenaPool *arena;
SECItem prime;
SECItem base;
SECItem publicValue;
SECItem privateValue;
};
typedef struct DHPrivateKeyStr DHPrivateKey;
/***************************************************************************
** Data structures used for elliptic curve parameters and
** public and private keys.
*/
/*
** The ECParams data structures can encode elliptic curve
** parameters for both GFp and GF2m curves.
*/
typedef enum { ec_params_explicit,
ec_params_named
} ECParamsType;
typedef enum { ec_field_GFp = 1,
ec_field_GF2m,
ec_field_plain
} ECFieldType;
struct ECFieldIDStr {
int size; /* field size in bits */
ECFieldType type;
union {
SECItem prime; /* prime p for (GFp) */
SECItem poly; /* irreducible binary polynomial for (GF2m) */
} u;
int k1; /* first coefficient of pentanomial or
* the only coefficient of trinomial
*/
int k2; /* two remaining coefficients of pentanomial */
int k3;
};
typedef struct ECFieldIDStr ECFieldID;
struct ECCurveStr {
SECItem a; /* contains octet stream encoding of
* field element (X9.62 section 4.3.3)
*/
SECItem b;
SECItem seed;
};
typedef struct ECCurveStr ECCurve;
struct ECParamsStr {
PLArenaPool *arena;
ECParamsType type;
ECFieldID fieldID;
ECCurve curve;
SECItem base;
SECItem order;
int cofactor;
SECItem DEREncoding;
ECCurveName name;
SECItem curveOID;
};
typedef struct ECParamsStr ECParams;
struct ECPublicKeyStr {
ECParams ecParams;
SECItem publicValue; /* elliptic curve point encoded as
* octet stream.
*/
};
typedef struct ECPublicKeyStr ECPublicKey;
struct ECPrivateKeyStr {
ECParams ecParams;
SECItem publicValue; /* encoded ec point */
SECItem privateValue; /* private big integer */
SECItem version; /* As per SEC 1, Appendix C, Section C.4 */
};
typedef struct ECPrivateKeyStr ECPrivateKey;
typedef void *(*BLapiAllocateFunc)(void);
typedef void (*BLapiDestroyContextFunc)(void *cx, PRBool freeit);
typedef SECStatus (*BLapiInitContextFunc)(void *cx,
const unsigned char *key,
unsigned int keylen,
const unsigned char *,
int,
unsigned int,
unsigned int);
typedef SECStatus (*BLapiEncrypt)(void *cx, unsigned char *output,
unsigned int *outputLen,
unsigned int maxOutputLen,
const unsigned char *input,
unsigned int inputLen);
#endif /* _BLAPIT_H_ */
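Review bot: The lower bounds `RSA_MIN_MODULUS_BITS 128`, `DH_MIN_P_BITS 128` and `DSA_MIN_P_BITS 512` are what the library will accept, not sizes that are safe to use, and the comment above them only says they came from the PKCS #11 module's initial limits. A consumer that validates key sizes against these macros alone would accept keys far below current practice, so I would add a line such as `/* Acceptance limits only; callers must enforce their own minimum-strength policy. */` above that block. Separately, the `_WIN32` branch has `#pragma deprecated(DSA_SUBPRIME_LEN, DSA_SIGNATURE_LEN, DSA_QBITS)` while the macro defined just below is `DSA_Q_BITS`, so that name is presumably never flagged on that compiler. The pragma should read `#pragma deprecated(DSA_SUBPRIME_LEN, DSA_SIGNATURE_LEN, DSA_Q_BITS)`.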


@@ -0,0 +1,89 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _CERTDB_H_
#define _CERTDB_H_
/* common flags for all types of certificates */
#define CERTDB_TERMINAL_RECORD (1u << 0)
#define CERTDB_TRUSTED (1u << 1)
#define CERTDB_SEND_WARN (1u << 2)
#define CERTDB_VALID_CA (1u << 3)
#define CERTDB_TRUSTED_CA (1u << 4) /* trusted for issuing server certs */
#define CERTDB_NS_TRUSTED_CA (1u << 5)
#define CERTDB_USER (1u << 6)
#define CERTDB_TRUSTED_CLIENT_CA (1u << 7) /* trusted for issuing client certs */
#define CERTDB_INVISIBLE_CA (1u << 8) /* don't show in UI */
#define CERTDB_GOVT_APPROVED_CA (1u << 9) /* can do strong crypto in export ver */
/* old usage, to keep old programs compiling */
/* On Windows, Mac, and Linux (and other gcc platforms), we can give compile
* time deprecation warnings when applications use the old CERTDB_VALID_PEER
* define */
#if __GNUC__ > 3
#if (__GNUC__ == 4) && (__GNUC_MINOR__ < 5)
typedef unsigned int __CERTDB_VALID_PEER __attribute__((deprecated));
#else
typedef unsigned int __CERTDB_VALID_PEER __attribute__((
deprecated("CERTDB_VALID_PEER is now CERTDB_TERMINAL_RECORD")));
#endif
#define CERTDB_VALID_PEER ((__CERTDB_VALID_PEER)CERTDB_TERMINAL_RECORD)
#else
#ifdef _WIN32
#pragma deprecated(CERTDB_VALID_PEER)
#endif
#define CERTDB_VALID_PEER CERTDB_TERMINAL_RECORD
#endif
SEC_BEGIN_PROTOS
CERTSignedCrl *SEC_FindCrlByKey(CERTCertDBHandle *handle, SECItem *crlKey,
int type);
CERTSignedCrl *SEC_FindCrlByName(CERTCertDBHandle *handle, SECItem *crlKey,
int type);
CERTSignedCrl *SEC_FindCrlByDERCert(CERTCertDBHandle *handle, SECItem *derCrl,
int type);
PRBool SEC_CertNicknameConflict(const char *nickname, const SECItem *derSubject,
CERTCertDBHandle *handle);
CERTSignedCrl *SEC_NewCrl(CERTCertDBHandle *handle, char *url, SECItem *derCrl,
int type);
SECStatus SEC_DeletePermCRL(CERTSignedCrl *crl);
SECStatus SEC_LookupCrls(CERTCertDBHandle *handle, CERTCrlHeadNode **nodes,
int type);
SECStatus SEC_DestroyCrl(CERTSignedCrl *crl);
CERTSignedCrl *SEC_DupCrl(CERTSignedCrl *acrl);
SECStatus CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
CERTCertTrust *trust);
SECStatus SEC_DeletePermCertificate(CERTCertificate *cert);
PRBool SEC_CrlIsNewer(CERTCrl *inNew, CERTCrl *old);
/*
** Extract the validity times from a CRL
** "crl" is the CRL
** "notBefore" is the start of the validity period (last update)
** "notAfter" is the end of the validity period (next update)
*/
SECStatus SEC_GetCrlTimes(CERTCrl *crl, PRTime *notBefore, PRTime *notAfter);
/*
** Check the validity times of a crl vs. time 't', allowing
** some slop for broken clocks and stuff.
** "crl" is the certificate to be checked
** "t" is the time to check against
*/
SECCertTimeValidity SEC_CheckCrlTimes(CERTCrl *crl, PRTime t);
SEC_END_PROTOS
#endif /* _CERTDB_H_ */
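Review bot: The comment on `SEC_CheckCrlTimes` describes `"crl"` as "the certificate to be checked" although the parameter is a `CERTCrl *`, and "some slop for broken clocks" gives no size for the tolerance, which matters when reasoning about the window in which a CRL outside its validity period is still treated as valid. I would change the parameter line to `** "crl" is the CRL to be checked` and name where the tolerance is defined, once that is confirmed from the implementation, which this header does not show. The guard `#if __GNUC__ > 3` also differs from the `defined(__GNUC__) && (__GNUC__ > 3)` form used in blapit.h in this same commit, and it relies on an undefined macro evaluating to 0 on non-GCC compilers.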


@@ -0,0 +1,59 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* ciferfam.h - cipher familie IDs used for configuring ciphers for export
* control
*/
#ifndef _CIFERFAM_H_
#define _CIFERFAM_H_
#include "utilrename.h"
/* Cipher Suite "Families" */
#define CIPHER_FAMILY_PKCS12 "PKCS12"
#define CIPHER_FAMILY_SMIME "SMIME"
#define CIPHER_FAMILY_SSL2 "SSLv2" /* deprecated */
#define CIPHER_FAMILY_SSL3 "SSLv3"
#define CIPHER_FAMILY_SSL "SSL"
#define CIPHER_FAMILY_ALL ""
#define CIPHER_FAMILY_UNKNOWN "UNKNOWN"
#define CIPHER_FAMILYID_MASK 0xFFFF0000L
#define CIPHER_FAMILYID_SSL 0x00000000L
#define CIPHER_FAMILYID_SMIME 0x00010000L
#define CIPHER_FAMILYID_PKCS12 0x00020000L
/* SMIME "Cipher Suites" */
/*
* Note that it is assumed that the cipher number itself can be used
* as a bit position in a mask, and that mask is currently 32 bits wide.
* So, if you want to add a cipher that is greater than 0037, secmime.c
* needs to be made smarter at the same time.
*/
#define SMIME_RC2_CBC_40 (CIPHER_FAMILYID_SMIME | 0001)
#define SMIME_RC2_CBC_64 (CIPHER_FAMILYID_SMIME | 0002)
#define SMIME_RC2_CBC_128 (CIPHER_FAMILYID_SMIME | 0003)
#define SMIME_DES_CBC_56 (CIPHER_FAMILYID_SMIME | 0011)
#define SMIME_DES_EDE3_168 (CIPHER_FAMILYID_SMIME | 0012)
#define SMIME_AES_CBC_128 (CIPHER_FAMILYID_SMIME | 0013)
#define SMIME_AES_CBC_256 (CIPHER_FAMILYID_SMIME | 0014)
#define SMIME_RC5PAD_64_16_40 (CIPHER_FAMILYID_SMIME | 0021)
#define SMIME_RC5PAD_64_16_64 (CIPHER_FAMILYID_SMIME | 0022)
#define SMIME_RC5PAD_64_16_128 (CIPHER_FAMILYID_SMIME | 0023)
#define SMIME_FORTEZZA (CIPHER_FAMILYID_SMIME | 0031)
/* PKCS12 "Cipher Suites" */
#define PKCS12_RC2_CBC_40 (CIPHER_FAMILYID_PKCS12 | 0001)
#define PKCS12_RC2_CBC_128 (CIPHER_FAMILYID_PKCS12 | 0002)
#define PKCS12_RC4_40 (CIPHER_FAMILYID_PKCS12 | 0011)
#define PKCS12_RC4_128 (CIPHER_FAMILYID_PKCS12 | 0012)
#define PKCS12_DES_56 (CIPHER_FAMILYID_PKCS12 | 0021)
#define PKCS12_DES_EDE3_168 (CIPHER_FAMILYID_PKCS12 | 0022)
/* SMIME version numbers are negative, to avoid colliding with SSL versions */
#define SMIME_LIBRARY_VERSION_1_0 -0x0100
#endif /* _CIFERFAM_H_ */
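Review bot: Only `CIPHER_FAMILY_SSL2` carries a deprecation marker, while the 40-bit and 56-bit identifiers (`SMIME_RC2_CBC_40`, `SMIME_DES_CBC_56`, `SMIME_RC5PAD_64_16_40`, `PKCS12_RC2_CBC_40`, `PKCS12_RC4_40`, `PKCS12_DES_56`) sit next to the AES and 3DES ones with nothing telling a consumer that they are export-grade strengths. A comment such as `/* legacy export-strength; keep disabled unless interoperability requires it */` on those lines would help anyone building a cipher policy from this header. The cipher numbers are written in octal (`0011`, `0037`), which the bit-position comment depends on but never states. Also, `SMIME_LIBRARY_VERSION_1_0` expands to an unparenthesized `-0x0100`; `#define SMIME_LIBRARY_VERSION_1_0 (-0x0100)` is the safer form.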


@@ -0,0 +1,73 @@
/* -*- Mode: C; tab-width: 8 -*-*/
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _CMMFT_H_
#define _CMMFT_H_
#include "secasn1.h"
/*
* These are the enumerations used to distinguish between the different
* choices available for the CMMFCertOrEncCert structure.
*/
typedef enum {
cmmfNoCertOrEncCert = 0,
cmmfCertificate = 1,
cmmfEncryptedCert = 2
} CMMFCertOrEncCertChoice;
/*
* This is the enumeration and the corresponding values used to
* represent the CMMF type PKIStatus
*/
typedef enum {
cmmfNoPKIStatus = -1,
cmmfGranted = 0,
cmmfGrantedWithMods = 1,
cmmfRejection = 2,
cmmfWaiting = 3,
cmmfRevocationWarning = 4,
cmmfRevocationNotification = 5,
cmmfKeyUpdateWarning = 6,
cmmfNumPKIStatus
} CMMFPKIStatus;
/*
* These enumerations are used to represent the corresponding values
* in PKIFailureInfo defined in CMMF.
*/
typedef enum {
cmmfBadAlg = 0,
cmmfBadMessageCheck = 1,
cmmfBadRequest = 2,
cmmfBadTime = 3,
cmmfBadCertId = 4,
cmmfBadDataFormat = 5,
cmmfWrongAuthority = 6,
cmmfIncorrectData = 7,
cmmfMissingTimeStamp = 8,
cmmfNoFailureInfo = 9
} CMMFPKIFailureInfo;
typedef struct CMMFPKIStatusInfoStr CMMFPKIStatusInfo;
typedef struct CMMFCertOrEncCertStr CMMFCertOrEncCert;
typedef struct CMMFCertifiedKeyPairStr CMMFCertifiedKeyPair;
typedef struct CMMFCertResponseStr CMMFCertResponse;
typedef struct CMMFCertResponseSeqStr CMMFCertResponseSeq;
typedef struct CMMFPOPODecKeyChallContentStr CMMFPOPODecKeyChallContent;
typedef struct CMMFChallengeStr CMMFChallenge;
typedef struct CMMFRandStr CMMFRand;
typedef struct CMMFPOPODecKeyRespContentStr CMMFPOPODecKeyRespContent;
typedef struct CMMFKeyRecRepContentStr CMMFKeyRecRepContent;
typedef struct CMMFCertRepContentStr CMMFCertRepContent;
/* Export this so people can call SEC_ASN1EncodeItem instead of having to
* write callbacks that are passed in to the high level encode function
* for CMMFCertRepContent.
*/
extern const SEC_ASN1Template CMMFCertRepContentTemplate[];
extern const SEC_ASN1Template CMMFPOPODecKeyChallContentTemplate[];
#endif /*_CMMFT_H_*/


@@ -0,0 +1,27 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _CMSRECLIST_H
#define _CMSRECLIST_H
struct NSSCMSRecipientStr {
int riIndex; /* this recipient's index in recipientInfo array */
int subIndex; /* index into recipientEncryptedKeys */
/* (only in NSSCMSKeyAgreeRecipientInfoStr) */
enum { RLIssuerSN = 0,
RLSubjKeyID = 1 } kind; /* for conversion recipientinfos -> recipientlist */
union {
CERTIssuerAndSN* issuerAndSN;
SECItem* subjectKeyID;
} id;
/* result data (filled out for each recipient that's us) */
CERTCertificate* cert;
SECKEYPrivateKey* privkey;
PK11SlotInfo* slot;
};
typedef struct NSSCMSRecipientStr NSSCMSRecipient;
#endif /* _CMSRECLIST_H */
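Review bot: `struct NSSCMSRecipientStr` uses `CERTIssuerAndSN`, `SECItem`, `CERTCertificate`, `SECKEYPrivateKey` and `PK11SlotInfo`, but the header includes nothing, so it compiles only when the including file has already pulled in the right headers in the right order. The result fields `cert`, `privkey` and `slot` also carry no ownership note. Since `privkey` is a private-key handle, I would extend the existing comment to `/* result data (filled out for each recipient that's us); TODO: state which side releases cert/privkey/slot */` and fill it in from the code that populates the list, which is not visible here.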


@@ -0,0 +1,491 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* Header for CMS types.
*/
#ifndef _CMST_H_
#define _CMST_H_
#include "seccomon.h"
#include "secoidt.h"
#include "certt.h"
#include "secmodt.h"
#include "secmodt.h"
#include "plarena.h"
/* Non-opaque objects. NOTE, though: I want them to be treated as
* opaque as much as possible. If I could hide them completely,
* I would. (I tried, but ran into trouble that was taking me too
* much time to get out of.) I still intend to try to do so.
* In fact, the only type that "outsiders" should even *name* is
* NSSCMSMessage, and they should not reference its fields.
*/
/* rjr: PKCS #11 cert handling (pk11cert.c) does use NSSCMSRecipientInfo's.
* This is because when we search the recipient list for the cert and key we
* want, we need to invert the order of the loops we used to have. The old
* loops were:
*
* For each recipient {
* find_cert = PK11_Find_AllCert(recipient->issuerSN);
* [which unrolls to... ]
* For each slot {
* Log into slot;
* search slot for cert;
* }
* }
*
* the new loop searchs all the recipients at once on a slot. this allows
* PKCS #11 to order slots in such a way that logout slots don't get checked
* if we can find the cert on a logged in slot. This eliminates lots of
* spurious password prompts when smart cards are installed... so why this
* comment? If you make NSSCMSRecipientInfo completely opaque, you need
* to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs
* and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11
* function.
*/
typedef struct NSSCMSMessageStr NSSCMSMessage;
typedef union NSSCMSContentUnion NSSCMSContent;
typedef struct NSSCMSContentInfoStr NSSCMSContentInfo;
typedef struct NSSCMSSignedDataStr NSSCMSSignedData;
typedef struct NSSCMSSignerInfoStr NSSCMSSignerInfo;
typedef struct NSSCMSSignerIdentifierStr NSSCMSSignerIdentifier;
typedef struct NSSCMSEnvelopedDataStr NSSCMSEnvelopedData;
typedef struct NSSCMSOriginatorInfoStr NSSCMSOriginatorInfo;
typedef struct NSSCMSRecipientInfoStr NSSCMSRecipientInfo;
typedef struct NSSCMSDigestedDataStr NSSCMSDigestedData;
typedef struct NSSCMSEncryptedDataStr NSSCMSEncryptedData;
typedef struct NSSCMSGenericWrapperDataStr NSSCMSGenericWrapperData;
typedef struct NSSCMSAttributeStr NSSCMSAttribute;
typedef struct NSSCMSDecoderContextStr NSSCMSDecoderContext;
typedef struct NSSCMSEncoderContextStr NSSCMSEncoderContext;
typedef struct NSSCMSCipherContextStr NSSCMSCipherContext;
typedef struct NSSCMSDigestContextStr NSSCMSDigestContext;
typedef struct NSSCMSContentInfoPrivateStr NSSCMSContentInfoPrivate;
typedef SECStatus (*NSSCMSGenericWrapperDataCallback)(NSSCMSGenericWrapperData *);
typedef void (*NSSCMSGenericWrapperDataDestroy)(NSSCMSGenericWrapperData *);
extern const SEC_ASN1Template NSSCMSGenericWrapperDataTemplate[];
extern const SEC_ASN1Template NSS_PointerToCMSGenericWrapperDataTemplate[];
SEC_ASN1_CHOOSER_DECLARE(NSS_PointerToCMSGenericWrapperDataTemplate)
SEC_ASN1_CHOOSER_DECLARE(NSSCMSGenericWrapperDataTemplate)
/*
* Type of function passed to NSSCMSDecode or NSSCMSDecoderStart.
* If specified, this is where the content bytes (only) will be "sent"
* as they are recovered during the decoding.
* And:
* Type of function passed to NSSCMSEncode or NSSCMSEncoderStart.
* This is where the DER-encoded bytes will be "sent".
*
* XXX Should just combine this with NSSCMSEncoderContentCallback type
* and use a simpler, common name.
*/
typedef void (*NSSCMSContentCallback)(void *arg, const char *buf, unsigned long len);
/*
* Type of function passed to NSSCMSDecode or NSSCMSDecoderStart
* to retrieve the decryption key. This function is intended to be
* used for EncryptedData content info's which do not have a key available
* in a certificate, etc.
*/
typedef PK11SymKey *(*NSSCMSGetDecryptKeyCallback)(void *arg, SECAlgorithmID *algid);
/* =============================================================================
* ENCAPSULATED CONTENTINFO & CONTENTINFO
*/
union NSSCMSContentUnion {
/* either unstructured */
SECItem *data;
/* or structured data */
NSSCMSDigestedData *digestedData;
NSSCMSEncryptedData *encryptedData;
NSSCMSEnvelopedData *envelopedData;
NSSCMSSignedData *signedData;
NSSCMSGenericWrapperData *genericData;
/* or anonymous pointer to something */
void *pointer;
};
struct NSSCMSContentInfoStr {
SECItem contentType;
NSSCMSContent content;
/* --------- local; not part of encoding --------- */
SECOidData *contentTypeTag;
/* additional info for encryptedData and envelopedData */
/* we waste this space for signedData and digestedData. sue me. */
SECAlgorithmID contentEncAlg;
SECItem *rawContent; /* encrypted DER, optional */
/* XXXX bytes not encrypted, but encoded? */
/* --------- local; not part of encoding --------- */
PK11SymKey *bulkkey; /* bulk encryption key */
int keysize; /* size of bulk encryption key
* (only used by creation code) */
SECOidTag contentEncAlgTag; /* oid tag of encryption algorithm
* (only used by creation code) */
NSSCMSContentInfoPrivate *privateInfo; /* place for NSS private info */
void *reserved; /* keep binary compatibility */
};
/* =============================================================================
* MESSAGE
*/
struct NSSCMSMessageStr {
NSSCMSContentInfo contentInfo; /* "outer" cinfo */
/* --------- local; not part of encoding --------- */
PLArenaPool *poolp;
PRBool poolp_is_ours;
int refCount;
/* properties of the "inner" data */
SECAlgorithmID **detached_digestalgs;
SECItem **detached_digests;
void *pwfn_arg;
NSSCMSGetDecryptKeyCallback decrypt_key_cb;
void *decrypt_key_cb_arg;
};
/* ============================================================================
* GENERIC WRAPPER
*
* used for user defined types.
*/
struct NSSCMSGenericWrapperDataStr {
NSSCMSContentInfo contentInfo;
/* ---- local; not part of encoding ------ */
NSSCMSMessage *cmsg;
/* wrapperspecific data starts here */
};
/* =============================================================================
* SIGNEDDATA
*/
struct NSSCMSSignedDataStr {
SECItem version;
SECAlgorithmID **digestAlgorithms;
NSSCMSContentInfo contentInfo;
SECItem **rawCerts;
CERTSignedCrl **crls;
NSSCMSSignerInfo **signerInfos;
/* --------- local; not part of encoding --------- */
NSSCMSMessage *cmsg; /* back pointer to message */
SECItem **digests;
CERTCertificate **certs;
CERTCertificateList **certLists;
CERTCertificate **tempCerts; /* temporary certs, needed
* for example for signature
* verification */
};
#define NSS_CMS_SIGNED_DATA_VERSION_BASIC 1 /* what we *create* */
#define NSS_CMS_SIGNED_DATA_VERSION_EXT 3 /* what we *create* */
typedef enum {
NSSCMSVS_Unverified = 0,
NSSCMSVS_GoodSignature = 1,
NSSCMSVS_BadSignature = 2,
NSSCMSVS_DigestMismatch = 3,
NSSCMSVS_SigningCertNotFound = 4,
NSSCMSVS_SigningCertNotTrusted = 5,
NSSCMSVS_SignatureAlgorithmUnknown = 6,
NSSCMSVS_SignatureAlgorithmUnsupported = 7,
NSSCMSVS_MalformedSignature = 8,
NSSCMSVS_ProcessingError = 9
} NSSCMSVerificationStatus;
typedef enum {
NSSCMSSignerID_IssuerSN = 0,
NSSCMSSignerID_SubjectKeyID = 1
} NSSCMSSignerIDSelector;
struct NSSCMSSignerIdentifierStr {
NSSCMSSignerIDSelector identifierType;
union {
CERTIssuerAndSN *issuerAndSN;
SECItem *subjectKeyID;
} id;
};
struct NSSCMSSignerInfoStr {
SECItem version;
NSSCMSSignerIdentifier signerIdentifier;
SECAlgorithmID digestAlg;
NSSCMSAttribute **authAttr;
SECAlgorithmID digestEncAlg;
SECItem encDigest;
NSSCMSAttribute **unAuthAttr;
/* --------- local; not part of encoding --------- */
NSSCMSMessage *cmsg; /* back pointer to message */
CERTCertificate *cert;
CERTCertificateList *certList;
PRTime signingTime;
NSSCMSVerificationStatus verificationStatus;
SECKEYPrivateKey *signingKey; /* Used if we're using subjKeyID*/
SECKEYPublicKey *pubKey;
};
#define NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN 1 /* what we *create* */
#define NSS_CMS_SIGNER_INFO_VERSION_SUBJKEY 3 /* what we *create* */
typedef enum {
NSSCMSCM_None = 0,
NSSCMSCM_CertOnly = 1,
NSSCMSCM_CertChain = 2,
NSSCMSCM_CertChainWithRoot = 3
} NSSCMSCertChainMode;
/* =============================================================================
* ENVELOPED DATA
*/
struct NSSCMSEnvelopedDataStr {
SECItem version;
NSSCMSOriginatorInfo *originatorInfo; /* optional */
NSSCMSRecipientInfo **recipientInfos;
NSSCMSContentInfo contentInfo;
NSSCMSAttribute **unprotectedAttr;
/* --------- local; not part of encoding --------- */
NSSCMSMessage *cmsg; /* back pointer to message */
};
#define NSS_CMS_ENVELOPED_DATA_VERSION_REG 0 /* what we *create* */
#define NSS_CMS_ENVELOPED_DATA_VERSION_ADV 2 /* what we *create* */
struct NSSCMSOriginatorInfoStr {
SECItem **rawCerts;
CERTSignedCrl **crls;
/* --------- local; not part of encoding --------- */
CERTCertificate **certs;
};
/* -----------------------------------------------------------------------------
* key transport recipient info
*/
typedef enum {
NSSCMSRecipientID_IssuerSN = 0,
NSSCMSRecipientID_SubjectKeyID = 1,
NSSCMSRecipientID_BrandNew = 2
} NSSCMSRecipientIDSelector;
struct NSSCMSRecipientIdentifierStr {
NSSCMSRecipientIDSelector identifierType;
union {
CERTIssuerAndSN *issuerAndSN;
SECItem *subjectKeyID;
} id;
};
typedef struct NSSCMSRecipientIdentifierStr NSSCMSRecipientIdentifier;
struct NSSCMSKeyTransRecipientInfoStr {
SECItem version;
NSSCMSRecipientIdentifier recipientIdentifier;
SECAlgorithmID keyEncAlg;
SECItem encKey;
};
typedef struct NSSCMSKeyTransRecipientInfoStr NSSCMSKeyTransRecipientInfo;
/*
* View comments before NSSCMSRecipientInfoStr for purpose of this
* structure.
*/
struct NSSCMSKeyTransRecipientInfoExStr {
NSSCMSKeyTransRecipientInfo recipientInfo;
int version; /* version of this structure (0) */
SECKEYPublicKey *pubKey;
};
typedef struct NSSCMSKeyTransRecipientInfoExStr NSSCMSKeyTransRecipientInfoEx;
#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN 0 /* what we *create* */
#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY 2 /* what we *create* */
/* -----------------------------------------------------------------------------
* key agreement recipient info
*/
struct NSSCMSOriginatorPublicKeyStr {
SECAlgorithmID algorithmIdentifier;
SECItem publicKey; /* bit string! */
};
typedef struct NSSCMSOriginatorPublicKeyStr NSSCMSOriginatorPublicKey;
typedef enum {
NSSCMSOriginatorIDOrKey_IssuerSN = 0,
NSSCMSOriginatorIDOrKey_SubjectKeyID = 1,
NSSCMSOriginatorIDOrKey_OriginatorPublicKey = 2
} NSSCMSOriginatorIDOrKeySelector;
struct NSSCMSOriginatorIdentifierOrKeyStr {
NSSCMSOriginatorIDOrKeySelector identifierType;
union {
CERTIssuerAndSN *issuerAndSN; /* static-static */
SECItem *subjectKeyID; /* static-static */
NSSCMSOriginatorPublicKey originatorPublicKey; /* ephemeral-static */
} id;
};
typedef struct NSSCMSOriginatorIdentifierOrKeyStr NSSCMSOriginatorIdentifierOrKey;
struct NSSCMSRecipientKeyIdentifierStr {
SECItem *subjectKeyIdentifier;
SECItem *date; /* optional */
SECItem *other; /* optional */
};
typedef struct NSSCMSRecipientKeyIdentifierStr NSSCMSRecipientKeyIdentifier;
typedef enum {
NSSCMSKeyAgreeRecipientID_IssuerSN = 0,
NSSCMSKeyAgreeRecipientID_RKeyID = 1
} NSSCMSKeyAgreeRecipientIDSelector;
struct NSSCMSKeyAgreeRecipientIdentifierStr {
NSSCMSKeyAgreeRecipientIDSelector identifierType;
union {
CERTIssuerAndSN *issuerAndSN;
NSSCMSRecipientKeyIdentifier recipientKeyIdentifier;
} id;
};
typedef struct NSSCMSKeyAgreeRecipientIdentifierStr NSSCMSKeyAgreeRecipientIdentifier;
struct NSSCMSRecipientEncryptedKeyStr {
NSSCMSKeyAgreeRecipientIdentifier recipientIdentifier;
SECItem encKey;
};
typedef struct NSSCMSRecipientEncryptedKeyStr NSSCMSRecipientEncryptedKey;
struct NSSCMSKeyAgreeRecipientInfoStr {
SECItem version;
NSSCMSOriginatorIdentifierOrKey originatorIdentifierOrKey;
SECItem *ukm; /* optional */
SECAlgorithmID keyEncAlg;
NSSCMSRecipientEncryptedKey **recipientEncryptedKeys;
};
typedef struct NSSCMSKeyAgreeRecipientInfoStr NSSCMSKeyAgreeRecipientInfo;
#define NSS_CMS_KEYAGREE_RECIPIENT_INFO_VERSION 3 /* what we *create* */
/* -----------------------------------------------------------------------------
* KEK recipient info
*/
struct NSSCMSKEKIdentifierStr {
SECItem keyIdentifier;
SECItem *date; /* optional */
SECItem *other; /* optional */
};
typedef struct NSSCMSKEKIdentifierStr NSSCMSKEKIdentifier;
struct NSSCMSKEKRecipientInfoStr {
SECItem version;
NSSCMSKEKIdentifier kekIdentifier;
SECAlgorithmID keyEncAlg;
SECItem encKey;
};
typedef struct NSSCMSKEKRecipientInfoStr NSSCMSKEKRecipientInfo;
#define NSS_CMS_KEK_RECIPIENT_INFO_VERSION 4 /* what we *create* */
/* -----------------------------------------------------------------------------
* recipient info
*/
typedef enum {
NSSCMSRecipientInfoID_KeyTrans = 0,
NSSCMSRecipientInfoID_KeyAgree = 1,
NSSCMSRecipientInfoID_KEK = 2
} NSSCMSRecipientInfoIDSelector;
/*
* In order to preserve backwards binary compatibility when implementing
* creation of Recipient Info's that uses subjectKeyID in the
* keyTransRecipientInfo we need to stash a public key pointer in this
* structure somewhere. We figured out that NSSCMSKeyTransRecipientInfo
* is the smallest member of the ri union. We're in luck since that's
* the very structure that would need to use the public key. So we created
* a new structure NSSCMSKeyTransRecipientInfoEx which has a member
* NSSCMSKeyTransRecipientInfo as the first member followed by a version
* and a public key pointer. This way we can keep backwards compatibility
* without changing the size of this structure.
*
* BTW, size of structure:
* NSSCMSKeyTransRecipientInfo: 9 ints, 4 pointers
* NSSCMSKeyAgreeRecipientInfo: 12 ints, 8 pointers
* NSSCMSKEKRecipientInfo: 10 ints, 7 pointers
*
* The new structure:
* NSSCMSKeyTransRecipientInfoEx: sizeof(NSSCMSKeyTransRecipientInfo) +
* 1 int, 1 pointer
*/
struct NSSCMSRecipientInfoStr {
NSSCMSRecipientInfoIDSelector recipientInfoType;
union {
NSSCMSKeyTransRecipientInfo keyTransRecipientInfo;
NSSCMSKeyAgreeRecipientInfo keyAgreeRecipientInfo;
NSSCMSKEKRecipientInfo kekRecipientInfo;
NSSCMSKeyTransRecipientInfoEx keyTransRecipientInfoEx;
} ri;
/* --------- local; not part of encoding --------- */
NSSCMSMessage *cmsg; /* back pointer to message */
CERTCertificate *cert; /* recipient's certificate */
};
/* =============================================================================
* DIGESTED DATA
*/
struct NSSCMSDigestedDataStr {
SECItem version;
SECAlgorithmID digestAlg;
NSSCMSContentInfo contentInfo;
SECItem digest;
/* --------- local; not part of encoding --------- */
NSSCMSMessage *cmsg; /* back pointer */
SECItem cdigest; /* calculated digest */
};
#define NSS_CMS_DIGESTED_DATA_VERSION_DATA 0 /* what we *create* */
#define NSS_CMS_DIGESTED_DATA_VERSION_ENCAP 2 /* what we *create* */
/* =============================================================================
* ENCRYPTED DATA
*/
struct NSSCMSEncryptedDataStr {
SECItem version;
NSSCMSContentInfo contentInfo;
NSSCMSAttribute **unprotectedAttr; /* optional */
/* --------- local; not part of encoding --------- */
NSSCMSMessage *cmsg; /* back pointer */
};
#define NSS_CMS_ENCRYPTED_DATA_VERSION 0 /* what we *create* */
#define NSS_CMS_ENCRYPTED_DATA_VERSION_UPATTR 2 /* what we *create* */
/*
* *****************************************************************************
* *****************************************************************************
* *****************************************************************************
*/
/*
* See comment above about this type not really belonging to CMS.
*/
struct NSSCMSAttributeStr {
/* The following fields make up an encoded Attribute: */
SECItem type;
SECItem **values; /* data may or may not be encoded */
/* The following fields are not part of an encoded Attribute: */
SECOidData *typeTag;
PRBool encoded; /* when true, values are encoded */
};
#endif /* _CMST_H_ */



@@ -0,0 +1,186 @@
/* -*- Mode: C; tab-width: 8 -*-*/
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* Header file with all of the structures and types that will be exported
* by the security library for implementation of CRMF.
*/
#ifndef _CRMFT_H_
#define _CRMFT_H_
/* Use these enumerated values for adding fields to the certificate request */
typedef enum {
crmfVersion = 0,
crmfSerialNumber = 1,
crmfSigningAlg = 2,
crmfIssuer = 3,
crmfValidity = 4,
crmfSubject = 5,
crmfPublicKey = 6,
crmfIssuerUID = 7,
crmfSubjectUID = 8,
crmfExtension = 9
} CRMFCertTemplateField;
/*
* An enumeration for the different types of controls.
*/
typedef enum {
crmfNoControl = 0,
crmfRegTokenControl = 1,
crmfAuthenticatorControl = 2,
crmfPKIPublicationInfoControl = 3,
crmfPKIArchiveOptionsControl = 4,
crmfOldCertIDControl = 5,
crmfProtocolEncrKeyControl = 6
} CRMFControlType;
/*
* The possible values that are passed into CRMF_CreatePKIPublicationInfo
*/
typedef enum {
crmfDontPublish = 0,
crmfPleasePublish = 1
} CRMFPublicationAction;
/*
* An enumeration for the possible for pubMethod which is a part of
* the SinglePubInfo ASN1 type.
*/
typedef enum {
crmfDontCare = 0,
crmfX500 = 1,
crmfWeb = 2,
crmfLdap = 3
} CRMFPublicationMethod;
/*
* An enumeration for the different options for PKIArchiveOptions type.
*/
typedef enum {
crmfNoArchiveOptions = 0,
crmfEncryptedPrivateKey = 1,
crmfKeyGenParameters = 2,
crmfArchiveRemGenPrivKey = 3
} CRMFPKIArchiveOptionsType;
/*
* An enumeration for the different options for ProofOfPossession
*/
typedef enum {
crmfNoPOPChoice = 0,
crmfRAVerified = 1,
crmfSignature = 2,
crmfKeyEncipherment = 3,
crmfKeyAgreement = 4
} CRMFPOPChoice;
/*
* An enumertion type for options for the authInfo field of the
* CRMFPOPOSigningKeyInput structure.
*/
typedef enum {
crmfSender = 0,
crmfPublicKeyMAC = 1
} CRMFPOPOSkiInputAuthChoice;
/*
* An enumeration for the SubsequentMessage Options.
*/
typedef enum {
crmfNoSubseqMess = 0,
crmfEncrCert = 1,
crmfChallengeResp = 2
} CRMFSubseqMessOptions;
/*
* An enumeration for the choice used by POPOPrivKey.
*/
typedef enum {
crmfNoMessage = 0,
crmfThisMessage = 1,
crmfSubsequentMessage = 2,
crmfDHMAC = 3
} CRMFPOPOPrivKeyChoice;
/*
* An enumeration for the choices for the EncryptedKey type.
*/
typedef enum {
crmfNoEncryptedKeyChoice = 0,
crmfEncryptedValueChoice = 1,
crmfEnvelopedDataChoice = 2
} CRMFEncryptedKeyChoice;
/*
* TYPE: CRMFEncoderOutputCallback
* This function type defines a prototype for a function that the CRMF
* library expects when encoding is performed.
*
* ARGUMENTS:
* arg
* This will be a pointer the user passed into an encoding function.
* The user of the library is free to use this pointer in any way.
* The most common use is to keep around a buffer for writing out
* the DER encoded bytes.
* buf
* The DER encoded bytes that should be written out.
* len
* The number of DER encoded bytes to write out.
*
*/
typedef void (*CRMFEncoderOutputCallback)(void *arg,
const char *buf,
unsigned long len);
/*
* Type for the function that gets a password. Just in case we ever
* need to support publicKeyMAC for POPOSigningKeyInput
*/
typedef SECItem *(*CRMFMACPasswordCallback)(void *arg);
typedef struct CRMFOptionalValidityStr CRMFOptionalValidity;
typedef struct CRMFValidityCreationInfoStr CRMFGetValidity;
typedef struct CRMFCertTemplateStr CRMFCertTemplate;
typedef struct CRMFCertRequestStr CRMFCertRequest;
typedef struct CRMFCertReqMsgStr CRMFCertReqMsg;
typedef struct CRMFCertReqMessagesStr CRMFCertReqMessages;
typedef struct CRMFProofOfPossessionStr CRMFProofOfPossession;
typedef struct CRMFPOPOSigningKeyStr CRMFPOPOSigningKey;
typedef struct CRMFPOPOSigningKeyInputStr CRMFPOPOSigningKeyInput;
typedef struct CRMFPOPOPrivKeyStr CRMFPOPOPrivKey;
typedef struct CRMFPKIPublicationInfoStr CRMFPKIPublicationInfo;
typedef struct CRMFSinglePubInfoStr CRMFSinglePubInfo;
typedef struct CRMFPKIArchiveOptionsStr CRMFPKIArchiveOptions;
typedef struct CRMFEncryptedKeyStr CRMFEncryptedKey;
typedef struct CRMFEncryptedValueStr CRMFEncryptedValue;
typedef struct CRMFCertIDStr CRMFCertID;
typedef struct CRMFCertIDStr CRMFOldCertID;
typedef CERTSubjectPublicKeyInfo CRMFProtocolEncrKey;
typedef struct CRMFValidityCreationInfoStr CRMFValidityCreationInfo;
typedef struct CRMFCertExtCreationInfoStr CRMFCertExtCreationInfo;
typedef struct CRMFPKMACValueStr CRMFPKMACValue;
typedef struct CRMFAttributeStr CRMFAttribute;
typedef struct CRMFControlStr CRMFControl;
typedef CERTGeneralName CRMFGeneralName;
typedef struct CRMFCertExtensionStr CRMFCertExtension;
struct CRMFValidityCreationInfoStr {
PRTime *notBefore;
PRTime *notAfter;
};
struct CRMFCertExtCreationInfoStr {
CRMFCertExtension **extensions;
int numExtensions;
};
/*
* Some ASN1 Templates that may be needed.
*/
extern const SEC_ASN1Template CRMFCertReqMessagesTemplate[];
extern const SEC_ASN1Template CRMFCertRequestTemplate[];
#endif /*_CRMFT_H_*/


@@ -0,0 +1,364 @@
/*
* cryptohi.h - public prototypes for the crypto library
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _CRYPTOHI_H_
#define _CRYPTOHI_H_
#include "blapit.h"
#include "seccomon.h"
#include "secoidt.h"
#include "secdert.h"
#include "cryptoht.h"
#include "keyt.h"
#include "certt.h"
SEC_BEGIN_PROTOS
/****************************************/
/*
** DER encode/decode (EC)DSA signatures
*/
/* ANSI X9.57 defines DSA signatures as DER encoded data. Our DSA1 code (and
* most of the rest of the world) just generates 40 bytes of raw data. These
* functions convert between formats.
*/
extern SECStatus DSAU_EncodeDerSig(SECItem *dest, SECItem *src);
extern SECItem *DSAU_DecodeDerSig(const SECItem *item);
/*
* Unlike DSA1, raw DSA2 and ECDSA signatures do not have a fixed length.
* Rather they contain two integers r and s whose length depends
* on the size of q or the EC key used for signing.
*
* We can reuse the DSAU_EncodeDerSig interface to DER encode
* raw ECDSA signature keeping in mind that the length of r
* is the same as that of s and exactly half of src->len.
*
* For decoding, we need to pass the length of the desired
* raw signature (twice the key size) explicitly.
*/
extern SECStatus DSAU_EncodeDerSigWithLen(SECItem *dest, SECItem *src,
unsigned int len);
extern SECItem *DSAU_DecodeDerSigToLen(const SECItem *item, unsigned int len);
/****************************************/
/*
** Signature creation operations
*/
/*
** Create a new signature context used for signing a data stream.
** "alg" the signature algorithm to use (e.g. SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION)
** "privKey" the private key to use
*/
extern SGNContext *SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *privKey);
/*
** Destroy a signature-context object
** "cx" the object
** "freeit" if PR_TRUE then free the object as well as its sub-objects
*/
extern void SGN_DestroyContext(SGNContext *cx, PRBool freeit);
/*
** Reset the signing context "cx" to its initial state, preparing it for
** another stream of data.
*/
extern SECStatus SGN_Begin(SGNContext *cx);
/*
** Update the signing context with more data to sign.
** "cx" the context
** "input" the input data to sign
** "inputLen" the length of the input data
*/
extern SECStatus SGN_Update(SGNContext *cx, const unsigned char *input,
unsigned int inputLen);
/*
** Finish the signature process. Use either k0 or k1 to sign the data
** stream that was input using SGN_Update. The resulting signature is
** formatted using PKCS#1 and then encrypted using RSA private or public
** encryption.
** "cx" the context
** "result" the final signature data (memory is allocated)
*/
extern SECStatus SGN_End(SGNContext *cx, SECItem *result);
/*
** Sign a single block of data using private key encryption and given
** signature/hash algorithm.
** "result" the final signature data (memory is allocated)
** "buf" the input data to sign
** "len" the amount of data to sign
** "pk" the private key to encrypt with
** "algid" the signature/hash algorithm to sign with
** (must be compatible with the key type).
*/
extern SECStatus SEC_SignData(SECItem *result,
const unsigned char *buf, int len,
SECKEYPrivateKey *pk, SECOidTag algid);
/*
** Sign a pre-digested block of data using private key encryption, encoding
** The given signature/hash algorithm.
** "result" the final signature data (memory is allocated)
** "digest" the digest to sign
** "privKey" the private key to encrypt with
** "algtag" The algorithm tag to encode (need for RSA only)
*/
extern SECStatus SGN_Digest(SECKEYPrivateKey *privKey,
SECOidTag algtag, SECItem *result, SECItem *digest);
/*
** DER sign a single block of data using private key encryption and the
** MD5 hashing algorithm. This routine first computes a digital signature
** using SEC_SignData, then wraps it with an CERTSignedData and then der
** encodes the result.
** "arena" is the memory arena to use to allocate data from
** "result" the final der encoded data (memory is allocated)
** "buf" the input data to sign
** "len" the amount of data to sign
** "pk" the private key to encrypt with
*/
extern SECStatus SEC_DerSignData(PLArenaPool *arena, SECItem *result,
const unsigned char *buf, int len,
SECKEYPrivateKey *pk, SECOidTag algid);
/*
** Destroy a signed-data object.
** "sd" the object
** "freeit" if PR_TRUE then free the object as well as its sub-objects
*/
extern void SEC_DestroySignedData(CERTSignedData *sd, PRBool freeit);
/*
** Get the signature algorithm tag number for the given key type and hash
** algorithm tag. Returns SEC_OID_UNKNOWN if key type and hash algorithm
** do not match or are not supported.
*/
extern SECOidTag SEC_GetSignatureAlgorithmOidTag(KeyType keyType,
SECOidTag hashAlgTag);
/****************************************/
/*
** Signature verification operations
*/
/*
** Create a signature verification context. This version is deprecated,
** This function is deprecated. Use VFY_CreateContextDirect or
** VFY_CreateContextWithAlgorithmID instead.
** "key" the public key to verify with
** "sig" the encrypted signature data if sig is NULL then
** VFY_EndWithSignature must be called with the correct signature at
** the end of the processing.
** "sigAlg" specifies the signing algorithm to use (including the
** hash algorthim). This must match the key type.
** "wincx" void pointer to the window context
*/
extern VFYContext *VFY_CreateContext(SECKEYPublicKey *key, SECItem *sig,
SECOidTag sigAlg, void *wincx);
/*
** Create a signature verification context.
** "key" the public key to verify with
** "sig" the encrypted signature data if sig is NULL then
** VFY_EndWithSignature must be called with the correct signature at
** the end of the processing.
** "pubkAlg" specifies the cryptographic signing algorithm to use (the
** raw algorithm without any hash specified. This must match the key
** type.
** "hashAlg" specifies the hashing algorithm used. If the key is an
** RSA key, and sig is not NULL, then hashAlg can be SEC_OID_UNKNOWN.
** the hash is selected from data in the sig.
** "hash" optional pointer to return the actual hash algorithm used.
** in practice this should always match the passed in hashAlg (the
** exception is the case where hashAlg is SEC_OID_UNKNOWN above).
** If this value is NULL no, hash oid is returned.
** "wincx" void pointer to the window context
*/
extern VFYContext *VFY_CreateContextDirect(const SECKEYPublicKey *key,
const SECItem *sig,
SECOidTag pubkAlg,
SECOidTag hashAlg,
SECOidTag *hash, void *wincx);
/*
** Create a signature verification context from a algorithm ID.
** "key" the public key to verify with
** "sig" the encrypted signature data if sig is NULL then
** VFY_EndWithSignature must be called with the correct signature at
** the end of the processing.
** "algid" specifies the signing algorithm and parameters to use.
** This must match the key type.
** "hash" optional pointer to return the oid of the actual hash used in
** the signature. If this value is NULL no, hash oid is returned.
** "wincx" void pointer to the window context
*/
extern VFYContext *VFY_CreateContextWithAlgorithmID(const SECKEYPublicKey *key,
const SECItem *sig,
const SECAlgorithmID *algid,
SECOidTag *hash,
void *wincx);
/*
** Destroy a verification-context object.
** "cx" the context to destroy
** "freeit" if PR_TRUE then free the object as well as its sub-objects
*/
extern void VFY_DestroyContext(VFYContext *cx, PRBool freeit);
extern SECStatus VFY_Begin(VFYContext *cx);
/*
** Update a verification context with more input data. The input data
** is fed to a secure hash function (depending on what was in the
** encrypted signature data).
** "cx" the context
** "input" the input data
** "inputLen" the amount of input data
*/
extern SECStatus VFY_Update(VFYContext *cx, const unsigned char *input,
unsigned int inputLen);
/*
** Finish the verification process. The return value is a status which
** indicates success or failure. On success, the SECSuccess value is
** returned. Otherwise, SECFailure is returned and the error code found
** using PORT_GetError() indicates what failure occurred.
** "cx" the context
*/
extern SECStatus VFY_End(VFYContext *cx);
/*
** Finish the verification process. The return value is a status which
** indicates success or failure. On success, the SECSuccess value is
** returned. Otherwise, SECFailure is returned and the error code found
** using PORT_GetError() indicates what failure occurred. If signature is
** supplied the verification uses this signature to verify, otherwise the
** signature passed in VFY_CreateContext() is used.
** VFY_EndWithSignature(cx,NULL); is identical to VFY_End(cx);.
** "cx" the context
** "sig" the encrypted signature data
*/
extern SECStatus VFY_EndWithSignature(VFYContext *cx, SECItem *sig);
/*
** Verify the signature on a block of data for which we already have
** the digest. The signature data is an RSA private key encrypted
** block of data formatted according to PKCS#1.
** This function is deprecated. Use VFY_VerifyDigestDirect or
** VFY_VerifyDigestWithAlgorithmID instead.
** "dig" the digest
** "key" the public key to check the signature with
** "sig" the encrypted signature data
** "sigAlg" specifies the signing algorithm to use. This must match
** the key type.
** "wincx" void pointer to the window context
**/
extern SECStatus VFY_VerifyDigest(SECItem *dig, SECKEYPublicKey *key,
SECItem *sig, SECOidTag sigAlg, void *wincx);
/*
** Verify the signature on a block of data for which we already have
** the digest. The signature data is an RSA private key encrypted
** block of data formatted according to PKCS#1.
** "dig" the digest
** "key" the public key to check the signature with
** "sig" the encrypted signature data
** "pubkAlg" specifies the cryptographic signing algorithm to use (the
** raw algorithm without any hash specified. This must match the key
** type.
** "hashAlg" specifies the hashing algorithm used.
** "wincx" void pointer to the window context
**/
extern SECStatus VFY_VerifyDigestDirect(const SECItem *dig,
const SECKEYPublicKey *key,
const SECItem *sig, SECOidTag pubkAlg,
SECOidTag hashAlg, void *wincx);
/*
** Verify the signature on a block of data for which we already have
** the digest. The signature data is an RSA private key encrypted
** block of data formatted according to PKCS#1.
** "key" the public key to verify with
** "sig" the encrypted signature data if sig is NULL then
** VFY_EndWithSignature must be called with the correct signature at
** the end of the processing.
** "algid" specifies the signing algorithm and parameters to use.
** This must match the key type.
** "hash" oid of the actual hash used to create digest. If this value is
** not set to SEC_OID_UNKNOWN, it must match the hash of the signature.
** "wincx" void pointer to the window context
*/
extern SECStatus VFY_VerifyDigestWithAlgorithmID(const SECItem *dig,
const SECKEYPublicKey *key, const SECItem *sig,
const SECAlgorithmID *algid, SECOidTag hash,
void *wincx);
/*
** Verify the signature on a block of data. The signature data is an RSA
** private key encrypted block of data formatted according to PKCS#1.
** This function is deprecated. Use VFY_VerifyDataDirect or
** VFY_VerifyDataWithAlgorithmID instead.
** "buf" the input data
** "len" the length of the input data
** "key" the public key to check the signature with
** "sig" the encrypted signature data
** "sigAlg" specifies the signing algorithm to use. This must match
** the key type.
** "wincx" void pointer to the window context
*/
extern SECStatus VFY_VerifyData(const unsigned char *buf, int len,
const SECKEYPublicKey *key, const SECItem *sig,
SECOidTag sigAlg, void *wincx);
/*
** Verify the signature on a block of data. The signature data is an RSA
** private key encrypted block of data formatted according to PKCS#1.
** "buf" the input data
** "len" the length of the input data
** "key" the public key to check the signature with
** "sig" the encrypted signature data
** "pubkAlg" specifies the cryptographic signing algorithm to use (the
** raw algorithm without any hash specified. This must match the key
** type.
** "hashAlg" specifies the hashing algorithm used. If the key is an
** RSA key, and sig is not NULL, then hashAlg can be SEC_OID_UNKNOWN.
** the hash is selected from data in the sig.
** "hash" optional pointer to return the actual hash algorithm used.
** in practice this should always match the passed in hashAlg (the
** exception is the case where hashAlg is SEC_OID_UNKNOWN above).
** If this value is NULL no, hash oid is returned.
** "wincx" void pointer to the window context
*/
extern SECStatus VFY_VerifyDataDirect(const unsigned char *buf, int len,
const SECKEYPublicKey *key,
const SECItem *sig,
SECOidTag pubkAlg, SECOidTag hashAlg,
SECOidTag *hash, void *wincx);
/*
** Verify the signature on a block of data. The signature data is an RSA
** private key encrypted block of data formatted according to PKCS#1.
** "buf" the input data
** "len" the length of the input data
** "key" the public key to check the signature with
** "sig" the encrypted signature data
** "algid" specifies the signing algorithm and parameters to use.
** This must match the key type.
** "hash" optional pointer to return the oid of the actual hash used in
** the signature. If this value is NULL no, hash oid is returned.
** "wincx" void pointer to the window context
*/
extern SECStatus VFY_VerifyDataWithAlgorithmID(const unsigned char *buf,
int len, const SECKEYPublicKey *key,
const SECItem *sig,
const SECAlgorithmID *algid, SECOidTag *hash,
void *wincx);
SEC_END_PROTOS
#endif /* _CRYPTOHI_H_ */
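Review bot: The comment above `SEC_DerSignData` says the data is signed with "the MD5 hashing algorithm", but the prototype takes `SECOidTag algid` and the parameter list never describes it, so a caller reading only this header could assume the digest is fixed to MD5. I would reword the opening to `** DER sign a single block of data using private key encryption and the given signature/hash algorithm.` and add `** "algid" the signature/hash algorithm to sign with (must be compatible with the key type)`, the wording already used for `SEC_SignData`; how the implementation treats `algid` is not visible from here. Separately, the comments on `VFY_CreateContextDirect` and `VFY_VerifyDataDirect` state that with `hashAlg` set to `SEC_OID_UNKNOWN` the hash is selected from data in the signature. A sentence there telling callers that enforce a minimum hash strength to pass a non-NULL `hash` and check the returned OID would make that contract explicit.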


@@ -0,0 +1,14 @@
/*
* cryptoht.h - public data structures for the crypto library
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _CRYPTOHT_H_
#define _CRYPTOHT_H_
typedef struct SGNContextStr SGNContext;
typedef struct VFYContextStr VFYContext;
#endif /* _CRYPTOHT_H_ */


@@ -0,0 +1,15 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _FREEBL_H_
#define _FREEBL_H_
/* deprecated */
typedef enum {
ECPoint_Uncompressed,
ECPoint_XOnly,
ECPoint_Undefined
} ECPointEncoding;
#endif /* _FREEBL_H_ */


@@ -0,0 +1,167 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef __ecl_exp_h_
#define __ecl_exp_h_
/* Curve field type */
typedef enum {
ECField_GFp,
ECField_GF2m
} ECField;
/* Hexadecimal encoding of curve parameters */
struct ECCurveParamsStr {
char *text;
ECField field;
unsigned int size;
char *irr;
char *curvea;
char *curveb;
char *genx;
char *geny;
char *order;
int cofactor;
int security;
int pointSize;
unsigned int usage;
};
typedef struct ECCurveParamsStr ECCurveParams;
/* Named curve parameters */
typedef enum {
ECCurve_noName = 0,
/* NIST prime curves */
ECCurve_NIST_P192, /* not supported */
ECCurve_NIST_P224, /* not supported */
ECCurve_NIST_P256,
ECCurve_NIST_P384,
ECCurve_NIST_P521,
/* NIST binary curves */
ECCurve_NIST_K163, /* not supported */
ECCurve_NIST_B163, /* not supported */
ECCurve_NIST_K233, /* not supported */
ECCurve_NIST_B233, /* not supported */
ECCurve_NIST_K283, /* not supported */
ECCurve_NIST_B283, /* not supported */
ECCurve_NIST_K409, /* not supported */
ECCurve_NIST_B409, /* not supported */
ECCurve_NIST_K571, /* not supported */
ECCurve_NIST_B571, /* not supported */
/* ANSI X9.62 prime curves */
/* ECCurve_X9_62_PRIME_192V1 == ECCurve_NIST_P192 */
ECCurve_X9_62_PRIME_192V2, /* not supported */
ECCurve_X9_62_PRIME_192V3, /* not supported */
ECCurve_X9_62_PRIME_239V1, /* not supported */
ECCurve_X9_62_PRIME_239V2, /* not supported */
ECCurve_X9_62_PRIME_239V3, /* not supported */
/* ECCurve_X9_62_PRIME_256V1 == ECCurve_NIST_P256 */
/* ANSI X9.62 binary curves */
ECCurve_X9_62_CHAR2_PNB163V1, /* not supported */
ECCurve_X9_62_CHAR2_PNB163V2, /* not supported */
ECCurve_X9_62_CHAR2_PNB163V3, /* not supported */
ECCurve_X9_62_CHAR2_PNB176V1, /* not supported */
ECCurve_X9_62_CHAR2_TNB191V1, /* not supported */
ECCurve_X9_62_CHAR2_TNB191V2, /* not supported */
ECCurve_X9_62_CHAR2_TNB191V3, /* not supported */
ECCurve_X9_62_CHAR2_PNB208W1, /* not supported */
ECCurve_X9_62_CHAR2_TNB239V1, /* not supported */
ECCurve_X9_62_CHAR2_TNB239V2, /* not supported */
ECCurve_X9_62_CHAR2_TNB239V3, /* not supported */
ECCurve_X9_62_CHAR2_PNB272W1, /* not supported */
ECCurve_X9_62_CHAR2_PNB304W1, /* not supported */
ECCurve_X9_62_CHAR2_TNB359V1, /* not supported */
ECCurve_X9_62_CHAR2_PNB368W1, /* not supported */
ECCurve_X9_62_CHAR2_TNB431R1, /* not supported */
/* SEC2 prime curves */
ECCurve_SECG_PRIME_112R1, /* not supported */
ECCurve_SECG_PRIME_112R2, /* not supported */
ECCurve_SECG_PRIME_128R1, /* not supported */
ECCurve_SECG_PRIME_128R2, /* not supported */
ECCurve_SECG_PRIME_160K1, /* not supported */
ECCurve_SECG_PRIME_160R1, /* not supported */
ECCurve_SECG_PRIME_160R2, /* not supported */
ECCurve_SECG_PRIME_192K1, /* not supported */
/* ECCurve_SECG_PRIME_192R1 == ECCurve_NIST_P192 */
ECCurve_SECG_PRIME_224K1, /* not supported */
/* ECCurve_SECG_PRIME_224R1 == ECCurve_NIST_P224 */
ECCurve_SECG_PRIME_256K1, /* not supported */
/* ECCurve_SECG_PRIME_256R1 == ECCurve_NIST_P256 */
/* ECCurve_SECG_PRIME_384R1 == ECCurve_NIST_P384 */
/* ECCurve_SECG_PRIME_521R1 == ECCurve_NIST_P521 */
/* SEC2 binary curves */
ECCurve_SECG_CHAR2_113R1, /* not supported */
ECCurve_SECG_CHAR2_113R2, /* not supported */
ECCurve_SECG_CHAR2_131R1, /* not supported */
ECCurve_SECG_CHAR2_131R2, /* not supported */
/* ECCurve_SECG_CHAR2_163K1 == ECCurve_NIST_K163 */
ECCurve_SECG_CHAR2_163R1, /* not supported */
/* ECCurve_SECG_CHAR2_163R2 == ECCurve_NIST_B163 */
ECCurve_SECG_CHAR2_193R1, /* not supported */
ECCurve_SECG_CHAR2_193R2, /* not supported */
/* ECCurve_SECG_CHAR2_233K1 == ECCurve_NIST_K233 */
/* ECCurve_SECG_CHAR2_233R1 == ECCurve_NIST_B233 */
ECCurve_SECG_CHAR2_239K1, /* not supported */
/* ECCurve_SECG_CHAR2_283K1 == ECCurve_NIST_K283 */
/* ECCurve_SECG_CHAR2_283R1 == ECCurve_NIST_B283 */
/* ECCurve_SECG_CHAR2_409K1 == ECCurve_NIST_K409 */
/* ECCurve_SECG_CHAR2_409R1 == ECCurve_NIST_B409 */
/* ECCurve_SECG_CHAR2_571K1 == ECCurve_NIST_K571 */
/* ECCurve_SECG_CHAR2_571R1 == ECCurve_NIST_B571 */
/* WTLS curves */
ECCurve_WTLS_1, /* not supported */
/* there is no WTLS 2 curve */
/* ECCurve_WTLS_3 == ECCurve_NIST_K163 */
/* ECCurve_WTLS_4 == ECCurve_SECG_CHAR2_113R1 */
/* ECCurve_WTLS_5 == ECCurve_X9_62_CHAR2_PNB163V1 */
/* ECCurve_WTLS_6 == ECCurve_SECG_PRIME_112R1 */
/* ECCurve_WTLS_7 == ECCurve_SECG_PRIME_160R1 */
ECCurve_WTLS_8, /* not supported */
ECCurve_WTLS_9, /* not supported */
/* ECCurve_WTLS_10 == ECCurve_NIST_K233 */
/* ECCurve_WTLS_11 == ECCurve_NIST_B233 */
/* ECCurve_WTLS_12 == ECCurve_NIST_P224 */
ECCurve25519,
ECCurve_pastLastCurve
} ECCurveName;
/* Aliased named curves */
#define ECCurve_X9_62_PRIME_192V1 ECCurve_NIST_P192 /* not supported */
#define ECCurve_X9_62_PRIME_256V1 ECCurve_NIST_P256
#define ECCurve_SECG_PRIME_192R1 ECCurve_NIST_P192 /* not supported */
#define ECCurve_SECG_PRIME_224R1 ECCurve_NIST_P224 /* not supported */
#define ECCurve_SECG_PRIME_256R1 ECCurve_NIST_P256
#define ECCurve_SECG_PRIME_384R1 ECCurve_NIST_P384
#define ECCurve_SECG_PRIME_521R1 ECCurve_NIST_P521
#define ECCurve_SECG_CHAR2_163K1 ECCurve_NIST_K163 /* not supported */
#define ECCurve_SECG_CHAR2_163R2 ECCurve_NIST_B163 /* not supported */
#define ECCurve_SECG_CHAR2_233K1 ECCurve_NIST_K233 /* not supported */
#define ECCurve_SECG_CHAR2_233R1 ECCurve_NIST_B233 /* not supported */
#define ECCurve_SECG_CHAR2_283K1 ECCurve_NIST_K283 /* not supported */
#define ECCurve_SECG_CHAR2_283R1 ECCurve_NIST_B283 /* not supported */
#define ECCurve_SECG_CHAR2_409K1 ECCurve_NIST_K409 /* not supported */
#define ECCurve_SECG_CHAR2_409R1 ECCurve_NIST_B409 /* not supported */
#define ECCurve_SECG_CHAR2_571K1 ECCurve_NIST_K571 /* not supported */
#define ECCurve_SECG_CHAR2_571R1 ECCurve_NIST_B571 /* not supported */
#define ECCurve_WTLS_3 ECCurve_NIST_K163 /* not supported */
#define ECCurve_WTLS_4 ECCurve_SECG_CHAR2_113R1 /* not supported */
#define ECCurve_WTLS_5 ECCurve_X9_62_CHAR2_PNB163V1 /* not supported */
#define ECCurve_WTLS_6 ECCurve_SECG_PRIME_112R1 /* not supported */
#define ECCurve_WTLS_7 ECCurve_SECG_PRIME_160R1 /* not supported */
#define ECCurve_WTLS_10 ECCurve_NIST_K233 /* not supported */
#define ECCurve_WTLS_11 ECCurve_NIST_B233 /* not supported */
#define ECCurve_WTLS_12 ECCurve_NIST_P224 /* not supported */
#endif /* __ecl_exp_h_ */


@@ -0,0 +1,63 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _HASHT_H_
#define _HASHT_H_
#include "prtypes.h"
/* Opaque objects */
typedef struct SECHashObjectStr SECHashObject;
typedef struct HASHContextStr HASHContext;
/*
* The hash functions the security library supports
* NOTE the order must match the definition of SECHashObjects[]!
*/
typedef enum {
HASH_AlgNULL = 0,
HASH_AlgMD2 = 1,
HASH_AlgMD5 = 2,
HASH_AlgSHA1 = 3,
HASH_AlgSHA256 = 4,
HASH_AlgSHA384 = 5,
HASH_AlgSHA512 = 6,
HASH_AlgSHA224 = 7,
HASH_AlgTOTAL
} HASH_HashType;
/*
* Number of bytes each hash algorithm produces
*/
#define MD2_LENGTH 16
#define MD5_LENGTH 16
#define SHA1_LENGTH 20
#define SHA224_LENGTH 28
#define SHA256_LENGTH 32
#define SHA384_LENGTH 48
#define SHA512_LENGTH 64
#define HASH_LENGTH_MAX SHA512_LENGTH
/*
* Structure to hold hash computation info and routines
*/
struct SECHashObjectStr {
unsigned int length; /* hash output length (in bytes) */
void *(*create)(void);
void *(*clone)(void *);
void (*destroy)(void *, PRBool);
void (*begin)(void *);
void (*update)(void *, const unsigned char *, unsigned int);
void (*end)(void *, unsigned char *, unsigned int *, unsigned int);
unsigned int blocklength; /* hash input block size (in bytes) */
HASH_HashType type;
void (*end_raw)(void *, unsigned char *, unsigned int *, unsigned int);
};
struct HASHContextStr {
const struct SECHashObjectStr *hashobj;
void *hash_context;
};
#endif /* _HASHT_H_ */
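Review bot: The `end` and `end_raw` members of `SECHashObjectStr` declare their arguments without names, so the header does not say which `unsigned int` is the output capacity and which pointer receives the written length, nor how `end_raw` differs from `end`. Naming the parameters would make the bounds contract visible at every call site, for example `void (*end)(void *cx, unsigned char *digest, unsigned int *digest_len, unsigned int max_digest_len);`, which presumably mirrors the order documented for `HMAC_Finish` earlier in this commit; that should be confirmed against the implementations. A one-line comment on `end_raw` stating what it emits would also help, since a caller sizing a buffer below `HASH_LENGTH_MAX` relies entirely on that last argument being honoured.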


@@ -0,0 +1,77 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef __JAR_DS_h_
#define __JAR_DS_h_
/* Typedefs */
typedef struct ZZLinkStr ZZLink;
typedef struct ZZListStr ZZList;
/*
** Circular linked list. Each link contains a pointer to the object that
** is actually in the list.
*/
struct ZZLinkStr {
ZZLink *next;
ZZLink *prev;
JAR_Item *thing;
};
struct ZZListStr {
ZZLink link;
};
#define ZZ_InitList(lst) \
{ \
(lst)->link.next = &(lst)->link; \
(lst)->link.prev = &(lst)->link; \
(lst)->link.thing = 0; \
}
#define ZZ_ListEmpty(lst) ((lst)->link.next == &(lst)->link)
#define ZZ_ListHead(lst) ((lst)->link.next)
#define ZZ_ListTail(lst) ((lst)->link.prev)
#define ZZ_ListIterDone(lst, lnk) ((lnk) == &(lst)->link)
#define ZZ_AppendLink(lst, lnk) \
{ \
(lnk)->next = &(lst)->link; \
(lnk)->prev = (lst)->link.prev; \
(lst)->link.prev->next = (lnk); \
(lst)->link.prev = (lnk); \
}
#define ZZ_InsertLink(lst, lnk) \
{ \
(lnk)->next = (lst)->link.next; \
(lnk)->prev = &(lst)->link; \
(lst)->link.next->prev = (lnk); \
(lst)->link.next = (lnk); \
}
#define ZZ_RemoveLink(lnk) \
{ \
(lnk)->next->prev = (lnk)->prev; \
(lnk)->prev->next = (lnk)->next; \
(lnk)->next = 0; \
(lnk)->prev = 0; \
}
extern ZZLink *
ZZ_NewLink(JAR_Item *thing);
extern void
ZZ_DestroyLink(ZZLink *link);
extern ZZList *
ZZ_NewList(void);
extern void
ZZ_DestroyList(ZZList *list);
#endif /* __JAR_DS_h_ */
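Review bot: `ZZ_InitList`, `ZZ_AppendLink`, `ZZ_InsertLink` and `ZZ_RemoveLink` expand to a bare `{ ... }` block, so a use such as `if (x) ZZ_RemoveLink(l); else ...` does not compile, and the trailing semicolon becomes a stray empty statement everywhere else. Wrapping each body as `do { ... } while (0)` keeps them usable as single statements. `ZZ_RemoveLink` also sets `next` and `prev` to 0 after unlinking, so removing the same link a second time dereferences a null pointer; a comment such as `/* lnk must currently be on a list; a removed link must not be removed again */` would state that precondition. The header uses `JAR_Item` without declaring it, so it appears to work only when included from jar.h after that typedef.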


@@ -0,0 +1,372 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef __JAR_h_
#define __JAR_h_
/*
* In general, any functions that return pointers
* have memory owned by the caller.
*
*/
/* security includes */
#include "cert.h"
#include "hasht.h"
/* nspr 2.0 includes */
#include "prio.h"
#define ZHUGEP
#include <stdio.h>
/* various types */
typedef enum {
jarTypeMF = 2,
jarTypeSF = 3,
jarTypeMeta = 6,
jarTypePhy = 7,
jarTypeSign = 10,
jarTypeSect = 11,
jarTypeOwner = 13
} jarType;
/* void data in ZZList's contain JAR_Item type */
typedef struct JAR_Item_ {
char *pathname; /* relative. inside zip file */
jarType type; /* various types */
size_t size; /* size of data below */
void *data; /* totally opaque */
} JAR_Item;
/* hashes */
typedef enum {
jarHashNone = 0,
jarHashBad = 1,
jarHashPresent = 2
} jarHash;
typedef struct JAR_Digest_ {
jarHash md5_status;
unsigned char md5[MD5_LENGTH];
jarHash sha1_status;
unsigned char sha1[SHA1_LENGTH];
} JAR_Digest;
/* physical archive formats */
typedef enum {
jarArchGuess = 0,
jarArchNone = 1,
jarArchZip = 2,
jarArchTar = 3
} jarArch;
#include "jar-ds.h"
struct JAR_;
typedef int jar_settable_callback_fn(int status, struct JAR_ *jar,
const char *metafile, char *pathname,
char *errortext);
/* jar object */
typedef struct JAR_ {
jarArch format; /* physical archive format */
char *url; /* Where it came from */
char *filename; /* Disk location */
FILE *fp; /* For multiple extractions */
/* JAR_FILE */
/* various linked lists */
ZZList *manifest; /* Digests of MF sections */
ZZList *hashes; /* Digests of actual signed files */
ZZList *phy; /* Physical layout of JAR file */
ZZList *metainfo; /* Global metainfo */
JAR_Digest *globalmeta; /* digest of .MF global portion */
/* Below will change to a linked list to support multiple sigs */
int pkcs7; /* Enforced opaqueness */
int valid; /* PKCS7 signature validated */
ZZList *signers; /* the above, per signer */
/* Window context, very necessary for PKCS11 now */
void *mw; /* MWContext window context */
/* Signal callback function */
jar_settable_callback_fn *signal;
} JAR;
/*
* Iterator
*
* Context for iterative operations. Certain operations
* require iterating multiple linked lists because of
* multiple signers. "nextsign" is used for this purpose.
*
*/
typedef struct JAR_Context_ {
JAR *jar; /* Jar we are searching */
char *pattern; /* Regular expression */
jarType finding; /* Type of item to find */
ZZLink *next; /* Next item in find */
ZZLink *nextsign; /* Next signer, sometimes */
} JAR_Context;
typedef struct JAR_Signer_ {
int pkcs7; /* Enforced opaqueness */
int valid; /* PKCS7 signature validated */
char *owner; /* name of .RSA file */
JAR_Digest *digest; /* of .SF file */
ZZList *sf; /* Linked list of .SF file contents */
ZZList *certs; /* Signing information */
} JAR_Signer;
/* Meta informaton, or "policy", from the manifest file.
Right now just one tuple per JAR_Item. */
typedef struct JAR_Metainfo_ {
char *header;
char *info;
} JAR_Metainfo;
/* This should not be global */
typedef struct JAR_Physical_ {
unsigned char compression;
unsigned long offset;
unsigned long length;
unsigned long uncompressed_length;
#if defined(XP_UNIX) || defined(XP_BEOS)
PRUint16 mode;
#endif
} JAR_Physical;
typedef struct JAR_Cert_ {
size_t length;
void *key;
CERTCertificate *cert;
} JAR_Cert;
/* certificate stuff */
typedef enum {
jarCertCompany = 1,
jarCertCA = 2,
jarCertSerial = 3,
jarCertExpires = 4,
jarCertNickname = 5,
jarCertFinger = 6,
jarCertJavaHack = 100
} jarCert;
/* callback types */
#define JAR_CB_SIGNAL 1
/*
* This is the base for the JAR error codes. It will
* change when these are incorporated into allxpstr.c,
* but right now they won't let me put them there.
*
*/
#ifndef SEC_ERR_BASE
#define SEC_ERR_BASE (-0x2000)
#endif
#define JAR_BASE SEC_ERR_BASE + 300
/* Jar specific error definitions */
#define JAR_ERR_GENERAL (JAR_BASE + 1)
#define JAR_ERR_FNF (JAR_BASE + 2)
#define JAR_ERR_CORRUPT (JAR_BASE + 3)
#define JAR_ERR_MEMORY (JAR_BASE + 4)
#define JAR_ERR_DISK (JAR_BASE + 5)
#define JAR_ERR_ORDER (JAR_BASE + 6)
#define JAR_ERR_SIG (JAR_BASE + 7)
#define JAR_ERR_METADATA (JAR_BASE + 8)
#define JAR_ERR_ENTRY (JAR_BASE + 9)
#define JAR_ERR_HASH (JAR_BASE + 10)
#define JAR_ERR_PK7 (JAR_BASE + 11)
#define JAR_ERR_PNF (JAR_BASE + 12)
/* Function declarations */
extern JAR *JAR_new(void);
extern void PR_CALLBACK JAR_destroy(JAR *jar);
extern char *JAR_get_error(int status);
extern int JAR_set_callback(int type, JAR *jar, jar_settable_callback_fn *fn);
extern void
JAR_init_callbacks(char *(*string_cb)(int),
void *(*find_cx)(void),
void *(*init_cx)(void));
/*
* JAR_set_context
*
* PKCS11 may require a password to be entered by the user
* before any crypto routines may be called. This will require
* a window context if used from inside Mozilla.
*
* Call this routine with your context before calling
* verifying or signing. If you have no context, call with NULL
* and one will be chosen for you.
*
*/
int JAR_set_context(JAR *jar, void /*MWContext*/ *mw);
/*
* Iterative operations
*
* JAR_find sets up for repeated calls with JAR_find_next.
* I never liked findfirst and findnext, this is nicer.
*
* Pattern contains a relative pathname to match inside the
* archive. It is currently assumed to be "*".
*
* To use:
*
* JAR_Item *item;
* JAR_find (jar, "*.class", jarTypeMF);
* while (JAR_find_next (jar, &item) >= 0)
* { do stuff }
*
*/
/* Replacement functions with an external context */
extern JAR_Context *JAR_find(JAR *jar, char *pattern, jarType type);
extern int JAR_find_next(JAR_Context *ctx, JAR_Item **it);
extern void JAR_find_end(JAR_Context *ctx);
/*
* Function to parse manifest file:
*
* Many signatures may be attached to a single filename located
* inside the zip file. We only support one.
*
* Several manifests may be included in the zip file.
*
* You must pass the MANIFEST.MF file before any .SF files.
*
* Right now this returns a big ole list, privately in the jar structure.
* If you need to traverse it, use JAR_find if possible.
*
* The path is needed to determine what type of binary signature is
* being passed, though it is technically not needed for manifest files.
*
* When parsing an ASCII file, null terminate the ASCII raw_manifest
* prior to sending it, and indicate a length of 0. For binary digital
* signatures only, indicate the true length of the signature.
* (This is legacy behavior.)
*
* You may free the manifest after parsing it.
*
*/
extern int
JAR_parse_manifest(JAR *jar, char *raw_manifest, long length, const char *path,
const char *url);
/*
* Verify data (nonstreaming). The signature is actually
* checked by JAR_parse_manifest or JAR_pass_archive.
*
*/
extern JAR_Digest *PR_CALLBACK
JAR_calculate_digest(void *data, long length);
extern int PR_CALLBACK
JAR_verify_digest(JAR *jar, const char *name, JAR_Digest *dig);
extern int
JAR_digest_file(char *filename, JAR_Digest *dig);
/*
* Meta information
*
* Currently, since this call does not support passing of an owner
* (certificate, or physical name of the .sf file), it is restricted to
* returning information located in the manifest.mf file.
*
* Meta information is a name/value pair inside the archive file. Here,
* the name is passed in *header and value returned in **info.
*
* Pass a NULL as the name to retrieve metainfo from the global section.
*
* Data is returned in **info, of size *length. The return value
* will indicate if no data was found.
*
*/
extern int
JAR_get_metainfo(JAR *jar, char *name, char *header, void **info,
unsigned long *length);
extern char *JAR_get_filename(JAR *jar);
extern char *JAR_get_url(JAR *jar);
/* save the certificate with this fingerprint in persistent
storage, somewhere, for retrieval in a future session when there
is no corresponding JAR structure. */
extern int PR_CALLBACK
JAR_stash_cert(JAR *jar, long keylen, void *key);
/* retrieve a certificate presumably stashed with the above
function, but may be any certificate. Type is &CERTCertificate */
CERTCertificate *
JAR_fetch_cert(long length, void *key);
/*
* New functions to handle archives alone
* (call JAR_new beforehand)
*
* JAR_pass_archive acts much like parse_manifest. Certificates
* are returned in the JAR structure but as opaque data. When calling
* JAR_verified_extract you still need to decide which of these
* certificates to honor.
*
* Code to examine a JAR structure is in jarbert.c. You can obtain both
* a list of filenames and certificates from traversing the linked list.
*
*/
extern int
JAR_pass_archive(JAR *jar, jarArch format, char *filename, const char *url);
/*
* Same thing, but don't check signatures
*/
extern int
JAR_pass_archive_unverified(JAR *jar, jarArch format, char *filename,
const char *url);
/*
* Extracts a relative pathname from the archive and places it
* in the filename specified.
*
* Call JAR_set_nailed if you want to keep the file descriptors
* open between multiple calls to JAR_verify_extract.
*
*/
extern int
JAR_verified_extract(JAR *jar, char *path, char *outpath);
/*
* JAR_extract does no crypto checking. This can be used if you
* need to extract a manifest file or signature, etc.
*
*/
extern int
JAR_extract(JAR *jar, char *path, char *outpath);
#endif /* __JAR_h_ */
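Review bot: `JAR_BASE` is defined as `SEC_ERR_BASE + 300` without enclosing parentheses, so any use of it outside the already-parenthesised `JAR_ERR_*` macros (for example `status - JAR_BASE`) expands with the wrong precedence; `#define JAR_BASE (SEC_ERR_BASE + 300)` fixes that. Separately, `JAR_Digest` carries only MD5 and SHA-1 values, both of which are no longer collision-resistant, while `JAR_extract` and `JAR_pass_archive_unverified` are documented as doing no signature checking at all. A comment on those two declarations and on the struct, along the lines of `/* output is unauthenticated; do not treat extracted content as trusted */`, would keep callers from assuming the integrity guarantees that `JAR_verified_extract` is meant to provide.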


@@ -0,0 +1,76 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* JARFILE.H
*
* Certain constants and structures for the archive format.
*
*/
/* ZIP */
struct ZipLocal { /* 30 bytes */
char signature[4];
char word[2];
char bitflag[2];
char method[2];
char time[2];
char date[2];
char crc32[4];
char size[4];
char orglen[4];
char filename_len[2];
char extrafield_len[2];
};
struct ZipCentral { /* 46 bytes */
char signature[4];
char version_made_by[2];
char version[2];
char bitflag[2];
char method[2];
char time[2];
char date[2];
char crc32[4];
char size[4];
char orglen[4];
char filename_len[2];
char extrafield_len[2];
char commentfield_len[2];
char diskstart_number[2];
char internal_attributes[2];
char external_attributes[4];
char localhdr_offset[4];
};
struct ZipEnd { /* 22 bytes */
char signature[4];
char disk_nr[2];
char start_central_dir[2];
char total_entries_disk[2];
char total_entries_archive[2];
char central_dir_size[4];
char offset_central_dir[4];
char commentfield_len[2];
};
#define LSIG 0x04034B50l
#define CSIG 0x02014B50l
#define ESIG 0x06054B50l
/* TAR */
union TarEntry { /* 512 bytes */
struct header { /* 257 bytes */
char filename[100];
char mode[8];
char uid[8];
char gid[8];
char size[12];
char time[12];
char checksum[8];
char linkflag;
char linkname[100];
} val;
char buffer[512];
};
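Review bot: This header has no include guard, unlike the other headers added in this commit, so including it twice in one translation unit redefines `struct ZipLocal`, `struct ZipCentral`, `struct ZipEnd` and `union TarEntry`. An `#ifndef JARFILE_H_` / `#define JARFILE_H_` / `#endif` pair around the contents would fix that. The signature constants use a lowercase `l` suffix (`0x04034B50l`), which is easy to misread as a trailing digit 1; `0x04034B50L` is clearer. Every length and offset field here is raw bytes taken from the archive, so a short comment such as `/* all *_len, size and offset fields are untrusted; range-check before use */` would document the obligation on the parsing code, which is not part of this section.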


@@ -0,0 +1,12 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* This header is deprecated. Please include keyhi.h instead. */
#ifndef _KEY_H_
#define _KEY_H_
#include "keyhi.h"
#endif /* _KEY_H_ */


@@ -0,0 +1,271 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _KEYHI_H_
#define _KEYHI_H_
#include "plarena.h"
#include "seccomon.h"
#include "secoidt.h"
#include "secdert.h"
#include "keythi.h"
#include "certt.h"
/*#include "secpkcs5.h" */
SEC_BEGIN_PROTOS
/*
** Destroy a subject-public-key-info object.
*/
extern void SECKEY_DestroySubjectPublicKeyInfo(CERTSubjectPublicKeyInfo *spki);
/*
** Copy subject-public-key-info "src" to "dst". "dst" is filled in
** appropriately (memory is allocated for each of the sub objects).
*/
extern SECStatus SECKEY_CopySubjectPublicKeyInfo(PLArenaPool *arena,
CERTSubjectPublicKeyInfo *dst,
CERTSubjectPublicKeyInfo *src);
/*
** Update the PQG parameters for a cert's public key.
** Only done for DSA certs
*/
extern SECStatus
SECKEY_UpdateCertPQG(CERTCertificate *subjectCert);
/*
** Return the number of bits in the provided big integer. This assumes that the
** SECItem contains a big-endian number and counts from the first non-zero bit.
*/
extern unsigned SECKEY_BigIntegerBitLength(const SECItem *number);
/*
** Return the strength of the public key in bytes
*/
extern unsigned SECKEY_PublicKeyStrength(const SECKEYPublicKey *pubk);
/*
** Return the strength of the public key in bits
*/
extern unsigned SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk);
/*
** Return the length of the signature in bytes
*/
extern unsigned SECKEY_SignatureLen(const SECKEYPublicKey *pubk);
/*
** Make a copy of the private key "privKey"
*/
extern SECKEYPrivateKey *SECKEY_CopyPrivateKey(const SECKEYPrivateKey *privKey);
/*
** Make a copy of the public key "pubKey"
*/
extern SECKEYPublicKey *SECKEY_CopyPublicKey(const SECKEYPublicKey *pubKey);
/*
** Convert a private key "privateKey" into a public key
*/
extern SECKEYPublicKey *SECKEY_ConvertToPublicKey(SECKEYPrivateKey *privateKey);
/*
* create a new RSA key pair. The private Key is returned...
*/
SECKEYPrivateKey *SECKEY_CreateRSAPrivateKey(int keySizeInBits,
SECKEYPublicKey **pubk, void *cx);
/*
* create a new DH key pair. The private Key is returned...
*/
SECKEYPrivateKey *SECKEY_CreateDHPrivateKey(SECKEYDHParams *param,
SECKEYPublicKey **pubk, void *cx);
/*
* create a new EC key pair. The private Key is returned...
*/
SECKEYPrivateKey *SECKEY_CreateECPrivateKey(SECKEYECParams *param,
SECKEYPublicKey **pubk, void *cx);
/*
** Create a subject-public-key-info based on a public key.
*/
extern CERTSubjectPublicKeyInfo *
SECKEY_CreateSubjectPublicKeyInfo(const SECKEYPublicKey *k);
/*
** Convert a base64 ascii encoded DER public key and challenge to spki,
** and verify the signature and challenge data are correct
*/
extern CERTSubjectPublicKeyInfo *
SECKEY_ConvertAndDecodePublicKeyAndChallenge(char *pkacstr, char *challenge,
void *cx);
/*
** Encode a CERTSubjectPublicKeyInfo structure. into a
** DER encoded subject public key info.
*/
SECItem *
SECKEY_EncodeDERSubjectPublicKeyInfo(const SECKEYPublicKey *pubk);
/*
** Decode a DER encoded subject public key info into a
** CERTSubjectPublicKeyInfo structure.
*/
extern CERTSubjectPublicKeyInfo *
SECKEY_DecodeDERSubjectPublicKeyInfo(const SECItem *spkider);
/*
** Convert a base64 ascii encoded DER subject public key info to our
** internal format.
*/
extern CERTSubjectPublicKeyInfo *
SECKEY_ConvertAndDecodeSubjectPublicKeyInfo(const char *spkistr);
/*
* extract the public key from a subject Public Key info structure.
* (used by JSS).
*/
extern SECKEYPublicKey *
SECKEY_ExtractPublicKey(const CERTSubjectPublicKeyInfo *);
/*
** Destroy a private key object.
** "key" the object
*/
extern void SECKEY_DestroyPrivateKey(SECKEYPrivateKey *key);
/*
** Destroy a public key object.
** "key" the object
*/
extern void SECKEY_DestroyPublicKey(SECKEYPublicKey *key);
/* Destroy and zero out a private key info structure. for now this
* function zero's out memory allocated in an arena for the key
* since PORT_FreeArena does not currently do this.
*
* NOTE -- If a private key info is allocated in an arena, one should
* not call this function with freeit = PR_FALSE. The function should
* destroy the arena.
*/
extern void
SECKEY_DestroyPrivateKeyInfo(SECKEYPrivateKeyInfo *pvk, PRBool freeit);
/* Destroy and zero out an encrypted private key info.
*
* NOTE -- If a encrypted private key info is allocated in an arena, one should
* not call this function with freeit = PR_FALSE. The function should
* destroy the arena.
*/
extern void
SECKEY_DestroyEncryptedPrivateKeyInfo(SECKEYEncryptedPrivateKeyInfo *epki,
PRBool freeit);
/* Copy private key info structure.
* poolp is the arena into which the contents of from is to be copied.
* NULL is a valid entry.
* to is the destination private key info
* from is the source private key info
* if either from or to is NULL or an error occurs, SECFailure is
* returned. otherwise, SECSuccess is returned.
*/
extern SECStatus
SECKEY_CopyPrivateKeyInfo(PLArenaPool *poolp,
SECKEYPrivateKeyInfo *to,
const SECKEYPrivateKeyInfo *from);
extern SECStatus
SECKEY_CacheStaticFlags(SECKEYPrivateKey *key);
/* Copy encrypted private key info structure.
* poolp is the arena into which the contents of from is to be copied.
* NULL is a valid entry.
* to is the destination encrypted private key info
* from is the source encrypted private key info
* if either from or to is NULL or an error occurs, SECFailure is
* returned. otherwise, SECSuccess is returned.
*/
extern SECStatus
SECKEY_CopyEncryptedPrivateKeyInfo(PLArenaPool *poolp,
SECKEYEncryptedPrivateKeyInfo *to,
const SECKEYEncryptedPrivateKeyInfo *from);
/*
* Accessor functions for key type of public and private keys.
*/
KeyType SECKEY_GetPrivateKeyType(const SECKEYPrivateKey *privKey);
KeyType SECKEY_GetPublicKeyType(const SECKEYPublicKey *pubKey);
/*
* Creates a PublicKey from its DER encoding.
* Currently only supports RSA, DSA, and DH keys.
*/
SECKEYPublicKey *
SECKEY_ImportDERPublicKey(const SECItem *derKey, CK_KEY_TYPE type);
SECKEYPrivateKeyList *
SECKEY_NewPrivateKeyList(void);
void
SECKEY_DestroyPrivateKeyList(SECKEYPrivateKeyList *keys);
void
SECKEY_RemovePrivateKeyListNode(SECKEYPrivateKeyListNode *node);
SECStatus
SECKEY_AddPrivateKeyToListTail(SECKEYPrivateKeyList *list,
SECKEYPrivateKey *key);
#define PRIVKEY_LIST_HEAD(l) ((SECKEYPrivateKeyListNode *)PR_LIST_HEAD(&l->list))
#define PRIVKEY_LIST_NEXT(n) ((SECKEYPrivateKeyListNode *)n->links.next)
#define PRIVKEY_LIST_END(n, l) (((void *)n) == ((void *)&l->list))
SECKEYPublicKeyList *
SECKEY_NewPublicKeyList(void);
void
SECKEY_DestroyPublicKeyList(SECKEYPublicKeyList *keys);
void
SECKEY_RemovePublicKeyListNode(SECKEYPublicKeyListNode *node);
SECStatus
SECKEY_AddPublicKeyToListTail(SECKEYPublicKeyList *list,
SECKEYPublicKey *key);
#define PUBKEY_LIST_HEAD(l) ((SECKEYPublicKeyListNode *)PR_LIST_HEAD(&l->list))
#define PUBKEY_LIST_NEXT(n) ((SECKEYPublicKeyListNode *)n->links.next)
#define PUBKEY_LIST_END(n, l) (((void *)n) == ((void *)&l->list))
/*
* Length in bits of the EC's field size. This is also the length of
* the x and y coordinates of EC points, such as EC public keys and
* base points.
*
* Return 0 on failure (unknown EC domain parameters).
*/
extern int SECKEY_ECParamsToKeySize(const SECItem *params);
/*
* Length in bits of the EC base point order, usually denoted n. This
* is also the length of EC private keys and ECDSA signature components
* r and s.
*
* Return 0 on failure (unknown EC domain parameters).
*/
extern int SECKEY_ECParamsToBasePointOrderLen(const SECItem *params);
/*
* Returns the object identifier of the curve, of the provided
* elliptic curve parameters structures.
*
* Return 0 on failure (unknown EC domain parameters).
*/
SECOidTag SECKEY_GetECCOid(const SECKEYECParams *params);
SEC_END_PROTOS
#endif /* _KEYHI_H_ */
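Review bot: The list macros `PRIVKEY_LIST_HEAD`, `PRIVKEY_LIST_NEXT`, `PRIVKEY_LIST_END` and their `PUBKEY_` counterparts use their arguments unparenthesised (`&l->list`, `n->links.next`), so passing anything other than a plain identifier, such as `*listp` or a conditional expression, expands with the wrong precedence. Parenthesising each use, for example `#define PRIVKEY_LIST_HEAD(l) ((SECKEYPrivateKeyListNode *)PR_LIST_HEAD(&(l)->list))` and `#define PRIVKEY_LIST_NEXT(n) ((SECKEYPrivateKeyListNode *)(n)->links.next)`, removes that hazard. The comment on `SECKEY_ImportDERPublicKey` says only RSA, DSA and DH are supported, and it would help to state what is returned for any other `CK_KEY_TYPE` so callers check for it.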


@@ -0,0 +1,10 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _KEYT_H_
#define _KEYT_H_
#include "keythi.h"
#endif /* _KEYT_H_ */


@@ -0,0 +1,247 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _KEYTHI_H_
#define _KEYTHI_H_ 1
#include "eccutil.h"
#include "plarena.h"
#include "pkcs11t.h"
#include "secmodt.h"
#include "prclist.h"
/*
** RFC 4055 Section 1.2 specifies three different RSA key types.
**
** rsaKey maps to keys with SEC_OID_PKCS1_RSA_ENCRYPTION and can be used for
** both encryption and signatures with old (PKCS #1 v1.5) and new (PKCS #1
** v2.1) padding schemes.
**
** rsaPssKey maps to keys with SEC_OID_PKCS1_RSA_PSS_SIGNATURE and may only
** be used for signatures with PSS padding (PKCS #1 v2.1).
**
** rsaOaepKey maps to keys with SEC_OID_PKCS1_RSA_OAEP_ENCRYPTION and may only
** be used for encryption with OAEP padding (PKCS #1 v2.1).
*/
typedef enum {
nullKey = 0,
rsaKey = 1,
dsaKey = 2,
fortezzaKey = 3, /* deprecated */
dhKey = 4,
keaKey = 5, /* deprecated */
ecKey = 6,
rsaPssKey = 7,
rsaOaepKey = 8
} KeyType;
/*
** Template Definitions
**/
SEC_BEGIN_PROTOS
extern const SEC_ASN1Template SECKEY_RSAPublicKeyTemplate[];
extern const SEC_ASN1Template SECKEY_RSAPSSParamsTemplate[];
extern const SEC_ASN1Template SECKEY_DSAPublicKeyTemplate[];
extern const SEC_ASN1Template SECKEY_DHPublicKeyTemplate[];
extern const SEC_ASN1Template SECKEY_DHParamKeyTemplate[];
extern const SEC_ASN1Template SECKEY_PQGParamsTemplate[];
extern const SEC_ASN1Template SECKEY_DSAPrivateKeyExportTemplate[];
/* Windows DLL accessor functions */
SEC_ASN1_CHOOSER_DECLARE(SECKEY_DSAPublicKeyTemplate)
SEC_ASN1_CHOOSER_DECLARE(SECKEY_RSAPublicKeyTemplate)
SEC_ASN1_CHOOSER_DECLARE(SECKEY_RSAPSSParamsTemplate)
SEC_END_PROTOS
/*
** RSA Public Key structures
** member names from PKCS#1, section 7.1
*/
struct SECKEYRSAPublicKeyStr {
PLArenaPool *arena;
SECItem modulus;
SECItem publicExponent;
};
typedef struct SECKEYRSAPublicKeyStr SECKEYRSAPublicKey;
/*
** RSA-PSS parameters
*/
struct SECKEYRSAPSSParamsStr {
SECAlgorithmID *hashAlg;
SECAlgorithmID *maskAlg;
SECItem saltLength;
SECItem trailerField;
};
typedef struct SECKEYRSAPSSParamsStr SECKEYRSAPSSParams;
/*
** DSA Public Key and related structures
*/
struct SECKEYPQGParamsStr {
PLArenaPool *arena;
SECItem prime; /* p */
SECItem subPrime; /* q */
SECItem base; /* g */
/* XXX chrisk: this needs to be expanded to hold j and validationParms (RFC2459 7.3.2) */
};
typedef struct SECKEYPQGParamsStr SECKEYPQGParams;
struct SECKEYDSAPublicKeyStr {
SECKEYPQGParams params;
SECItem publicValue;
};
typedef struct SECKEYDSAPublicKeyStr SECKEYDSAPublicKey;
/*
** Diffie-Hellman Public Key structure
** Structure member names suggested by PKCS#3.
*/
struct SECKEYDHParamsStr {
PLArenaPool *arena;
SECItem prime; /* p */
SECItem base; /* g */
};
typedef struct SECKEYDHParamsStr SECKEYDHParams;
struct SECKEYDHPublicKeyStr {
PLArenaPool *arena;
SECItem prime;
SECItem base;
SECItem publicValue;
};
typedef struct SECKEYDHPublicKeyStr SECKEYDHPublicKey;
/*
** Elliptic curve Public Key structure
** The PKCS#11 layer needs DER encoding of ANSI X9.62
** parameters value
*/
typedef SECItem SECKEYECParams;
struct SECKEYECPublicKeyStr {
SECKEYECParams DEREncodedParams;
int size; /* size in bits */
SECItem publicValue; /* encoded point */
ECPointEncoding encoding; /* deprecated, ignored */
};
typedef struct SECKEYECPublicKeyStr SECKEYECPublicKey;
/*
** FORTEZZA Public Key structures
*/
struct SECKEYFortezzaPublicKeyStr {
int KEAversion;
int DSSversion;
unsigned char KMID[8];
SECItem clearance;
SECItem KEApriviledge;
SECItem DSSpriviledge;
SECItem KEAKey;
SECItem DSSKey;
SECKEYPQGParams params;
SECKEYPQGParams keaParams;
};
typedef struct SECKEYFortezzaPublicKeyStr SECKEYFortezzaPublicKey;
#define KEAprivilege KEApriviledge /* corrected spelling */
#define DSSprivilege DSSpriviledge /* corrected spelling */
struct SECKEYDiffPQGParamsStr {
SECKEYPQGParams DiffKEAParams;
SECKEYPQGParams DiffDSAParams;
};
typedef struct SECKEYDiffPQGParamsStr SECKEYDiffPQGParams;
struct SECKEYPQGDualParamsStr {
SECKEYPQGParams CommParams;
SECKEYDiffPQGParams DiffParams;
};
typedef struct SECKEYPQGDualParamsStr SECKEYPQGDualParams;
struct SECKEYKEAParamsStr {
PLArenaPool *arena;
SECItem hash;
};
typedef struct SECKEYKEAParamsStr SECKEYKEAParams;
struct SECKEYKEAPublicKeyStr {
SECKEYKEAParams params;
SECItem publicValue;
};
typedef struct SECKEYKEAPublicKeyStr SECKEYKEAPublicKey;
/*
** A Generic public key object.
*/
struct SECKEYPublicKeyStr {
PLArenaPool *arena;
KeyType keyType;
PK11SlotInfo *pkcs11Slot;
CK_OBJECT_HANDLE pkcs11ID;
union {
SECKEYRSAPublicKey rsa;
SECKEYDSAPublicKey dsa;
SECKEYDHPublicKey dh;
SECKEYKEAPublicKey kea;
SECKEYFortezzaPublicKey fortezza;
SECKEYECPublicKey ec;
} u;
};
typedef struct SECKEYPublicKeyStr SECKEYPublicKey;
/* bit flag definitions for staticflags */
#define SECKEY_Attributes_Cached 0x1 /* bit 0 states \
whether attributes are cached */
#define SECKEY_CKA_PRIVATE (1U << 1) /* bit 1 is the value of CKA_PRIVATE */
#define SECKEY_CKA_ALWAYS_AUTHENTICATE (1U << 2)
#define SECKEY_ATTRIBUTES_CACHED(key) \
(0 != (key->staticflags & SECKEY_Attributes_Cached))
#define SECKEY_ATTRIBUTE_VALUE(key, attribute) \
(0 != (key->staticflags & SECKEY_##attribute))
#define SECKEY_HAS_ATTRIBUTE_SET(key, attribute) \
(0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, PR_FALSE)
#define SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, attribute, haslock) \
(0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, haslock)
/*
** A generic key structure
*/
struct SECKEYPrivateKeyStr {
PLArenaPool *arena;
KeyType keyType;
PK11SlotInfo *pkcs11Slot; /* pkcs11 slot this key lives in */
CK_OBJECT_HANDLE pkcs11ID; /* ID of pkcs11 object */
PRBool pkcs11IsTemp; /* temp pkcs11 object, delete it when done */
void *wincx; /* context for errors and pw prompts */
PRUint32 staticflags; /* bit flag of cached PKCS#11 attributes */
};
typedef struct SECKEYPrivateKeyStr SECKEYPrivateKey;
typedef struct {
PRCList links;
SECKEYPrivateKey *key;
} SECKEYPrivateKeyListNode;
typedef struct {
PRCList list;
PLArenaPool *arena;
} SECKEYPrivateKeyList;
typedef struct {
PRCList links;
SECKEYPublicKey *key;
} SECKEYPublicKeyListNode;
typedef struct {
PRCList list;
PLArenaPool *arena;
} SECKEYPublicKeyList;
#endif /* _KEYTHI_H_ */
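Review bot: `SECKEY_HAS_ATTRIBUTE_SET` and `SECKEY_HAS_ATTRIBUTE_SET_LOCK` expand to a bare `cond ? a : b` with no enclosing parentheses, so writing `!SECKEY_HAS_ATTRIBUTE_SET(key, CKA_PRIVATE)` or combining the macro with `&&` or `||` binds the operator to the condition rather than to the result. Because these macros decide whether a key is treated as `CKA_PRIVATE` or `CKA_ALWAYS_AUTHENTICATE`, a misparsed expression could take the wrong authentication path. Wrapping the whole expansion in one pair of parentheses and writing `(key)->staticflags`, `(key)->pkcs11Slot` and `(key)->pkcs11ID` fixes both this and the unparenthesised `key` argument, which `SECKEY_ATTRIBUTES_CACHED` and `SECKEY_ATTRIBUTE_VALUE` share. For consistency `SECKEY_Attributes_Cached` could be written `(1U << 0)` like the two flags beside it.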


@@ -0,0 +1,71 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _LOWKEYI_H_
#define _LOWKEYI_H_
#include "prtypes.h"
#include "seccomon.h"
#include "secoidt.h"
#include "lowkeyti.h"
SEC_BEGIN_PROTOS
/*
* See bugzilla bug 125359
* Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
* all of the templates above that en/decode into integers must be converted
* from ASN.1's signed integer type. This is done by marking either the
* source or destination (encoding or decoding, respectively) type as
* siUnsignedInteger.
*/
extern void prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
extern void prepare_low_pqg_params_for_asn1(PQGParams *params);
extern void prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
extern void prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key);
extern void prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
#ifndef NSS_DISABLE_ECC
extern void prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
extern void prepare_low_ecparams_for_asn1(ECParams *params);
#endif /* NSS_DISABLE_ECC */
/*
** Destroy a private key object.
** "key" the object
** "freeit" if PR_TRUE then free the object as well as its sub-objects
*/
extern void nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *key);
/*
** Destroy a public key object.
** "key" the object
** "freeit" if PR_TRUE then free the object as well as its sub-objects
*/
extern void nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *key);
/*
** Return the modulus length of "pubKey".
*/
extern unsigned int nsslowkey_PublicModulusLen(NSSLOWKEYPublicKey *pubKey);
/*
** Return the modulus length of "privKey".
*/
extern unsigned int nsslowkey_PrivateModulusLen(NSSLOWKEYPrivateKey *privKey);
/*
** Convert a low private key "privateKey" into a public low key
*/
extern NSSLOWKEYPublicKey *
nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privateKey);
/* Make a copy of a low private key in it's own arena.
* a return of NULL indicates an error.
*/
extern NSSLOWKEYPrivateKey *
nsslowkey_CopyPrivateKey(NSSLOWKEYPrivateKey *privKey);
SEC_END_PROTOS
#endif /* _LOWKEYI_H_ */


@@ -0,0 +1,93 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _LOWKEYTI_H_
#define _LOWKEYTI_H_ 1
#include "blapit.h"
#include "prtypes.h"
#include "plarena.h"
#include "secitem.h"
#include "secasn1t.h"
#include "secoidt.h"
/*
** Typedef for callback to get a password "key".
*/
extern const SEC_ASN1Template nsslowkey_PQGParamsTemplate[];
extern const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[];
extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[];
extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[];
extern const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[];
extern const SEC_ASN1Template nsslowkey_DHPrivateKeyExportTemplate[];
#ifndef NSS_DISABLE_ECC
#define NSSLOWKEY_EC_PRIVATE_KEY_VERSION 1 /* as per SECG 1 C.4 */
extern const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[];
#endif /* NSS_DISABLE_ECC */
extern const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[];
extern const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[];
/*
* PKCS #8 attributes
*/
struct NSSLOWKEYAttributeStr {
SECItem attrType;
SECItem *attrValue;
};
typedef struct NSSLOWKEYAttributeStr NSSLOWKEYAttribute;
/*
** A PKCS#8 private key info object
*/
struct NSSLOWKEYPrivateKeyInfoStr {
PLArenaPool *arena;
SECItem version;
SECAlgorithmID algorithm;
SECItem privateKey;
NSSLOWKEYAttribute **attributes;
};
typedef struct NSSLOWKEYPrivateKeyInfoStr NSSLOWKEYPrivateKeyInfo;
#define NSSLOWKEY_PRIVATE_KEY_INFO_VERSION 0 /* what we *create* */
typedef enum {
NSSLOWKEYNullKey = 0,
NSSLOWKEYRSAKey = 1,
NSSLOWKEYDSAKey = 2,
NSSLOWKEYDHKey = 4,
NSSLOWKEYECKey = 5
} NSSLOWKEYType;
/*
** An RSA public key object.
*/
struct NSSLOWKEYPublicKeyStr {
PLArenaPool *arena;
NSSLOWKEYType keyType;
union {
RSAPublicKey rsa;
DSAPublicKey dsa;
DHPublicKey dh;
ECPublicKey ec;
} u;
};
typedef struct NSSLOWKEYPublicKeyStr NSSLOWKEYPublicKey;
/*
** Low Level private key object
** This is only used by the raw Crypto engines (crypto), keydb (keydb),
** and PKCS #11. Everyone else uses the high level key structure.
*/
struct NSSLOWKEYPrivateKeyStr {
PLArenaPool *arena;
NSSLOWKEYType keyType;
union {
RSAPrivateKey rsa;
DSAPrivateKey dsa;
DHPrivateKey dh;
ECPrivateKey ec;
} u;
};
typedef struct NSSLOWKEYPrivateKeyStr NSSLOWKEYPrivateKey;
#endif /* _LOWKEYTI_H_ */


@@ -0,0 +1,322 @@
/*
* NSS utility functions
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef __nss_h_
#define __nss_h_
/* The private macro _NSS_CUSTOMIZED is for NSS internal use only. */
#if defined(NSS_ALLOW_UNSUPPORTED_CRITICAL)
#define _NSS_CUSTOMIZED " (Customized build)"
#else
#define _NSS_CUSTOMIZED
#endif
/*
* NSS's major version, minor version, patch level, build number, and whether
* this is a beta release.
*
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define NSS_VERSION "3.28.4" _NSS_CUSTOMIZED
#define NSS_VMAJOR 3
#define NSS_VMINOR 28
#define NSS_VPATCH 4
#define NSS_VBUILD 0
#define NSS_BETA PR_FALSE
#ifndef RC_INVOKED
#include "seccomon.h"
typedef struct NSSInitParametersStr NSSInitParameters;
/*
* parameters used to initialize softoken. Mostly strings used to
* internationalize softoken. Memory for the strings are owned by the caller,
* who is free to free them once NSS_ContextInit returns. If the string
* parameter is NULL (as opposed to empty, zero length), then the softoken
* default is used. These are equivalent to the parameters for
* PK11_ConfigurePKCS11().
*
* field names match their equivalent parameter names for softoken strings
* documented at https://developer.mozilla.org/en/PKCS11_Module_Specs.
*
* minPWLen
* Minimum password length in bytes.
* manufacturerID
* Override the default manufactureID value for the module returned in
* the CK_INFO, CK_SLOT_INFO, and CK_TOKEN_INFO structures with an
* internationalize string (UTF8). This value will be truncated at 32
* bytes (not including the trailing NULL, partial UTF8 characters will be
* dropped).
* libraryDescription
* Override the default libraryDescription value for the module returned in
* the CK_INFO structure with an internationalize string (UTF8). This value
* will be truncated at 32 bytes(not including the trailing NULL, partial
* UTF8 characters will be dropped).
* cryptoTokenDescription
* Override the default label value for the internal crypto token returned
* in the CK_TOKEN_INFO structure with an internationalize string (UTF8).
* This value will be truncated at 32 bytes (not including the trailing
* NULL, partial UTF8 characters will be dropped).
* dbTokenDescription
* Override the default label value for the internal DB token returned in
* the CK_TOKEN_INFO structure with an internationalize string (UTF8). This
* value will be truncated at 32 bytes (not including the trailing NULL,
* partial UTF8 characters will be dropped).
* FIPSTokenDescription
* Override the default label value for the internal FIPS token returned in
* the CK_TOKEN_INFO structure with an internationalize string (UTF8). This
* value will be truncated at 32 bytes (not including the trailing NULL,
* partial UTF8 characters will be dropped).
* cryptoSlotDescription
* Override the default slotDescription value for the internal crypto token
* returned in the CK_SLOT_INFO structure with an internationalize string
* (UTF8). This value will be truncated at 64 bytes (not including the
* trailing NULL, partial UTF8 characters will be dropped).
* dbSlotDescription
* Override the default slotDescription value for the internal DB token
* returned in the CK_SLOT_INFO structure with an internationalize string
* (UTF8). This value will be truncated at 64 bytes (not including the
* trailing NULL, partial UTF8 characters will be dropped).
* FIPSSlotDescription
* Override the default slotDecription value for the internal FIPS token
* returned in the CK_SLOT_INFO structure with an internationalize string
* (UTF8). This value will be truncated at 64 bytes (not including the
* trailing NULL, partial UTF8 characters will be dropped).
*
*/
struct NSSInitParametersStr {
unsigned int length; /* allow this structure to grow in the future,
* must be set */
PRBool passwordRequired;
int minPWLen;
char *manufactureID; /* variable names for strings match the */
char *libraryDescription; /* parameter name in softoken */
char *cryptoTokenDescription;
char *dbTokenDescription;
char *FIPSTokenDescription;
char *cryptoSlotDescription;
char *dbSlotDescription;
char *FIPSSlotDescription;
};
SEC_BEGIN_PROTOS
/*
* Return a boolean that indicates whether the underlying library
* will perform as the caller expects.
*
* The only argument is a string, which should be the version
* identifier of the NSS library. That string will be compared
* against a string that represents the actual build version of
* the NSS library.
*/
extern PRBool NSS_VersionCheck(const char *importedVersion);
/*
* Returns a const string of the NSS library version.
*/
extern const char *NSS_GetVersion(void);
/*
* Open the Cert, Key, and Security Module databases, read only.
* Initialize the Random Number Generator.
* Does not initialize the cipher policies or enables.
* Default policy settings disallow all ciphers.
*/
extern SECStatus NSS_Init(const char *configdir);
/*
* Returns whether NSS has already been initialized or not.
*/
extern PRBool NSS_IsInitialized(void);
/*
* Open the Cert, Key, and Security Module databases, read/write.
* Initialize the Random Number Generator.
* Does not initialize the cipher policies or enables.
* Default policy settings disallow all ciphers.
*/
extern SECStatus NSS_InitReadWrite(const char *configdir);
/*
* Open the Cert, Key, and Security Module databases, read/write.
* Initialize the Random Number Generator.
* Does not initialize the cipher policies or enables.
* Default policy settings disallow all ciphers.
*
* This allows using application defined prefixes for the cert and key db's
* and an alternate name for the secmod database. NOTE: In future releases,
* the database prefixes my not necessarily map to database names.
*
* configdir - base directory where all the cert, key, and module datbases live.
* certPrefix - prefix added to the beginning of the cert database example: "
* "https-server1-"
* keyPrefix - prefix added to the beginning of the key database example: "
* "https-server1-"
* secmodName - name of the security module database (usually "secmod.db").
* flags - change the open options of NSS_Initialize as follows:
* NSS_INIT_READONLY - Open the databases read only.
* NSS_INIT_NOCERTDB - Don't open the cert DB and key DB's, just
* initialize the volatile certdb.
* NSS_INIT_NOMODDB - Don't open the security module DB, just
* initialize the PKCS #11 module.
* NSS_INIT_FORCEOPEN - Continue to force initializations even if the
* databases cannot be opened.
* NSS_INIT_NOROOTINIT - Don't try to look for the root certs module
* automatically.
* NSS_INIT_OPTIMIZESPACE - Use smaller tables and caches.
* NSS_INIT_PK11THREADSAFE - only load PKCS#11 modules that are
* thread-safe, ie. that support locking - either OS
* locking or NSS-provided locks . If a PKCS#11
* module isn't thread-safe, don't serialize its
* calls; just don't load it instead. This is necessary
* if another piece of code is using the same PKCS#11
* modules that NSS is accessing without going through
* NSS, for example the Java SunPKCS11 provider.
* NSS_INIT_PK11RELOAD - ignore the CKR_CRYPTOKI_ALREADY_INITIALIZED
* error when loading PKCS#11 modules. This is necessary
* if another piece of code is using the same PKCS#11
* modules that NSS is accessing without going through
* NSS, for example Java SunPKCS11 provider.
* NSS_INIT_NOPK11FINALIZE - never call C_Finalize on any
* PKCS#11 module. This may be necessary in order to
* ensure continuous operation and proper shutdown
* sequence if another piece of code is using the same
* PKCS#11 modules that NSS is accessing without going
* through NSS, for example Java SunPKCS11 provider.
* The following limitation applies when this is set :
* SECMOD_WaitForAnyTokenEvent will not use
* C_WaitForSlotEvent, in order to prevent the need for
* C_Finalize. This call will be emulated instead.
* NSS_INIT_RESERVED - Currently has no effect, but may be used in the
* future to trigger better cooperation between PKCS#11
* modules used by both NSS and the Java SunPKCS11
* provider. This should occur after a new flag is defined
* for C_Initialize by the PKCS#11 working group.
* NSS_INIT_COOPERATE - Sets 4 recommended options for applications that
* use both NSS and the Java SunPKCS11 provider.
*
* Also NOTE: This is not the recommended method for initializing NSS.
* The preferred method is NSS_init().
*/
#define NSS_INIT_READONLY 0x1
#define NSS_INIT_NOCERTDB 0x2
#define NSS_INIT_NOMODDB 0x4
#define NSS_INIT_FORCEOPEN 0x8
#define NSS_INIT_NOROOTINIT 0x10
#define NSS_INIT_OPTIMIZESPACE 0x20
#define NSS_INIT_PK11THREADSAFE 0x40
#define NSS_INIT_PK11RELOAD 0x80
#define NSS_INIT_NOPK11FINALIZE 0x100
#define NSS_INIT_RESERVED 0x200
#define NSS_INIT_COOPERATE NSS_INIT_PK11THREADSAFE | \
NSS_INIT_PK11RELOAD | \
NSS_INIT_NOPK11FINALIZE | \
NSS_INIT_RESERVED
#define SECMOD_DB "secmod.db"
typedef struct NSSInitContextStr NSSInitContext;
extern SECStatus NSS_Initialize(const char *configdir,
const char *certPrefix, const char *keyPrefix,
const char *secmodName, PRUint32 flags);
extern NSSInitContext *NSS_InitContext(const char *configdir,
const char *certPrefix, const char *keyPrefix,
const char *secmodName, NSSInitParameters *initParams, PRUint32 flags);
extern SECStatus NSS_ShutdownContext(NSSInitContext *);
/*
* same as NSS_Init, but checks to see if we need to merge an
* old database in.
* updatedir is the directory where the old database lives.
* updCertPrefix is the certPrefix for the old database.
* updKeyPrefix is the keyPrefix for the old database.
* updateID is a unique identifier chosen by the application for
* the specific database.
* updatName is the name the user will be prompted for when
* asking to authenticate to the old database */
extern SECStatus NSS_InitWithMerge(const char *configdir,
const char *certPrefix, const char *keyPrefix, const char *secmodName,
const char *updatedir, const char *updCertPrefix,
const char *updKeyPrefix, const char *updateID,
const char *updateName, PRUint32 flags);
/*
* initialize NSS without a creating cert db's, key db's, or secmod db's.
*/
SECStatus NSS_NoDB_Init(const char *configdir);
/*
* Allow applications and libraries to register with NSS so that they are called
* when NSS shuts down.
*
* void *appData application specific data passed in by the application at
* NSS_RegisterShutdown() time.
* void *nssData is NULL in this release, but is reserved for future versions of
* NSS to pass some future status information * back to the shutdown function.
*
* If the shutdown function returns SECFailure,
* Shutdown will still complete, but NSS_Shutdown() will return SECFailure.
*/
typedef SECStatus (*NSS_ShutdownFunc)(void *appData, void *nssData);
/*
* Register a shutdown function.
*/
SECStatus NSS_RegisterShutdown(NSS_ShutdownFunc sFunc, void *appData);
/*
* Remove an existing shutdown function (you may do this if your library is
* complete and going away, but NSS is still running).
*/
SECStatus NSS_UnregisterShutdown(NSS_ShutdownFunc sFunc, void *appData);
/* Available options for NSS_OptionSet() and NSS_OptionGet().
*/
#define NSS_RSA_MIN_KEY_SIZE 0x001
#define NSS_DH_MIN_KEY_SIZE 0x002
#define NSS_DSA_MIN_KEY_SIZE 0x004
#define NSS_TLS_VERSION_MIN_POLICY 0x008
#define NSS_TLS_VERSION_MAX_POLICY 0x009
#define NSS_DTLS_VERSION_MIN_POLICY 0x00a
#define NSS_DTLS_VERSION_MAX_POLICY 0x00b
/*
* Set and get global options for the NSS library.
*/
SECStatus NSS_OptionSet(PRInt32 which, PRInt32 value);
SECStatus NSS_OptionGet(PRInt32 which, PRInt32 *value);
/*
* Close the Cert, Key databases.
*/
extern SECStatus NSS_Shutdown(void);
/*
* set the PKCS #11 strings for the internal token.
*/
void PK11_ConfigurePKCS11(const char *man, const char *libdesc,
const char *tokdesc, const char *ptokdesc, const char *slotdesc,
const char *pslotdesc, const char *fslotdesc, const char *fpslotdesc,
int minPwd, int pwRequired);
/*
* Dump the contents of the certificate cache and the temporary cert store.
* Use to detect leaked references of certs at shutdown time.
*/
void nss_DumpCertificateCacheInfo(void);
SEC_END_PROTOS
#endif /* RC_INVOKED */
#endif /* __nss_h_ */
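Review bot: `#define NSS_VERSION "3.28.4"` near the top of this header pins the vendored NSS copy to a release line that, as far as I can tell, is several years older than this commit's 2025 date, so fixes upstream has shipped since then would be absent from the tree. The section records neither where the copy came from nor how to verify it; I would add a provenance comment beside the version macros, e.g. `/* Vendored from upstream NSS 3.28.4; source: <UPSTREAM_URL_PLACEHOLDER>; sha256: <ARCHIVE_HASH_PLACEHOLDER> */`, and list the pin in the project's dependency inventory so it is picked up by advisory tracking. Separately, `NSS_INIT_COOPERATE` expands without enclosing parentheses, so in an expression such as `flags & NSS_INIT_COOPERATE` the `&` binds to the first flag only. Callers in this repository should write `(NSS_INIT_COOPERATE)` rather than patching the vendored header.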


@@ -0,0 +1,94 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* Public prototypes for base64 encoding/decoding.
*/
#ifndef _NSSB64_H_
#define _NSSB64_H_
#include "utilrename.h"
#include "seccomon.h"
#include "nssb64t.h"
SEC_BEGIN_PROTOS
/*
* Functions to start a base64 decoding/encoding context.
*/
extern NSSBase64Decoder *
NSSBase64Decoder_Create(PRInt32 (*output_fn)(void *, const unsigned char *,
PRInt32),
void *output_arg);
extern NSSBase64Encoder *
NSSBase64Encoder_Create(PRInt32 (*output_fn)(void *, const char *, PRInt32),
void *output_arg);
/*
* Push data through the decoder/encoder, causing the output_fn (provided
* to Create) to be called with the decoded/encoded data.
*/
extern SECStatus
NSSBase64Decoder_Update(NSSBase64Decoder *data, const char *buffer,
PRUint32 size);
extern SECStatus
NSSBase64Encoder_Update(NSSBase64Encoder *data, const unsigned char *buffer,
PRUint32 size);
/*
* When you're done processing, call this to close the context.
* If "abort_p" is false, then calling this may cause the output_fn
* to be called one last time (as the last buffered data is flushed out).
*/
extern SECStatus
NSSBase64Decoder_Destroy(NSSBase64Decoder *data, PRBool abort_p);
extern SECStatus
NSSBase64Encoder_Destroy(NSSBase64Encoder *data, PRBool abort_p);
/*
* Perform base64 decoding from an ascii string "inStr" to an Item.
* The length of the input must be provided as "inLen". The Item
* may be provided (as "outItemOpt"); you can also pass in a NULL
* and the Item will be allocated for you.
*
* In any case, the data within the Item will be allocated for you.
* All allocation will happen out of the passed-in "arenaOpt", if non-NULL.
* If "arenaOpt" is NULL, standard allocation (heap) will be used and
* you will want to free the result via SECITEM_FreeItem.
*
* Return value is NULL on error, the Item (allocated or provided) otherwise.
*/
extern SECItem *
NSSBase64_DecodeBuffer(PLArenaPool *arenaOpt, SECItem *outItemOpt,
const char *inStr, unsigned int inLen);
/*
* Perform base64 encoding of binary data "inItem" to an ascii string.
* The output buffer may be provided (as "outStrOpt"); you can also pass
* in a NULL and the buffer will be allocated for you. The result will
* be null-terminated, and if the buffer is provided, "maxOutLen" must
* specify the maximum length of the buffer and will be checked to
* supply sufficient space space for the encoded result. (If "outStrOpt"
* is NULL, "maxOutLen" is ignored.)
*
* If "outStrOpt" is NULL, allocation will happen out of the passed-in
* "arenaOpt", if *it* is non-NULL, otherwise standard allocation (heap)
* will be used.
*
* Return value is NULL on error, the output buffer (allocated or provided)
* otherwise.
*/
extern char *
NSSBase64_EncodeItem(PLArenaPool *arenaOpt, char *outStrOpt,
unsigned int maxOutLen, SECItem *inItem);
SEC_END_PROTOS
#endif /* _NSSB64_H_ */


@@ -0,0 +1,15 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* Public data structures for base64 encoding/decoding.
*/
#ifndef _NSSB64T_H_
#define _NSSB64T_H_
#include "utilrename.h"
typedef struct NSSBase64DecoderStr NSSBase64Decoder;
typedef struct NSSBase64EncoderStr NSSBase64Encoder;
#endif /* _NSSB64T_H_ */


@@ -0,0 +1,233 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef NSSBASE_H
#define NSSBASE_H
/*
* nssbase.h
*
* This header file contains the prototypes of the basic public
* NSS routines.
*/
#ifndef NSSBASET_H
#include "nssbaset.h"
#endif /* NSSBASET_H */
PR_BEGIN_EXTERN_C
/*
* NSSArena
*
* The public methods relating to this type are:
*
* NSSArena_Create -- constructor
* NSSArena_Destroy
* NSS_ZAlloc
* NSS_ZRealloc
* NSS_ZFreeIf
*/
/*
* NSSArena_Create
*
* This routine creates a new memory arena. This routine may return
* NULL upon error, in which case it will have created an error stack.
*
* The top-level error may be one of the following values:
* NSS_ERROR_NO_MEMORY
*
* Return value:
* NULL upon error
* A pointer to an NSSArena upon success
*/
NSS_EXTERN NSSArena *NSSArena_Create(void);
extern const NSSError NSS_ERROR_NO_MEMORY;
/*
* NSSArena_Destroy
*
* This routine will destroy the specified arena, freeing all memory
* allocated from it. This routine returns a PRStatus value; if
* successful, it will return PR_SUCCESS. If unsuccessful, it will
* create an error stack and return PR_FAILURE.
*
* The top-level error may be one of the following values:
* NSS_ERROR_INVALID_ARENA
*
* Return value:
* PR_SUCCESS upon success
* PR_FAILURE upon failure
*/
NSS_EXTERN PRStatus NSSArena_Destroy(NSSArena *arena);
extern const NSSError NSS_ERROR_INVALID_ARENA;
/*
* The error stack
*
* The public methods relating to the error stack are:
*
* NSS_GetError
* NSS_GetErrorStack
*/
/*
* NSS_GetError
*
* This routine returns the highest-level (most general) error set
* by the most recent NSS library routine called by the same thread
* calling this routine.
*
* This routine cannot fail. It may return NSS_ERROR_NO_ERROR, which
* indicates that the previous NSS library call did not set an error.
*
* Return value:
* 0 if no error has been set
* A nonzero error number
*/
NSS_EXTERN NSSError NSS_GetError(void);
extern const NSSError NSS_ERROR_NO_ERROR;
/*
* NSS_GetErrorStack
*
* This routine returns a pointer to an array of NSSError values,
* containingthe entire sequence or "stack" of errors set by the most
* recent NSS library routine called by the same thread calling this
* routine. NOTE: the caller DOES NOT OWN the memory pointed to by
* the return value. The pointer will remain valid until the calling
* thread calls another NSS routine. The lowest-level (most specific)
* error is first in the array, and the highest-level is last. The
* array is zero-terminated. This routine may return NULL upon error;
* this indicates a low-memory situation.
*
* Return value:
* NULL upon error, which is an implied NSS_ERROR_NO_MEMORY
* A NON-caller-owned pointer to an array of NSSError values
*/
NSS_EXTERN NSSError *NSS_GetErrorStack(void);
/*
* NSS_ZNEW
*
* This preprocessor macro will allocate memory for a new object
* of the specified type with nss_ZAlloc, and will cast the
* return value appropriately. If the optional arena argument is
* non-null, the memory will be obtained from that arena; otherwise,
* the memory will be obtained from the heap. This routine may
* return NULL upon error, in which case it will have set an error
* upon the error stack.
*
* The error may be one of the following values:
* NSS_ERROR_INVALID_ARENA
* NSS_ERROR_NO_MEMORY
*
* Return value:
* NULL upon error
* A pointer to the new segment of zeroed memory
*/
#define NSS_ZNEW(arenaOpt, type) ((type *)NSS_ZAlloc((arenaOpt), sizeof(type)))
/*
* NSS_ZNEWARRAY
*
* This preprocessor macro will allocate memory for an array of
* new objects, and will cast the return value appropriately.
* If the optional arena argument is non-null, the memory will
* be obtained from that arena; otherwise, the memory will be
* obtained from the heap. This routine may return NULL upon
* error, in which case it will have set an error upon the error
* stack. The array size may be specified as zero.
*
* The error may be one of the following values:
* NSS_ERROR_INVALID_ARENA
* NSS_ERROR_NO_MEMORY
*
* Return value:
* NULL upon error
* A pointer to the new segment of zeroed memory
*/
#define NSS_ZNEWARRAY(arenaOpt, type, quantity) \
((type *)NSS_ZAlloc((arenaOpt), sizeof(type) * (quantity)))
/*
* NSS_ZAlloc
*
* This routine allocates and zeroes a section of memory of the
* size, and returns to the caller a pointer to that memory. If
* the optional arena argument is non-null, the memory will be
* obtained from that arena; otherwise, the memory will be obtained
* from the heap. This routine may return NULL upon error, in
* which case it will have set an error upon the error stack. The
* value specified for size may be zero; in which case a valid
* zero-length block of memory will be allocated. This block may
* be expanded by calling NSS_ZRealloc.
*
* The error may be one of the following values:
* NSS_ERROR_INVALID_ARENA
* NSS_ERROR_NO_MEMORY
* NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
*
* Return value:
* NULL upon error
* A pointer to the new segment of zeroed memory
*/
NSS_EXTERN void *NSS_ZAlloc(NSSArena *arenaOpt, PRUint32 size);
/*
* NSS_ZRealloc
*
* This routine reallocates a block of memory obtained by calling
* nss_ZAlloc or nss_ZRealloc. The portion of memory
* between the new and old sizes -- which is either being newly
* obtained or released -- is in either case zeroed. This routine
* may return NULL upon failure, in which case it will have placed
* an error on the error stack.
*
* The error may be one of the following values:
* NSS_ERROR_INVALID_POINTER
* NSS_ERROR_NO_MEMORY
* NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
*
* Return value:
* NULL upon error
* A pointer to the replacement segment of memory
*/
NSS_EXTERN void *NSS_ZRealloc(void *pointer, PRUint32 newSize);
/*
* NSS_ZFreeIf
*
* If the specified pointer is non-null, then the region of memory
* to which it points -- which must have been allocated with
* nss_ZAlloc -- will be zeroed and released. This routine
* returns a PRStatus value; if successful, it will return PR_SUCCESS.
* If unsuccessful, it will set an error on the error stack and return
* PR_FAILURE.
*
* The error may be one of the following values:
* NSS_ERROR_INVALID_POINTER
*
* Return value:
* PR_SUCCESS
* PR_FAILURE
*/
NSS_EXTERN PRStatus NSS_ZFreeIf(void *pointer);
PR_END_EXTERN_C
#endif /* NSSBASE_H */
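Review bot: `NSS_ZNEWARRAY` computes `sizeof(type) * (quantity)` with no overflow check and hands the product to `NSS_ZAlloc`, whose `size` parameter is `PRUint32`. A large or externally influenced `quantity` can therefore wrap or be truncated, giving a smaller allocation than the caller goes on to index. Because this is a vendored header, the guard belongs at the call sites in this repository: reject the request unless `quantity <= PR_UINT32_MAX / sizeof(type)` before invoking the macro. The comments in this section also refer to `nss_ZAlloc` and `nss_ZRealloc` while the declared symbols are `NSS_ZAlloc` and `NSS_ZRealloc`, which is worth knowing when searching for the allocator contract.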


@@ -0,0 +1,118 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef NSSBASET_H
#define NSSBASET_H
/*
* nssbaset.h
*
* This file contains the most low-level, fundamental public types.
*/
#include "nspr.h"
#include "nssilock.h"
/*
* NSS_EXTERN, NSS_IMPLEMENT, NSS_EXTERN_DATA, NSS_IMPLEMENT_DATA
*
* NSS has its own versions of these NSPR macros, in a form which
* does not confuse ctags and other related utilities. NSPR
* defines these macros to take the type as an argument, because
* of certain OS requirements on platforms not supported by NSS.
*/
#define DUMMY /* dummy */
#define NSS_EXTERN extern
#define NSS_EXTERN_DATA extern
#define NSS_IMPLEMENT
#define NSS_IMPLEMENT_DATA
PR_BEGIN_EXTERN_C
/*
* NSSError
*
* Calls to NSS routines may result in one or more errors being placed
* on the calling thread's "error stack." Every possible error that
* may be returned from a function is declared where the function is
* prototyped. All errors are of the following type.
*/
typedef PRInt32 NSSError;
/*
* NSSArena
*
* Arenas are logical sets of heap memory, from which memory may be
* allocated. When an arena is destroyed, all memory allocated within
* that arena is implicitly freed. These arenas are thread-safe:
* an arena pointer may be used by multiple threads simultaneously.
* However, as they are not backed by shared memory, they may only be
* used within one process.
*/
struct NSSArenaStr;
typedef struct NSSArenaStr NSSArena;
/*
* NSSItem
*
* This is the basic type used to refer to an unconstrained datum of
* arbitrary size.
*/
struct NSSItemStr {
void *data;
PRUint32 size;
};
typedef struct NSSItemStr NSSItem;
/*
* NSSBER
*
* Data packed according to the Basic Encoding Rules of ASN.1.
*/
typedef NSSItem NSSBER;
/*
* NSSDER
*
* Data packed according to the Distinguished Encoding Rules of ASN.1;
* this form is also known as the Canonical Encoding Rules form (CER).
*/
typedef NSSBER NSSDER;
/*
* NSSBitString
*
* Some ASN.1 types use "bit strings," which are passed around as
* octet strings but whose length is counted in bits. We use this
* typedef of NSSItem to point out the occasions when the length
* is counted in bits, not octets.
*/
typedef NSSItem NSSBitString;
/*
* NSSUTF8
*
* Character strings encoded in UTF-8, as defined by RFC 2279.
*/
typedef char NSSUTF8;
/*
* NSSASCII7
*
* Character strings guaranteed to be 7-bit ASCII.
*/
typedef char NSSASCII7;
PR_END_EXTERN_C
#endif /* NSSBASET_H */

File diff suppressed because it is too large Load Diff


@@ -0,0 +1,60 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef NSSCKBI_H
#define NSSCKBI_H
/*
* NSS BUILTINS Version numbers.
*
* These are the version numbers for the builtins module packaged with
* this release on NSS. To determine the version numbers of the builtin
* module you are using, use the appropriate PKCS #11 calls.
*
* These version numbers detail changes to the PKCS #11 interface. They map
* to the PKCS #11 spec versions.
*/
#define NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR 2
#define NSS_BUILTINS_CRYPTOKI_VERSION_MINOR 20
/* These version numbers detail the changes
* to the list of trusted certificates.
*
* The NSS_BUILTINS_LIBRARY_VERSION_MINOR macro needs to be bumped
* for each NSS minor release AND whenever we change the list of
* trusted certificates. 10 minor versions are allocated for each
* NSS 3.x branch as follows, allowing us to change the list of
* trusted certificates up to 9 times on each branch.
* - NSS 3.5 branch: 3-9
* - NSS 3.6 branch: 10-19
* - NSS 3.7 branch: 20-29
* - NSS 3.8 branch: 30-39
* - NSS 3.9 branch: 40-49
* - NSS 3.10 branch: 50-59
* - NSS 3.11 branch: 60-69
* ...
* - NSS 3.12 branch: 70-89
* - NSS 3.13 branch: 90-99
* - NSS 3.14 branch: 100-109
* ...
* - NSS 3.29 branch: 250-255
*
* NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE. It's not clear
* whether we may use its full range (0-255) or only 0-99 because
* of the comment in the CK_VERSION type definition.
*/
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 11
#define NSS_BUILTINS_LIBRARY_VERSION "2.11"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
#define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
/* These version numbers detail the semantic changes to ckbi itself
* (new PKCS #11 objects), etc. */
#define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
#define NSS_BUILTINS_FIRMWARE_VERSION_MINOR 0
#endif /* NSSCKBI_H */


@@ -0,0 +1,10 @@
/* THIS IS A GENERATED FILE */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef NSSCKEPV_H
#define NSSCKEPV_H
#include "pkcs11.h"
#endif /* NSSCKEPV_H */


@@ -0,0 +1,11 @@
/* THIS IS A GENERATED FILE */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _NSSCKFT_H_
#define _NSSCKFT_H_ 1
#include "pkcs11t.h"
#endif /* _NSSCKFT_H_ */


@@ -0,0 +1,462 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef NSSCKFW_H
#define NSSCKFW_H
/*
* nssckfw.h
*
* This file prototypes the publicly available calls of the
* NSS Cryptoki Framework.
*/
#ifndef NSSBASET_H
#include "nssbaset.h"
#endif /* NSSBASET_H */
#ifndef NSSCKT_H
#include "nssckt.h"
#endif /* NSSCKT_H */
#ifndef NSSCKFWT_H
#include "nssckfwt.h"
#endif /* NSSCKFWT_H */
/*
* NSSCKFWInstance
*
* NSSCKFWInstance_GetMDInstance
* NSSCKFWInstance_GetArena
* NSSCKFWInstance_MayCreatePthreads
* NSSCKFWInstance_CreateMutex
* NSSCKFWInstance_GetConfigurationData
* NSSCKFWInstance_GetInitArgs
* NSSCKFWInstance_DestroySessionHandle
* NSSCKFWInstance_FindSessionHandle
*/
/*
* NSSCKFWInstance_GetMDInstance
*
*/
NSS_EXTERN NSSCKMDInstance *
NSSCKFWInstance_GetMDInstance(
NSSCKFWInstance *fwInstance);
/*
* NSSCKFWInstance_GetArena
*
*/
NSS_EXTERN NSSArena *
NSSCKFWInstance_GetArena(
NSSCKFWInstance *fwInstance,
CK_RV *pError);
/*
* NSSCKFWInstance_MayCreatePthreads
*
*/
NSS_EXTERN CK_BBOOL
NSSCKFWInstance_MayCreatePthreads(
NSSCKFWInstance *fwInstance);
/*
* NSSCKFWInstance_CreateMutex
*
*/
NSS_EXTERN NSSCKFWMutex *
NSSCKFWInstance_CreateMutex(
NSSCKFWInstance *fwInstance,
NSSArena *arena,
CK_RV *pError);
/*
* NSSCKFWInstance_GetConfigurationData
*
*/
NSS_EXTERN NSSUTF8 *
NSSCKFWInstance_GetConfigurationData(
NSSCKFWInstance *fwInstance);
/*
* NSSCKFWInstance_GetInitArgs
*
*/
NSS_EXTERN CK_C_INITIALIZE_ARGS_PTR
NSSCKFWInstance_GetInitArgs(
NSSCKFWInstance *fwInstance);
/*
* nssCKFWInstance_DestroySessionHandle
*
*/
NSS_EXTERN void
NSSCKFWInstance_DestroySessionHandle(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession);
/*
* nssCKFWInstance_FindSessionHandle
*
*/
NSS_EXTERN CK_SESSION_HANDLE
NSSCKFWInstance_FindSessionHandle(
NSSCKFWInstance *fwInstance,
NSSCKFWSession *fwSession);
/*
* NSSCKFWSlot
*
* NSSCKFWSlot_GetMDSlot
* NSSCKFWSlot_GetFWInstance
* NSSCKFWSlot_GetMDInstance
* NSSCKFWSlot_GetSlotID
*
*/
/*
* NSSCKFWSlot_GetMDSlot
*
*/
NSS_EXTERN NSSCKMDSlot *
NSSCKFWSlot_GetMDSlot(
NSSCKFWSlot *fwSlot);
/*
* NSSCKFWSlot_GetFWInstance
*
*/
NSS_EXTERN NSSCKFWInstance *
NSSCKFWSlot_GetFWInstance(
NSSCKFWSlot *fwSlot);
/*
* NSSCKFWSlot_GetMDInstance
*
*/
NSS_EXTERN NSSCKMDInstance *
NSSCKFWSlot_GetMDInstance(
NSSCKFWSlot *fwSlot);
/*
* NSSCKFWSlot_GetSlotID
*
*/
NSS_EXTERN CK_SLOT_ID
NSSCKFWSlot_GetSlotID(
NSSCKFWSlot *fwSlot);
/*
* NSSCKFWToken
*
* NSSCKFWToken_GetMDToken
* NSSCKFWToken_GetFWSlot
* NSSCKFWToken_GetMDSlot
* NSSCKFWToken_GetSessionState
*
*/
/*
* NSSCKFWToken_GetMDToken
*
*/
NSS_EXTERN NSSCKMDToken *
NSSCKFWToken_GetMDToken(
NSSCKFWToken *fwToken);
/*
* NSSCKFWToken_GetArena
*
*/
NSS_EXTERN NSSArena *
NSSCKFWToken_GetArena(
NSSCKFWToken *fwToken,
CK_RV *pError);
/*
* NSSCKFWToken_GetFWSlot
*
*/
NSS_EXTERN NSSCKFWSlot *
NSSCKFWToken_GetFWSlot(
NSSCKFWToken *fwToken);
/*
* NSSCKFWToken_GetMDSlot
*
*/
NSS_EXTERN NSSCKMDSlot *
NSSCKFWToken_GetMDSlot(
NSSCKFWToken *fwToken);
/*
* NSSCKFWToken_GetSessionState
*
*/
NSS_EXTERN CK_STATE
NSSCKFWToken_GetSessionState(
NSSCKFWToken *fwToken);
/*
* NSSCKFWMechanism
*
* NSSKCFWMechanism_GetMDMechanism
* NSSCKFWMechanism_GetParameter
*
*/
/*
* NSSKCFWMechanism_GetMDMechanism
*
*/
NSS_EXTERN NSSCKMDMechanism *
NSSCKFWMechanism_GetMDMechanism(
NSSCKFWMechanism *fwMechanism);
/*
* NSSCKFWMechanism_GetParameter
*
*/
NSS_EXTERN NSSItem *
NSSCKFWMechanism_GetParameter(
NSSCKFWMechanism *fwMechanism);
/*
* NSSCKFWSession
*
* NSSCKFWSession_GetMDSession
* NSSCKFWSession_GetArena
* NSSCKFWSession_CallNotification
* NSSCKFWSession_IsRWSession
* NSSCKFWSession_IsSO
* NSSCKFWSession_GetCurrentCryptoOperation
* NSSCKFWSession_GetFWSlot
*
*/
/*
* NSSCKFWSession_GetMDSession
*
*/
NSS_EXTERN NSSCKMDSession *
NSSCKFWSession_GetMDSession(
NSSCKFWSession *fwSession);
/*
* NSSCKFWSession_GetArena
*
*/
NSS_EXTERN NSSArena *
NSSCKFWSession_GetArena(
NSSCKFWSession *fwSession,
CK_RV *pError);
/*
* NSSCKFWSession_CallNotification
*
*/
NSS_EXTERN CK_RV
NSSCKFWSession_CallNotification(
NSSCKFWSession *fwSession,
CK_NOTIFICATION event);
/*
* NSSCKFWSession_IsRWSession
*
*/
NSS_EXTERN CK_BBOOL
NSSCKFWSession_IsRWSession(
NSSCKFWSession *fwSession);
/*
* NSSCKFWSession_IsSO
*
*/
NSS_EXTERN CK_BBOOL
NSSCKFWSession_IsSO(
NSSCKFWSession *fwSession);
/*
* NSSCKFWSession_GetCurrentCryptoOperation
*
*/
NSS_EXTERN NSSCKFWCryptoOperation *
NSSCKFWSession_GetCurrentCryptoOperation(
NSSCKFWSession *fwSession,
NSSCKFWCryptoOperationState state);
/*
* NSSCKFWSession_GetFWSlot
*
*/
NSS_EXTERN NSSCKFWSlot *
NSSCKFWSession_GetFWSlot(
NSSCKFWSession *fwSession);
/*
* NSSCKFWObject
*
* NSSCKFWObject_GetMDObject
* NSSCKFWObject_GetArena
* NSSCKFWObject_IsTokenObject
* NSSCKFWObject_GetAttributeCount
* NSSCKFWObject_GetAttributeTypes
* NSSCKFWObject_GetAttributeSize
* NSSCKFWObject_GetAttribute
* NSSCKFWObject_GetObjectSize
*/
/*
* NSSCKFWObject_GetMDObject
*
*/
NSS_EXTERN NSSCKMDObject *
NSSCKFWObject_GetMDObject(
NSSCKFWObject *fwObject);
/*
* NSSCKFWObject_GetArena
*
*/
NSS_EXTERN NSSArena *
NSSCKFWObject_GetArena(
NSSCKFWObject *fwObject,
CK_RV *pError);
/*
* NSSCKFWObject_IsTokenObject
*
*/
NSS_EXTERN CK_BBOOL
NSSCKFWObject_IsTokenObject(
NSSCKFWObject *fwObject);
/*
* NSSCKFWObject_GetAttributeCount
*
*/
NSS_EXTERN CK_ULONG
NSSCKFWObject_GetAttributeCount(
NSSCKFWObject *fwObject,
CK_RV *pError);
/*
* NSSCKFWObject_GetAttributeTypes
*
*/
NSS_EXTERN CK_RV
NSSCKFWObject_GetAttributeTypes(
NSSCKFWObject *fwObject,
CK_ATTRIBUTE_TYPE_PTR typeArray,
CK_ULONG ulCount);
/*
* NSSCKFWObject_GetAttributeSize
*
*/
NSS_EXTERN CK_ULONG
NSSCKFWObject_GetAttributeSize(
NSSCKFWObject *fwObject,
CK_ATTRIBUTE_TYPE attribute,
CK_RV *pError);
/*
* NSSCKFWObject_GetAttribute
*
*/
NSS_EXTERN NSSItem *
NSSCKFWObject_GetAttribute(
NSSCKFWObject *fwObject,
CK_ATTRIBUTE_TYPE attribute,
NSSItem *itemOpt,
NSSArena *arenaOpt,
CK_RV *pError);
/*
* NSSCKFWObject_GetObjectSize
*
*/
NSS_EXTERN CK_ULONG
NSSCKFWObject_GetObjectSize(
NSSCKFWObject *fwObject,
CK_RV *pError);
/*
* NSSCKFWFindObjects
*
* NSSCKFWFindObjects_GetMDFindObjects
*
*/
/*
* NSSCKFWFindObjects_GetMDFindObjects
*
*/
NSS_EXTERN NSSCKMDFindObjects *
NSSCKFWFindObjects_GetMDFindObjects(
NSSCKFWFindObjects *);
/*
* NSSCKFWMutex
*
* NSSCKFWMutex_Destroy
* NSSCKFWMutex_Lock
* NSSCKFWMutex_Unlock
*
*/
/*
* NSSCKFWMutex_Destroy
*
*/
NSS_EXTERN CK_RV
NSSCKFWMutex_Destroy(
NSSCKFWMutex *mutex);
/*
* NSSCKFWMutex_Lock
*
*/
NSS_EXTERN CK_RV
NSSCKFWMutex_Lock(
NSSCKFWMutex *mutex);
/*
* NSSCKFWMutex_Unlock
*
*/
NSS_EXTERN CK_RV
NSSCKFWMutex_Unlock(
NSSCKFWMutex *mutex);
#endif /* NSSCKFW_H */


@@ -0,0 +1,879 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef NSSCKFWC_H
#define NSSCKFWC_H
/*
* nssckfwc.h
*
* This file prototypes all of the NSS Cryptoki Framework "wrapper"
* which implement the PKCS#11 API. Technically, these are public
* routines (with capital "NSS" prefixes), since they are called
* from (generated) code within a Module using the Framework.
* However, they should not be called except from those generated
* calls. Hence, the prototypes have been split out into this file.
*/
#ifndef NSSCKT_H
#include "nssckt.h"
#endif /* NSSCKT_H */
#ifndef NSSCKFWT_H
#include "nssckfwt.h"
#endif /* NSSCKFWT_H */
#ifndef NSSCKMDT_H
#include "nssckmdt.h"
#endif /* NSSCKMDT_H */
/*
* NSSCKFWC_Initialize
* NSSCKFWC_Finalize
* NSSCKFWC_GetInfo
* -- NSSCKFWC_GetFunctionList -- see the API insert file
* NSSCKFWC_GetSlotList
* NSSCKFWC_GetSlotInfo
* NSSCKFWC_GetTokenInfo
* NSSCKFWC_WaitForSlotEvent
* NSSCKFWC_GetMechanismList
* NSSCKFWC_GetMechanismInfo
* NSSCKFWC_InitToken
* NSSCKFWC_InitPIN
* NSSCKFWC_SetPIN
* NSSCKFWC_OpenSession
* NSSCKFWC_CloseSession
* NSSCKFWC_CloseAllSessions
* NSSCKFWC_GetSessionInfo
* NSSCKFWC_GetOperationState
* NSSCKFWC_SetOperationState
* NSSCKFWC_Login
* NSSCKFWC_Logout
* NSSCKFWC_CreateObject
* NSSCKFWC_CopyObject
* NSSCKFWC_DestroyObject
* NSSCKFWC_GetObjectSize
* NSSCKFWC_GetAttributeValue
* NSSCKFWC_SetAttributeValue
* NSSCKFWC_FindObjectsInit
* NSSCKFWC_FindObjects
* NSSCKFWC_FindObjectsFinal
* NSSCKFWC_EncryptInit
* NSSCKFWC_Encrypt
* NSSCKFWC_EncryptUpdate
* NSSCKFWC_EncryptFinal
* NSSCKFWC_DecryptInit
* NSSCKFWC_Decrypt
* NSSCKFWC_DecryptUpdate
* NSSCKFWC_DecryptFinal
* NSSCKFWC_DigestInit
* NSSCKFWC_Digest
* NSSCKFWC_DigestUpdate
* NSSCKFWC_DigestKey
* NSSCKFWC_DigestFinal
* NSSCKFWC_SignInit
* NSSCKFWC_Sign
* NSSCKFWC_SignUpdate
* NSSCKFWC_SignFinal
* NSSCKFWC_SignRecoverInit
* NSSCKFWC_SignRecover
* NSSCKFWC_VerifyInit
* NSSCKFWC_Verify
* NSSCKFWC_VerifyUpdate
* NSSCKFWC_VerifyFinal
* NSSCKFWC_VerifyRecoverInit
* NSSCKFWC_VerifyRecover
* NSSCKFWC_DigestEncryptUpdate
* NSSCKFWC_DecryptDigestUpdate
* NSSCKFWC_SignEncryptUpdate
* NSSCKFWC_DecryptVerifyUpdate
* NSSCKFWC_GenerateKey
* NSSCKFWC_GenerateKeyPair
* NSSCKFWC_WrapKey
* NSSCKFWC_UnwrapKey
* NSSCKFWC_DeriveKey
* NSSCKFWC_SeedRandom
* NSSCKFWC_GenerateRandom
* NSSCKFWC_GetFunctionStatus
* NSSCKFWC_CancelFunction
*/
/*
* NSSCKFWC_Initialize
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_Initialize(
NSSCKFWInstance **pFwInstance,
NSSCKMDInstance *mdInstance,
CK_VOID_PTR pInitArgs);
/*
* NSSCKFWC_Finalize
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_Finalize(
NSSCKFWInstance **pFwInstance);
/*
* NSSCKFWC_GetInfo
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_GetInfo(
NSSCKFWInstance *fwInstance,
CK_INFO_PTR pInfo);
/*
* C_GetFunctionList is implemented entirely in the Module's file which
* includes the Framework API insert file. It requires no "actual"
* NSSCKFW routine.
*/
/*
* NSSCKFWC_GetSlotList
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_GetSlotList(
NSSCKFWInstance *fwInstance,
CK_BBOOL tokenPresent,
CK_SLOT_ID_PTR pSlotList,
CK_ULONG_PTR pulCount);
/*
* NSSCKFWC_GetSlotInfo
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_GetSlotInfo(
NSSCKFWInstance *fwInstance,
CK_SLOT_ID slotID,
CK_SLOT_INFO_PTR pInfo);
/*
* NSSCKFWC_GetTokenInfo
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_GetTokenInfo(
NSSCKFWInstance *fwInstance,
CK_SLOT_ID slotID,
CK_TOKEN_INFO_PTR pInfo);
/*
* NSSCKFWC_WaitForSlotEvent
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_WaitForSlotEvent(
NSSCKFWInstance *fwInstance,
CK_FLAGS flags,
CK_SLOT_ID_PTR pSlot,
CK_VOID_PTR pReserved);
/*
* NSSCKFWC_GetMechanismList
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_GetMechanismList(
NSSCKFWInstance *fwInstance,
CK_SLOT_ID slotID,
CK_MECHANISM_TYPE_PTR pMechanismList,
CK_ULONG_PTR pulCount);
/*
* NSSCKFWC_GetMechanismInfo
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_GetMechanismInfo(
NSSCKFWInstance *fwInstance,
CK_SLOT_ID slotID,
CK_MECHANISM_TYPE type,
CK_MECHANISM_INFO_PTR pInfo);
/*
* NSSCKFWC_InitToken
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_InitToken(
NSSCKFWInstance *fwInstance,
CK_SLOT_ID slotID,
CK_CHAR_PTR pPin,
CK_ULONG ulPinLen,
CK_CHAR_PTR pLabel);
/*
* NSSCKFWC_InitPIN
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_InitPIN(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_CHAR_PTR pPin,
CK_ULONG ulPinLen);
/*
* NSSCKFWC_SetPIN
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_SetPIN(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_CHAR_PTR pOldPin,
CK_ULONG ulOldLen,
CK_CHAR_PTR pNewPin,
CK_ULONG ulNewLen);
/*
* NSSCKFWC_OpenSession
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_OpenSession(
NSSCKFWInstance *fwInstance,
CK_SLOT_ID slotID,
CK_FLAGS flags,
CK_VOID_PTR pApplication,
CK_NOTIFY Notify,
CK_SESSION_HANDLE_PTR phSession);
/*
* NSSCKFWC_CloseSession
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_CloseSession(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession);
/*
* NSSCKFWC_CloseAllSessions
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_CloseAllSessions(
NSSCKFWInstance *fwInstance,
CK_SLOT_ID slotID);
/*
* NSSCKFWC_GetSessionInfo
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_GetSessionInfo(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_SESSION_INFO_PTR pInfo);
/*
* NSSCKFWC_GetOperationState
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_GetOperationState(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pOperationState,
CK_ULONG_PTR pulOperationStateLen);
/*
* NSSCKFWC_SetOperationState
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_SetOperationState(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pOperationState,
CK_ULONG ulOperationStateLen,
CK_OBJECT_HANDLE hEncryptionKey,
CK_OBJECT_HANDLE hAuthenticationKey);
/*
* NSSCKFWC_Login
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_Login(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_USER_TYPE userType,
CK_CHAR_PTR pPin,
CK_ULONG ulPinLen);
/*
* NSSCKFWC_Logout
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_Logout(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession);
/*
* NSSCKFWC_CreateObject
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_CreateObject(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulCount,
CK_OBJECT_HANDLE_PTR phObject);
/*
* NSSCKFWC_CopyObject
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_CopyObject(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hObject,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulCount,
CK_OBJECT_HANDLE_PTR phNewObject);
/*
* NSSCKFWC_DestroyObject
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_DestroyObject(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hObject);
/*
* NSSCKFWC_GetObjectSize
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_GetObjectSize(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hObject,
CK_ULONG_PTR pulSize);
/*
* NSSCKFWC_GetAttributeValue
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_GetAttributeValue(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hObject,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulCount);
/*
* NSSCKFWC_SetAttributeValue
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_SetAttributeValue(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hObject,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulCount);
/*
* NSSCKFWC_FindObjectsInit
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_FindObjectsInit(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulCount);
/*
* NSSCKFWC_FindObjects
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_FindObjects(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE_PTR phObject,
CK_ULONG ulMaxObjectCount,
CK_ULONG_PTR pulObjectCount);
/*
* NSSCKFWC_FindObjectsFinal
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_FindObjectsFinal(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession);
/*
* NSSCKFWC_EncryptInit
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_EncryptInit(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism,
CK_OBJECT_HANDLE hKey);
/*
* NSSCKFWC_Encrypt
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_Encrypt(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pData,
CK_ULONG ulDataLen,
CK_BYTE_PTR pEncryptedData,
CK_ULONG_PTR pulEncryptedDataLen);
/*
* NSSCKFWC_EncryptUpdate
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_EncryptUpdate(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pPart,
CK_ULONG ulPartLen,
CK_BYTE_PTR pEncryptedPart,
CK_ULONG_PTR pulEncryptedPartLen);
/*
* NSSCKFWC_EncryptFinal
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_EncryptFinal(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pLastEncryptedPart,
CK_ULONG_PTR pulLastEncryptedPartLen);
/*
* NSSCKFWC_DecryptInit
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_DecryptInit(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism,
CK_OBJECT_HANDLE hKey);
/*
* NSSCKFWC_Decrypt
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_Decrypt(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pEncryptedData,
CK_ULONG ulEncryptedDataLen,
CK_BYTE_PTR pData,
CK_ULONG_PTR pulDataLen);
/*
* NSSCKFWC_DecryptUpdate
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_DecryptUpdate(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pEncryptedPart,
CK_ULONG ulEncryptedPartLen,
CK_BYTE_PTR pPart,
CK_ULONG_PTR pulPartLen);
/*
* NSSCKFWC_DecryptFinal
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_DecryptFinal(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pLastPart,
CK_ULONG_PTR pulLastPartLen);
/*
* NSSCKFWC_DigestInit
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_DigestInit(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism);
/*
* NSSCKFWC_Digest
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_Digest(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pData,
CK_ULONG ulDataLen,
CK_BYTE_PTR pDigest,
CK_ULONG_PTR pulDigestLen);
/*
* NSSCKFWC_DigestUpdate
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_DigestUpdate(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pData,
CK_ULONG ulDataLen);
/*
* NSSCKFWC_DigestKey
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_DigestKey(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hKey);
/*
* NSSCKFWC_DigestFinal
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_DigestFinal(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pDigest,
CK_ULONG_PTR pulDigestLen);
/*
* NSSCKFWC_SignInit
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_SignInit(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism,
CK_OBJECT_HANDLE hKey);
/*
* NSSCKFWC_Sign
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_Sign(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pData,
CK_ULONG ulDataLen,
CK_BYTE_PTR pSignature,
CK_ULONG_PTR pulSignatureLen);
/*
* NSSCKFWC_SignUpdate
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_SignUpdate(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pPart,
CK_ULONG ulPartLen);
/*
* NSSCKFWC_SignFinal
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_SignFinal(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pSignature,
CK_ULONG_PTR pulSignatureLen);
/*
* NSSCKFWC_SignRecoverInit
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_SignRecoverInit(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism,
CK_OBJECT_HANDLE hKey);
/*
* NSSCKFWC_SignRecover
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_SignRecover(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pData,
CK_ULONG ulDataLen,
CK_BYTE_PTR pSignature,
CK_ULONG_PTR pulSignatureLen);
/*
* NSSCKFWC_VerifyInit
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_VerifyInit(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism,
CK_OBJECT_HANDLE hKey);
/*
* NSSCKFWC_Verify
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_Verify(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pData,
CK_ULONG ulDataLen,
CK_BYTE_PTR pSignature,
CK_ULONG ulSignatureLen);
/*
* NSSCKFWC_VerifyUpdate
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_VerifyUpdate(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pPart,
CK_ULONG ulPartLen);
/*
* NSSCKFWC_VerifyFinal
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_VerifyFinal(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pSignature,
CK_ULONG ulSignatureLen);
/*
* NSSCKFWC_VerifyRecoverInit
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_VerifyRecoverInit(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism,
CK_OBJECT_HANDLE hKey);
/*
* NSSCKFWC_VerifyRecover
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_VerifyRecover(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pSignature,
CK_ULONG ulSignatureLen,
CK_BYTE_PTR pData,
CK_ULONG_PTR pulDataLen);
/*
* NSSCKFWC_DigestEncryptUpdate
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_DigestEncryptUpdate(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pPart,
CK_ULONG ulPartLen,
CK_BYTE_PTR pEncryptedPart,
CK_ULONG_PTR pulEncryptedPartLen);
/*
* NSSCKFWC_DecryptDigestUpdate
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_DecryptDigestUpdate(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pEncryptedPart,
CK_ULONG ulEncryptedPartLen,
CK_BYTE_PTR pPart,
CK_ULONG_PTR pulPartLen);
/*
* NSSCKFWC_SignEncryptUpdate
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_SignEncryptUpdate(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pPart,
CK_ULONG ulPartLen,
CK_BYTE_PTR pEncryptedPart,
CK_ULONG_PTR pulEncryptedPartLen);
/*
* NSSCKFWC_DecryptVerifyUpdate
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_DecryptVerifyUpdate(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pEncryptedPart,
CK_ULONG ulEncryptedPartLen,
CK_BYTE_PTR pPart,
CK_ULONG_PTR pulPartLen);
/*
* NSSCKFWC_GenerateKey
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_GenerateKey(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulCount,
CK_OBJECT_HANDLE_PTR phKey);
/*
* NSSCKFWC_GenerateKeyPair
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_GenerateKeyPair(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism,
CK_ATTRIBUTE_PTR pPublicKeyTemplate,
CK_ULONG ulPublicKeyAttributeCount,
CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
CK_ULONG ulPrivateKeyAttributeCount,
CK_OBJECT_HANDLE_PTR phPublicKey,
CK_OBJECT_HANDLE_PTR phPrivateKey);
/*
* NSSCKFWC_WrapKey
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_WrapKey(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism,
CK_OBJECT_HANDLE hWrappingKey,
CK_OBJECT_HANDLE hKey,
CK_BYTE_PTR pWrappedKey,
CK_ULONG_PTR pulWrappedKeyLen);
/*
* NSSCKFWC_UnwrapKey
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_UnwrapKey(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism,
CK_OBJECT_HANDLE hUnwrappingKey,
CK_BYTE_PTR pWrappedKey,
CK_ULONG ulWrappedKeyLen,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
CK_OBJECT_HANDLE_PTR phKey);
/*
* NSSCKFWC_DeriveKey
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_DeriveKey(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism,
CK_OBJECT_HANDLE hBaseKey,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
CK_OBJECT_HANDLE_PTR phKey);
/*
* NSSCKFWC_SeedRandom
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_SeedRandom(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pSeed,
CK_ULONG ulSeedLen);
/*
* NSSCKFWC_GenerateRandom
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_GenerateRandom(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pRandomData,
CK_ULONG ulRandomLen);
/*
* NSSCKFWC_GetFunctionStatus
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_GetFunctionStatus(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession);
/*
* NSSCKFWC_CancelFunction
*
*/
NSS_EXTERN CK_RV
NSSCKFWC_CancelFunction(
NSSCKFWInstance *fwInstance,
CK_SESSION_HANDLE hSession);
#endif /* NSSCKFWC_H */


@@ -0,0 +1,109 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef NSSCKFWT_H
#define NSSCKFWT_H
/*
* nssckfwt.h
*
* This file declares the public types used by the NSS Cryptoki Framework.
*/
/*
* NSSCKFWInstance
*
*/
struct NSSCKFWInstanceStr;
typedef struct NSSCKFWInstanceStr NSSCKFWInstance;
/*
* NSSCKFWSlot
*
*/
struct NSSCKFWSlotStr;
typedef struct NSSCKFWSlotStr NSSCKFWSlot;
/*
* NSSCKFWToken
*
*/
struct NSSCKFWTokenStr;
typedef struct NSSCKFWTokenStr NSSCKFWToken;
/*
* NSSCKFWMechanism
*
*/
struct NSSCKFWMechanismStr;
typedef struct NSSCKFWMechanismStr NSSCKFWMechanism;
/*
* NSSCKFWCryptoOperation
*
*/
struct NSSCKFWCryptoOperationStr;
typedef struct NSSCKFWCryptoOperationStr NSSCKFWCryptoOperation;
/*
* NSSCKFWSession
*
*/
struct NSSCKFWSessionStr;
typedef struct NSSCKFWSessionStr NSSCKFWSession;
/*
* NSSCKFWObject
*
*/
struct NSSCKFWObjectStr;
typedef struct NSSCKFWObjectStr NSSCKFWObject;
/*
* NSSCKFWFindObjects
*
*/
struct NSSCKFWFindObjectsStr;
typedef struct NSSCKFWFindObjectsStr NSSCKFWFindObjects;
/*
* NSSCKFWMutex
*
*/
struct NSSCKFWMutexStr;
typedef struct NSSCKFWMutexStr NSSCKFWMutex;
typedef enum {
SingleThreaded,
MultiThreaded
} CryptokiLockingState;
/* used as an index into an array, make sure it starts at '0' */
typedef enum {
NSSCKFWCryptoOperationState_EncryptDecrypt = 0,
NSSCKFWCryptoOperationState_SignVerify,
NSSCKFWCryptoOperationState_Digest,
NSSCKFWCryptoOperationState_Max
} NSSCKFWCryptoOperationState;
typedef enum {
NSSCKFWCryptoOperationType_Encrypt,
NSSCKFWCryptoOperationType_Decrypt,
NSSCKFWCryptoOperationType_Digest,
NSSCKFWCryptoOperationType_Sign,
NSSCKFWCryptoOperationType_Verify,
NSSCKFWCryptoOperationType_SignRecover,
NSSCKFWCryptoOperationType_VerifyRecover
} NSSCKFWCryptoOperationType;
#endif /* NSSCKFWT_H */


@@ -0,0 +1,10 @@
/* THIS IS A GENERATED FILE */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef NSSCKG_H
#define NSSCKG_H
#include "pkcs11.h"
#endif /* NSSCKG_H */



@@ -0,0 +1,12 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _NSSCKT_H_
#define _NSSCKT_H_ 1
#include "pkcs11t.h"
typedef CK_ATTRIBUTE_TYPE CK_PTR CK_ATTRIBUTE_TYPE_PTR;
#define CK_ENTRY
#endif /* _NSSCKT_H_ */


@@ -0,0 +1,191 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
** nssilock.h - Instrumented locking functions for NSS
**
** Description:
** nssilock provides instrumentation for locks and monitors in
** the NSS libraries. The instrumentation, when enabled, causes
** each call to the instrumented function to record data about
** the call to an external file. The external file
** subsequently used to extract performance data and other
** statistical information about the operation of locks used in
** the nss library.
**
** To enable compilation with instrumentation, build NSS with
** the compile time switch NEED_NSS_ILOCK defined.
**
** say: "gmake OS_CFLAGS+=-DNEED_NSS_ILOCK" at make time.
**
** At runtime, to enable recording from nssilock, one or more
** environment variables must be set. For each nssILockType to
** be recorded, an environment variable of the form NSS_ILOCK_x
** must be set to 1. For example:
**
** set NSS_ILOCK_Cert=1
**
** nssilock uses PRLOG is used to record to trace data. The
** PRLogModule name associated with nssilock data is: "nssilock".
** To enable recording of nssilock data you will need to set the
** environment variable NSPR_LOG_MODULES to enable
** recording for the nssilock log module. Similarly, you will
** need to set the environment variable NSPR_LOG_FILE to specify
** the filename to receive the recorded data. See prlog.h for usage.
** Example:
**
** export NSPR_LOG_MODULES=nssilock:6
** export NSPR_LOG_FILE=xxxLogfile
**
** Operation:
** nssilock wraps calls to NSPR's PZLock and PZMonitor functions
** with similarly named functions: PZ_NewLock(), etc. When NSS is
** built with lock instrumentation enabled, the PZ* functions are
** compiled into NSS; when lock instrumentation is disabled,
** calls to PZ* functions are directly mapped to PR* functions
** and the instrumentation arguments to the PZ* functions are
** compiled away.
**
**
** File Format:
** The format of the external file is implementation
** dependent. Where NSPR's PR_LOG() function is used, the file
** contains data defined for PR_LOG() plus the data written by
** the wrapped function. On some platforms and under some
** circumstances, platform dependent logging or
** instrumentation probes may be used. In any case, the
** relevant data provided by the lock instrumentation is:
**
** lockType, func, address, duration, line, file [heldTime]
**
** where:
**
** lockType: a character representation of nssILockType for the
** call. e.g. ... "cert"
**
** func: the function doing the tracing. e.g. "NewLock"
**
** address: address of the instrumented lock or monitor
**
** duration: is how long was spent in the instrumented function,
** in PRIntervalTime "ticks".
**
** line: the line number within the calling function
**
** file: the file from which the call was made
**
** heldTime: how long the lock/monitor was held. field
** present only for PZ_Unlock() and PZ_ExitMonitor().
**
** Design Notes:
** The design for lock instrumentation was influenced by the
** need to gather performance data on NSS 3.x. It is intended
** that the effort to modify NSS to use lock instrumentation
** be minimized. Existing calls to locking functions need only
** have their names changed to the instrumentation function
** names.
**
** Private NSS Interface:
** nssilock.h defines a private interface for use by NSS.
** nssilock.h is experimental in nature and is subject to
** change or revocation without notice. ... Don't mess with
** it.
**
*/
/*
* $Id:
*/
#ifndef _NSSILCKT_H_
#define _NSSILCKT_H_
#include "utilrename.h"
#include "prtypes.h"
#include "prmon.h"
#include "prlock.h"
#include "prcvar.h"
typedef enum {
nssILockArena = 0,
nssILockSession = 1,
nssILockObject = 2,
nssILockRefLock = 3,
nssILockCert = 4,
nssILockCertDB = 5,
nssILockDBM = 6,
nssILockCache = 7,
nssILockSSL = 8,
nssILockList = 9,
nssILockSlot = 10,
nssILockFreelist = 11,
nssILockOID = 12,
nssILockAttribute = 13,
nssILockPK11cxt = 14, /* pk11context */
nssILockRWLock = 15,
nssILockOther = 16,
nssILockSelfServ = 17,
nssILockKeyDB = 18,
nssILockLast /* don't use this one! */
} nssILockType;
/*
** conditionally compile in nssilock features
*/
#if defined(NEED_NSS_ILOCK)
/*
** Declare operation type enumerator
** enumerations identify the function being performed
*/
typedef enum {
FlushTT = 0,
NewLock = 1,
Lock = 2,
Unlock = 3,
DestroyLock = 4,
NewCondVar = 5,
WaitCondVar = 6,
NotifyCondVar = 7,
NotifyAllCondVar = 8,
DestroyCondVar = 9,
NewMonitor = 10,
EnterMonitor = 11,
ExitMonitor = 12,
Notify = 13,
NotifyAll = 14,
Wait = 15,
DestroyMonitor = 16
} nssILockOp;
/*
** Declare the trace record
*/
struct pzTrace_s {
PRUint32 threadID; /* PR_GetThreadID() */
nssILockOp op; /* operation being performed */
nssILockType ltype; /* lock type identifier */
PRIntervalTime callTime; /* time spent in function */
PRIntervalTime heldTime; /* lock held time, or -1 */
void *lock; /* address of lock structure */
PRIntn line; /* line number */
char file[24]; /* filename */
};
/*
** declare opaque types. See: nssilock.c
*/
typedef struct pzlock_s PZLock;
typedef struct pzcondvar_s PZCondVar;
typedef struct pzmonitor_s PZMonitor;
#else /* NEED_NSS_ILOCK */
#define PZLock PRLock
#define PZCondVar PRCondVar
#define PZMonitor PRMonitor
#endif /* NEED_NSS_ILOCK */
#endif /* _NSSILCKT_H_ */


@@ -0,0 +1,267 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
** nssilock.h - Instrumented locking functions for NSS
**
** Description:
** nssilock provides instrumentation for locks and monitors in
** the NSS libraries. The instrumentation, when enabled, causes
** each call to the instrumented function to record data about
** the call to an external file. The external file
** subsequently used to extract performance data and other
** statistical information about the operation of locks used in
** the nss library.
**
** To enable compilation with instrumentation, build NSS with
** the compile time switch NEED_NSS_ILOCK defined.
**
** say: "gmake OS_CFLAGS+=-DNEED_NSS_ILOCK" at make time.
**
** At runtime, to enable recording from nssilock, one or more
** environment variables must be set. For each nssILockType to
** be recorded, an environment variable of the form NSS_ILOCK_x
** must be set to 1. For example:
**
** set NSS_ILOCK_Cert=1
**
** nssilock uses PRLOG is used to record to trace data. The
** PRLogModule name associated with nssilock data is: "nssilock".
** To enable recording of nssilock data you will need to set the
** environment variable NSPR_LOG_MODULES to enable
** recording for the nssilock log module. Similarly, you will
** need to set the environment variable NSPR_LOG_FILE to specify
** the filename to receive the recorded data. See prlog.h for usage.
** Example:
**
** export NSPR_LOG_MODULES=nssilock:6
** export NSPR_LOG_FILE=xxxLogfile
**
** Operation:
** nssilock wraps calls to NSPR's PZLock and PZMonitor functions
** with similarly named functions: PZ_NewLock(), etc. When NSS is
** built with lock instrumentation enabled, the PZ* functions are
** compiled into NSS; when lock instrumentation is disabled,
** calls to PZ* functions are directly mapped to PR* functions
** and the instrumentation arguments to the PZ* functions are
** compiled away.
**
**
** File Format:
** The format of the external file is implementation
** dependent. Where NSPR's PR_LOG() function is used, the file
** contains data defined for PR_LOG() plus the data written by
** the wrapped function. On some platforms and under some
** circumstances, platform dependent logging or
** instrumentation probes may be used. In any case, the
** relevant data provided by the lock instrumentation is:
**
** lockType, func, address, duration, line, file [heldTime]
**
** where:
**
** lockType: a character representation of nssILockType for the
** call. e.g. ... "cert"
**
** func: the function doing the tracing. e.g. "NewLock"
**
** address: address of the instrumented lock or monitor
**
** duration: is how long was spent in the instrumented function,
** in PRIntervalTime "ticks".
**
** line: the line number within the calling function
**
** file: the file from which the call was made
**
** heldTime: how long the lock/monitor was held. field
** present only for PZ_Unlock() and PZ_ExitMonitor().
**
** Design Notes:
** The design for lock instrumentation was influenced by the
** need to gather performance data on NSS 3.x. It is intended
** that the effort to modify NSS to use lock instrumentation
** be minimized. Existing calls to locking functions need only
** have their names changed to the instrumentation function
** names.
**
** Private NSS Interface:
** nssilock.h defines a private interface for use by NSS.
** nssilock.h is experimental in nature and is subject to
** change or revocation without notice. ... Don't mess with
** it.
**
*/
/*
* $Id:
*/
#ifndef _NSSILOCK_H_
#define _NSSILOCK_H_
#include "utilrename.h"
#include "prtypes.h"
#include "prmon.h"
#include "prlock.h"
#include "prcvar.h"
#include "nssilckt.h"
PR_BEGIN_EXTERN_C
#if defined(NEED_NSS_ILOCK)
#define PZ_NewLock(t) pz_NewLock((t), __FILE__, __LINE__)
extern PZLock *
pz_NewLock(
nssILockType ltype,
char *file,
PRIntn line);
#define PZ_Lock(k) pz_Lock((k), __FILE__, __LINE__)
extern void
pz_Lock(
PZLock *lock,
char *file,
PRIntn line);
#define PZ_Unlock(k) pz_Unlock((k), __FILE__, __LINE__)
extern PRStatus
pz_Unlock(
PZLock *lock,
char *file,
PRIntn line);
#define PZ_DestroyLock(k) pz_DestroyLock((k), __FILE__, __LINE__)
extern void
pz_DestroyLock(
PZLock *lock,
char *file,
PRIntn line);
#define PZ_NewCondVar(l) pz_NewCondVar((l), __FILE__, __LINE__)
extern PZCondVar *
pz_NewCondVar(
PZLock *lock,
char *file,
PRIntn line);
#define PZ_DestroyCondVar(v) pz_DestroyCondVar((v), __FILE__, __LINE__)
extern void
pz_DestroyCondVar(
PZCondVar *cvar,
char *file,
PRIntn line);
#define PZ_WaitCondVar(v, t) pz_WaitCondVar((v), (t), __FILE__, __LINE__)
extern PRStatus
pz_WaitCondVar(
PZCondVar *cvar,
PRIntervalTime timeout,
char *file,
PRIntn line);
#define PZ_NotifyCondVar(v) pz_NotifyCondVar((v), __FILE__, __LINE__)
extern PRStatus
pz_NotifyCondVar(
PZCondVar *cvar,
char *file,
PRIntn line);
#define PZ_NotifyAllCondVar(v) pz_NotifyAllCondVar((v), __FILE__, __LINE__)
extern PRStatus
pz_NotifyAllCondVar(
PZCondVar *cvar,
char *file,
PRIntn line);
#define PZ_NewMonitor(t) pz_NewMonitor((t), __FILE__, __LINE__)
extern PZMonitor *
pz_NewMonitor(
nssILockType ltype,
char *file,
PRIntn line);
#define PZ_DestroyMonitor(m) pz_DestroyMonitor((m), __FILE__, __LINE__)
extern void
pz_DestroyMonitor(
PZMonitor *mon,
char *file,
PRIntn line);
#define PZ_EnterMonitor(m) pz_EnterMonitor((m), __FILE__, __LINE__)
extern void
pz_EnterMonitor(
PZMonitor *mon,
char *file,
PRIntn line);
#define PZ_ExitMonitor(m) pz_ExitMonitor((m), __FILE__, __LINE__)
extern PRStatus
pz_ExitMonitor(
PZMonitor *mon,
char *file,
PRIntn line);
#define PZ_InMonitor(m) (PZ_GetMonitorEntryCount(m) > 0)
#define PZ_GetMonitorEntryCount(m) pz_GetMonitorEntryCount((m), __FILE__, __LINE__)
extern PRIntn
pz_GetMonitorEntryCount(
PZMonitor *mon,
char *file,
PRIntn line);
#define PZ_Wait(m, i) pz_Wait((m), ((i)), __FILE__, __LINE__)
extern PRStatus
pz_Wait(
PZMonitor *mon,
PRIntervalTime ticks,
char *file,
PRIntn line);
#define PZ_Notify(m) pz_Notify((m), __FILE__, __LINE__)
extern PRStatus
pz_Notify(
PZMonitor *mon,
char *file,
PRIntn line);
#define PZ_NotifyAll(m) pz_NotifyAll((m), __FILE__, __LINE__)
extern PRStatus
pz_NotifyAll(
PZMonitor *mon,
char *file,
PRIntn line);
#define PZ_TraceFlush() pz_TraceFlush()
extern void pz_TraceFlush(void);
#else /* NEED_NSS_ILOCK */
#define PZ_NewLock(t) PR_NewLock()
#define PZ_DestroyLock(k) PR_DestroyLock((k))
#define PZ_Lock(k) PR_Lock((k))
#define PZ_Unlock(k) PR_Unlock((k))
#define PZ_NewCondVar(l) PR_NewCondVar((l))
#define PZ_DestroyCondVar(v) PR_DestroyCondVar((v))
#define PZ_WaitCondVar(v, t) PR_WaitCondVar((v), (t))
#define PZ_NotifyCondVar(v) PR_NotifyCondVar((v))
#define PZ_NotifyAllCondVar(v) PR_NotifyAllCondVar((v))
#define PZ_NewMonitor(t) PR_NewMonitor()
#define PZ_DestroyMonitor(m) PR_DestroyMonitor((m))
#define PZ_EnterMonitor(m) PR_EnterMonitor((m))
#define PZ_ExitMonitor(m) PR_ExitMonitor((m))
#define PZ_InMonitor(m) PR_InMonitor((m))
#define PZ_Wait(m, t) PR_Wait(((m)), ((t)))
#define PZ_Notify(m) PR_Notify((m))
#define PZ_NotifyAll(m) PR_Notify((m))
#define PZ_TraceFlush() /* nothing */
#endif /* NEED_NSS_ILOCK */
PR_END_EXTERN_C
#endif /* _NSSILOCK_H_ */
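Review bot: In the non-instrumented branch `PZ_NotifyAll(m)` expands to `PR_Notify((m))`, the same expansion as `PZ_Notify`, so a build without NEED_NSS_ILOCK wakes at most one waiter where the caller asked for all of them. The instrumented branch declares a separate `pz_NotifyAll`, so the two build configurations can behave differently and a waiting thread may stay blocked. If that is not intentional, the line should read `#define PZ_NotifyAll(m) PR_NotifyAll((m))`. Separately, every `pz_*` prototype takes `char *file` although the macros always pass `__FILE__`; `const char *file` would match what is passed.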


@@ -0,0 +1,10 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* nsslocks.h - threadsafe functions to initialize lock pointers.
*
* NOTE - The interfaces formerly in this header were private and are now all
* obsolete.
*/


@@ -0,0 +1,33 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* Provide FIPS validated hashing for applications that only need hashing.
* NOTE: mac'ing requires keys and will not work in this interface.
* Also NOTE: this only works with Hashing. Only the FIPS interface is enabled.
*/
#ifndef _NSSLOWHASH_H_
#define _NSSLOWHASH_H_
typedef struct NSSLOWInitContextStr NSSLOWInitContext;
typedef struct NSSLOWHASHContextStr NSSLOWHASHContext;
NSSLOWInitContext *NSSLOW_Init(void);
void NSSLOW_Shutdown(NSSLOWInitContext *context);
void NSSLOW_Reset(NSSLOWInitContext *context);
NSSLOWHASHContext *NSSLOWHASH_NewContext(
NSSLOWInitContext *initContext,
HASH_HashType hashType);
void NSSLOWHASH_Begin(NSSLOWHASHContext *context);
void NSSLOWHASH_Update(NSSLOWHASHContext *context,
const unsigned char *buf,
unsigned int len);
void NSSLOWHASH_End(NSSLOWHASHContext *context,
unsigned char *buf,
unsigned int *ret, unsigned int len);
void NSSLOWHASH_Destroy(NSSLOWHASHContext *context);
unsigned int NSSLOWHASH_Length(NSSLOWHASHContext *context);
#endif
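Review bot: `NSSLOWHASH_End` returns `void` and the header does not say what `ret` and `len` mean, so a caller cannot tell from this file how large `buf` must be or how a too-small buffer is reported. Presumably `len` is the capacity of `buf` and `*ret` receives the number of bytes written; once that is confirmed against the implementation, a comment above the prototype such as `/* buf: output buffer of len bytes; *ret: bytes written; size buf with NSSLOWHASH_Length() */` would pin it down. The header also uses `HASH_HashType` without including the header that defines it, so it compiles only when that definition has already been seen.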


@@ -0,0 +1,132 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
** File: nsrwlock.h
** Description: API to basic reader-writer lock functions of NSS.
** These are re-entrant reader writer locks; that is,
** If I hold the write lock, I can ask for it and get it again.
** If I hold the write lock, I can also ask for and get a read lock.
** I can then release the locks in any order (read or write).
** I must release each lock type as many times as I acquired it.
** Otherwise, these are normal reader/writer locks.
**
** For deadlock detection, locks should be ranked, and no lock may be aquired
** while I hold a lock of higher rank number.
** If you don't want that feature, always use NSS_RWLOCK_RANK_NONE.
** Lock name is for debugging, and is optional (may be NULL)
**/
#ifndef nssrwlk_h___
#define nssrwlk_h___
#include "utilrename.h"
#include "prtypes.h"
#include "nssrwlkt.h"
#define NSS_RWLOCK_RANK_NONE 0
/* SEC_BEGIN_PROTOS */
PR_BEGIN_EXTERN_C
/***********************************************************************
** FUNCTION: NSSRWLock_New
** DESCRIPTION:
** Returns a pointer to a newly created reader-writer lock object.
** INPUTS: Lock rank
** Lock name
** OUTPUTS: void
** RETURN: NSSRWLock*
** If the lock cannot be created because of resource constraints, NULL
** is returned.
**
***********************************************************************/
extern NSSRWLock *NSSRWLock_New(PRUint32 lock_rank, const char *lock_name);
/***********************************************************************
** FUNCTION: NSSRWLock_AtomicCreate
** DESCRIPTION:
** Given the address of a NULL pointer to a NSSRWLock,
** atomically initializes that pointer to a newly created NSSRWLock.
** Returns the value placed into that pointer, or NULL.
**
** INPUTS: address of NSRWLock pointer
** Lock rank
** Lock name
** OUTPUTS: NSSRWLock*
** RETURN: NSSRWLock*
** If the lock cannot be created because of resource constraints,
** the pointer will be left NULL.
**
***********************************************************************/
extern NSSRWLock *
nssRWLock_AtomicCreate(NSSRWLock **prwlock,
PRUint32 lock_rank,
const char *lock_name);
/***********************************************************************
** FUNCTION: NSSRWLock_Destroy
** DESCRIPTION:
** Destroys a given RW lock object.
** INPUTS: NSSRWLock *lock - Lock to be freed.
** OUTPUTS: void
** RETURN: None
***********************************************************************/
extern void NSSRWLock_Destroy(NSSRWLock *lock);
/***********************************************************************
** FUNCTION: NSSRWLock_LockRead
** DESCRIPTION:
** Apply a read lock (non-exclusive) on a RWLock
** INPUTS: NSSRWLock *lock - Lock to be read-locked.
** OUTPUTS: void
** RETURN: None
***********************************************************************/
extern void NSSRWLock_LockRead(NSSRWLock *lock);
/***********************************************************************
** FUNCTION: NSSRWLock_LockWrite
** DESCRIPTION:
** Apply a write lock (exclusive) on a RWLock
** INPUTS: NSSRWLock *lock - Lock to write-locked.
** OUTPUTS: void
** RETURN: None
***********************************************************************/
extern void NSSRWLock_LockWrite(NSSRWLock *lock);
/***********************************************************************
** FUNCTION: NSSRWLock_UnlockRead
** DESCRIPTION:
** Release a Read lock. Unlocking an unlocked lock has undefined results.
** INPUTS: NSSRWLock *lock - Lock to unlocked.
** OUTPUTS: void
** RETURN: void
***********************************************************************/
extern void NSSRWLock_UnlockRead(NSSRWLock *lock);
/***********************************************************************
** FUNCTION: NSSRWLock_UnlockWrite
** DESCRIPTION:
** Release a Write lock. Unlocking an unlocked lock has undefined results.
** INPUTS: NSSRWLock *lock - Lock to unlocked.
** OUTPUTS: void
** RETURN: void
***********************************************************************/
extern void NSSRWLock_UnlockWrite(NSSRWLock *lock);
/***********************************************************************
** FUNCTION: NSSRWLock_HaveWriteLock
** DESCRIPTION:
** Tells caller whether the current thread holds the write lock, or not.
** INPUTS: NSSRWLock *lock - Lock to test.
** OUTPUTS: void
** RETURN: PRBool PR_TRUE IFF the current thread holds the write lock.
***********************************************************************/
extern PRBool NSSRWLock_HaveWriteLock(NSSRWLock *rwlock);
/* SEC_END_PROTOS */
PR_END_EXTERN_C
#endif /* nsrwlock_h___ */
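Review bot: The comment block headed `FUNCTION: NSSRWLock_AtomicCreate` documents a function that is declared as `nssRWLock_AtomicCreate`, so a reader searching for the documented name will not find it. The comment should use the declared spelling, `** FUNCTION: nssRWLock_AtomicCreate`. The closing `#endif /* nsrwlock_h___ */` also names a different guard from the `nssrwlk_h___` that opens the file. The lock-rank rule in the file header is the only deadlock guidance given, so it would help to state there whether rank checking is enforced in all builds or only in debug builds; that cannot be told from this header.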


@@ -0,0 +1,19 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef nssrwlkt_h___
#define nssrwlkt_h___
#include "utilrename.h"
#include "nssilock.h"
/*
* NSSRWLock --
*
* The reader writer lock, NSSRWLock, is an opaque object to the clients
* of NSS. All routines operate on a pointer to this opaque entity.
*/
typedef struct nssRWLockStr NSSRWLock;
#endif /* nsrwlock_h___ */


@@ -0,0 +1,41 @@
/*
* NSS utility functions
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef __nssutil_h_
#define __nssutil_h_
#ifndef RC_INVOKED
#include "seccomon.h"
#endif
/*
* NSS utilities's major version, minor version, patch level, build number,
* and whether this is a beta release.
*
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
#define NSSUTIL_VERSION "3.28.4"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 28
#define NSSUTIL_VPATCH 4
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_FALSE
SEC_BEGIN_PROTOS
/*
* Returns a const string of the UTIL library version.
*/
extern const char *NSSUTIL_GetVersion(void);
extern SECStatus
NSS_InitializePRErrorTable(void);
SEC_END_PROTOS
#endif /* __nssutil_h_ */
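Review bot: `NSSUTIL_VERSION "3.28.4"` shows this commit copies a fixed snapshot of the NSS headers into the tree, and nothing in the visible sections records where the snapshot came from or how it will be kept current. As far as I know 3.28.4 is a release from several years before this commit's date, so anything built or linked against these headers should be checked against the NSS version actually deployed, and against upstream security fixes since that release. I would record the provenance next to the copied tree, for example `/* Imported from NSS 3.28.4; source: <UPSTREAM_URL_PLACEHOLDER>; archive sha256: <HASH_PLACEHOLDER> */`, and note who owns updating it.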


@@ -0,0 +1,723 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* Interface to the OCSP implementation.
*/
#ifndef _OCSP_H_
#define _OCSP_H_
#include "plarena.h"
#include "seccomon.h"
#include "secoidt.h"
#include "keyt.h"
#include "certt.h"
#include "ocspt.h"
/************************************************************************/
SEC_BEGIN_PROTOS
/*
* This function registers the HttpClient with whose functions the
* HttpClientFcn structure has been populated as the default Http
* client.
*
* The function table must be a global object.
* The caller must ensure that NSS will be able to call
* the registered functions for the lifetime of the process.
*/
extern SECStatus
SEC_RegisterDefaultHttpClient(const SEC_HttpClientFcn *fcnTable);
/*
* This function obtains the HttpClient which has been registered
* by an earlier call to SEC_RegisterDefaultHttpClient.
*/
extern const SEC_HttpClientFcn *
SEC_GetRegisteredHttpClient(void);
/*
* Sets parameters that control NSS' internal OCSP cache.
* maxCacheEntries, special varlues are:
* -1 disable cache
* 0 unlimited cache entries
* minimumSecondsToNextFetchAttempt:
* whenever an OCSP request was attempted or completed over the network,
* wait at least this number of seconds before trying to fetch again.
* maximumSecondsToNextFetchAttempt:
* this is the maximum age of a cached response we allow, until we try
* to fetch an updated response, even if the OCSP responder expects
* that newer information update will not be available yet.
*/
extern SECStatus
CERT_OCSPCacheSettings(PRInt32 maxCacheEntries,
PRUint32 minimumSecondsToNextFetchAttempt,
PRUint32 maximumSecondsToNextFetchAttempt);
/*
* Set the desired behaviour on OCSP failures.
* See definition of ocspFailureMode for allowed choices.
*/
extern SECStatus
CERT_SetOCSPFailureMode(SEC_OcspFailureMode ocspFailureMode);
/*
* Configure the maximum time NSS will wait for an OCSP response.
*/
extern SECStatus
CERT_SetOCSPTimeout(PRUint32 seconds);
/*
* Removes all items currently stored in the OCSP cache.
*/
extern SECStatus
CERT_ClearOCSPCache(void);
/*
* FUNCTION: CERT_EnableOCSPChecking
* Turns on OCSP checking for the given certificate database.
* INPUTS:
* CERTCertDBHandle *handle
* Certificate database for which OCSP checking will be enabled.
* RETURN:
* Returns SECFailure if an error occurred (likely only problem
* allocating memory); SECSuccess otherwise.
*/
extern SECStatus
CERT_EnableOCSPChecking(CERTCertDBHandle *handle);
/*
* FUNCTION: CERT_DisableOCSPChecking
* Turns off OCSP checking for the given certificate database.
* This routine disables OCSP checking. Though it will return
* SECFailure if OCSP checking is not enabled, it is "safe" to
* call it that way and just ignore the return value, if it is
* easier to just call it than to "remember" whether it is enabled.
* INPUTS:
* CERTCertDBHandle *handle
* Certificate database for which OCSP checking will be disabled.
* RETURN:
* Returns SECFailure if an error occurred (usually means that OCSP
* checking was not enabled or status contexts were not initialized --
* error set will be SEC_ERROR_OCSP_NOT_ENABLED); SECSuccess otherwise.
*/
extern SECStatus
CERT_DisableOCSPChecking(CERTCertDBHandle *handle);
/*
* FUNCTION: CERT_SetOCSPDefaultResponder
* Specify the location and cert of the default responder.
* If OCSP checking is already enabled *and* use of a default responder
* is also already enabled, all OCSP checking from now on will go directly
* to the specified responder. If OCSP checking is not enabled, or if
* it is but use of a default responder is not enabled, the information
* will be recorded and take effect whenever both are enabled.
* INPUTS:
* CERTCertDBHandle *handle
* Cert database on which OCSP checking should use the default responder.
* const char *url
* The location of the default responder (e.g. "http://foo.com:80/ocsp")
* Note that the location will not be tested until the first attempt
* to send a request there.
* const char *name
* The nickname of the cert to trust (expected) to sign the OCSP responses.
* If the corresponding cert cannot be found, SECFailure is returned.
* RETURN:
* Returns SECFailure if an error occurred; SECSuccess otherwise.
* The most likely error is that the cert for "name" could not be found
* (probably SEC_ERROR_UNKNOWN_CERT). Other errors are low-level (no memory,
* bad database, etc.).
*/
extern SECStatus
CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
const char *url, const char *name);
/*
* FUNCTION: CERT_EnableOCSPDefaultResponder
* Turns on use of a default responder when OCSP checking.
* If OCSP checking is already enabled, this will make subsequent checks
* go directly to the default responder. (The location of the responder
* and the nickname of the responder cert must already be specified.)
* If OCSP checking is not enabled, this will be recorded and take effect
* whenever it is enabled.
* INPUTS:
* CERTCertDBHandle *handle
* Cert database on which OCSP checking should use the default responder.
* RETURN:
* Returns SECFailure if an error occurred; SECSuccess otherwise.
* No errors are especially likely unless the caller did not previously
* perform a successful call to SetOCSPDefaultResponder (in which case
* the error set will be SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER).
*/
extern SECStatus
CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle);
/*
* FUNCTION: CERT_DisableOCSPDefaultResponder
* Turns off use of a default responder when OCSP checking.
* (Does nothing if use of a default responder is not enabled.)
* INPUTS:
* CERTCertDBHandle *handle
* Cert database on which OCSP checking should stop using a default
* responder.
* RETURN:
* Returns SECFailure if an error occurred; SECSuccess otherwise.
* Errors very unlikely (like random memory corruption...).
*/
extern SECStatus
CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle);
/* If forcePost is set, OCSP requests will only be sent using the HTTP POST
* method. When forcePost is not set, OCSP requests will be sent using the
* HTTP GET method, with a fallback to POST when we fail to receive a response
* and/or when we receive an uncacheable response like "Unknown."
*
* The default is to use GET and fallback to POST.
*/
extern SECStatus CERT_ForcePostMethodForOCSP(PRBool forcePost);
/*
* -------------------------------------------------------
* The Functions above are those expected to be used by a client
* providing OCSP status checking along with every cert verification.
* The functions below are for OCSP testing, debugging, or clients
* or servers performing more specialized OCSP tasks.
* -------------------------------------------------------
*/
/*
* FUNCTION: CERT_CreateOCSPRequest
* Creates a CERTOCSPRequest, requesting the status of the certs in
* the given list.
* INPUTS:
* CERTCertList *certList
* A list of certs for which status will be requested.
* Note that all of these certificates should have the same issuer,
* or it's expected the response will be signed by a trusted responder.
* If the certs need to be broken up into multiple requests, that
* must be handled by the caller (and thus by having multiple calls
* to this routine), who knows about where the request(s) are being
* sent and whether there are any trusted responders in place.
* PRTime time
* Indicates the time for which the certificate status is to be
* determined -- this may be used in the search for the cert's issuer
* but has no effect on the request itself.
* PRBool addServiceLocator
* If true, the Service Locator extension should be added to the
* single request(s) for each cert.
* CERTCertificate *signerCert
* If non-NULL, means sign the request using this cert. Otherwise,
* do not sign.
* XXX note that request signing is not yet supported; see comment in code
* RETURN:
* A pointer to a CERTOCSPRequest structure containing an OCSP request
* for the cert list. On error, null is returned, with an error set
* indicating the reason. This is likely SEC_ERROR_UNKNOWN_ISSUER.
* (The issuer is needed to create a request for the certificate.)
* Other errors are low-level problems (no memory, bad database, etc.).
*/
extern CERTOCSPRequest *
CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time,
PRBool addServiceLocator,
CERTCertificate *signerCert);
/*
* FUNCTION: CERT_AddOCSPAcceptableResponses
* Add the AcceptableResponses extension to an OCSP Request.
* INPUTS:
* CERTOCSPRequest *request
* The request to which the extension should be added.
* SECOidTag responseType0, ...
* A list (of one or more) of SECOidTag -- each of the response types
* to be added. The last OID *must* be SEC_OID_PKIX_OCSP_BASIC_RESPONSE.
* (This marks the end of the list, and it must be specified because a
* client conforming to the OCSP standard is required to handle the basic
* response type.) The OIDs are not checked in any way.
* RETURN:
* SECSuccess if the extension is added; SECFailure if anything goes wrong.
* All errors are internal or low-level problems (e.g. no memory).
*/
extern SECStatus
CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request,
SECOidTag responseType0, ...);
/*
* FUNCTION: CERT_EncodeOCSPRequest
* DER encodes an OCSP Request, possibly adding a signature as well.
* XXX Signing is not yet supported, however; see comments in code.
* INPUTS:
* PLArenaPool *arena
* The return value is allocated from here.
* If a NULL is passed in, allocation is done from the heap instead.
* CERTOCSPRequest *request
* The request to be encoded.
* void *pwArg
* Pointer to argument for password prompting, if needed. (Definitely
* not needed if not signing.)
* RETURN:
* Returns a NULL on error and a pointer to the SECItem with the
* encoded value otherwise. Any error is likely to be low-level
* (e.g. no memory).
*/
extern SECItem *
CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request,
void *pwArg);
/*
* FUNCTION: CERT_DecodeOCSPRequest
* Decode a DER encoded OCSP Request.
* INPUTS:
* SECItem *src
* Pointer to a SECItem holding DER encoded OCSP Request.
* RETURN:
* Returns a pointer to a CERTOCSPRequest containing the decoded request.
* On error, returns NULL. Most likely error is trouble decoding
* (SEC_ERROR_OCSP_MALFORMED_REQUEST), or low-level problem (no memory).
*/
extern CERTOCSPRequest *
CERT_DecodeOCSPRequest(const SECItem *src);
/*
* FUNCTION: CERT_DestroyOCSPRequest
* Frees an OCSP Request structure.
* INPUTS:
* CERTOCSPRequest *request
* Pointer to CERTOCSPRequest to be freed.
* RETURN:
* No return value; no errors.
*/
extern void
CERT_DestroyOCSPRequest(CERTOCSPRequest *request);
/*
* FUNCTION: CERT_DecodeOCSPResponse
* Decode a DER encoded OCSP Response.
* INPUTS:
* SECItem *src
* Pointer to a SECItem holding DER encoded OCSP Response.
* RETURN:
* Returns a pointer to a CERTOCSPResponse (the decoded OCSP Response);
* the caller is responsible for destroying it. Or NULL if error (either
* response could not be decoded (SEC_ERROR_OCSP_MALFORMED_RESPONSE),
* it was of an unexpected type (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE),
* or a low-level or internal error occurred).
*/
extern CERTOCSPResponse *
CERT_DecodeOCSPResponse(const SECItem *src);
/*
* FUNCTION: CERT_DestroyOCSPResponse
* Frees an OCSP Response structure.
* INPUTS:
* CERTOCSPResponse *request
* Pointer to CERTOCSPResponse to be freed.
* RETURN:
* No return value; no errors.
*/
extern void
CERT_DestroyOCSPResponse(CERTOCSPResponse *response);
/*
* FUNCTION: CERT_GetEncodedOCSPResponse
* Creates and sends a request to an OCSP responder, then reads and
* returns the (encoded) response.
* INPUTS:
* PLArenaPool *arena
* Pointer to arena from which return value will be allocated.
* If NULL, result will be allocated from the heap (and thus should
* be freed via SECITEM_FreeItem).
* CERTCertList *certList
* A list of certs for which status will be requested.
* Note that all of these certificates should have the same issuer,
* or it's expected the response will be signed by a trusted responder.
* If the certs need to be broken up into multiple requests, that
* must be handled by the caller (and thus by having multiple calls
* to this routine), who knows about where the request(s) are being
* sent and whether there are any trusted responders in place.
* const char *location
* The location of the OCSP responder (a URL).
* PRTime time
* Indicates the time for which the certificate status is to be
* determined -- this may be used in the search for the cert's issuer
* but has no other bearing on the operation.
* PRBool addServiceLocator
* If true, the Service Locator extension should be added to the
* single request(s) for each cert.
* CERTCertificate *signerCert
* If non-NULL, means sign the request using this cert. Otherwise,
* do not sign.
* void *pwArg
* Pointer to argument for password prompting, if needed. (Definitely
* not needed if not signing.)
* OUTPUTS:
* CERTOCSPRequest **pRequest
* Pointer in which to store the OCSP request created for the given
* list of certificates. It is only filled in if the entire operation
* is successful and the pointer is not null -- and in that case the
* caller is then reponsible for destroying it.
* RETURN:
* Returns a pointer to the SECItem holding the response.
* On error, returns null with error set describing the reason:
* SEC_ERROR_UNKNOWN_ISSUER
* SEC_ERROR_CERT_BAD_ACCESS_LOCATION
* SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
* Other errors are low-level problems (no memory, bad database, etc.).
*/
extern SECItem *
CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList,
const char *location, PRTime time,
PRBool addServiceLocator,
CERTCertificate *signerCert, void *pwArg,
CERTOCSPRequest **pRequest);
/*
* FUNCTION: CERT_VerifyOCSPResponseSignature
* Check the signature on an OCSP Response. Will also perform a
* verification of the signer's certificate. Note, however, that a
* successful verification does not make any statement about the
* signer's *authority* to provide status for the certificate(s),
* that must be checked individually for each certificate.
* INPUTS:
* CERTOCSPResponse *response
* Pointer to response structure with signature to be checked.
* CERTCertDBHandle *handle
* Pointer to CERTCertDBHandle for certificate DB to use for verification.
* void *pwArg
* Pointer to argument for password prompting, if needed.
* CERTCertificate *issuerCert
* Issuer of the certificate that generated the OCSP request.
* OUTPUTS:
* CERTCertificate **pSignerCert
* Pointer in which to store signer's certificate; only filled-in if
* non-null.
* RETURN:
* Returns SECSuccess when signature is valid, anything else means invalid.
* Possible errors set:
* SEC_ERROR_OCSP_MALFORMED_RESPONSE - unknown type of ResponderID
* SEC_ERROR_INVALID_TIME - bad format of "ProducedAt" time
* SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found
* SEC_ERROR_BAD_SIGNATURE - the signature did not verify
* Other errors are any of the many possible failures in cert verification
* (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
* verifying the signer's cert, or low-level problems (no memory, etc.)
*/
extern SECStatus
CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,
CERTCertDBHandle *handle, void *pwArg,
CERTCertificate **pSignerCert,
CERTCertificate *issuerCert);
/*
* FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation
* Get the value of the URI of the OCSP responder for the given cert.
* This is found in the (optional) Authority Information Access extension
* in the cert.
* INPUTS:
* CERTCertificate *cert
* The certificate being examined.
* RETURN:
* char *
* A copy of the URI for the OCSP method, if found. If either the
* extension is not present or it does not contain an entry for OCSP,
* SEC_ERROR_EXTENSION_NOT_FOUND will be set and a NULL returned.
* Any other error will also result in a NULL being returned.
*
* This result should be freed (via PORT_Free) when no longer in use.
*/
extern char *
CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert);
/*
* FUNCTION: CERT_RegisterAlternateOCSPAIAInfoCallBack
* This function serves two purposes.
* 1) It registers the address of a callback function that will be
* called for certs that have no OCSP AIA extension, to see if the
* callback wishes to supply an alternative URL for such an OCSP inquiry.
* 2) It outputs the previously registered function's address to the
* address supplied by the caller, unless that is NULL.
* The registered callback function returns NULL, or an allocated string
* that may be subsequently freed by calling PORT_Free().
* RETURN:
* SECSuccess or SECFailure (if the library is not yet intialized)
*/
extern SECStatus
CERT_RegisterAlternateOCSPAIAInfoCallBack(
CERT_StringFromCertFcn newCallback,
CERT_StringFromCertFcn *oldCallback);
/*
* FUNCTION: CERT_ParseURL
* Parse a URI into hostname, port, and path. The scheme in the URI must
* be "http".
* INPUTS:
* const char *url
* The URI to be parsed
* OUTPUTS:
* char **pHostname
* Pointer to store the hostname obtained from the URI.
* This result should be freed (via PORT_Free) when no longer in use.
* PRUint16 *pPort
* Pointer to store the port number obtained from the URI.
* char **pPath
* Pointer to store the path obtained from the URI.
* This result should be freed (via PORT_Free) when no longer in use.
* RETURN:
* Returns SECSuccess when parsing was successful. Returns SECFailure when
* problems were encountered.
*/
extern SECStatus
CERT_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath);
/*
* FUNCTION: CERT_CheckOCSPStatus
* Checks the status of a certificate via OCSP. Will only check status for
* a certificate that has an AIA (Authority Information Access) extension
* for OCSP *or* when a "default responder" is specified and enabled.
* (If no AIA extension for OCSP and no default responder in place, the
* cert is considered to have a good status and SECSuccess is returned.)
* INPUTS:
* CERTCertDBHandle *handle
* certificate DB of the cert that is being checked
* CERTCertificate *cert
* the certificate being checked
* XXX in the long term also need a boolean parameter that specifies
* whether to check the cert chain, as well; for now we check only
* the leaf (the specified certificate)
* PRTime time
* time for which status is to be determined
* void *pwArg
* argument for password prompting, if needed
* RETURN:
* Returns SECSuccess if an approved OCSP responder "knows" the cert
* *and* returns a non-revoked status for it; SECFailure otherwise,
* with an error set describing the reason:
*
* SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
* SEC_ERROR_OCSP_FUTURE_RESPONSE
* SEC_ERROR_OCSP_MALFORMED_REQUEST
* SEC_ERROR_OCSP_MALFORMED_RESPONSE
* SEC_ERROR_OCSP_OLD_RESPONSE
* SEC_ERROR_OCSP_REQUEST_NEEDS_SIG
* SEC_ERROR_OCSP_SERVER_ERROR
* SEC_ERROR_OCSP_TRY_SERVER_LATER
* SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
* SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
* SEC_ERROR_OCSP_UNKNOWN_CERT
* SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
* SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE
*
* SEC_ERROR_BAD_SIGNATURE
* SEC_ERROR_CERT_BAD_ACCESS_LOCATION
* SEC_ERROR_INVALID_TIME
* SEC_ERROR_REVOKED_CERTIFICATE
* SEC_ERROR_UNKNOWN_ISSUER
* SEC_ERROR_UNKNOWN_SIGNER
*
* Other errors are any of the many possible failures in cert verification
* (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
* verifying the signer's cert, or low-level problems (error allocating
* memory, error performing ASN.1 decoding, etc.).
*/
extern SECStatus
CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
PRTime time, void *pwArg);
/*
* FUNCTION: CERT_CacheOCSPResponseFromSideChannel
* First, this function checks the OCSP cache to see if a good response
* for the given certificate already exists. If it does, then the function
* returns successfully.
*
* If not, then it validates that the given OCSP response is a valid,
* good response for the given certificate and inserts it into the
* cache.
*
* This function is intended for use when OCSP responses are provided via a
* side-channel, i.e. TLS OCSP stapling (a.k.a. the status_request extension).
*
* INPUTS:
* CERTCertDBHandle *handle
* certificate DB of the cert that is being checked
* CERTCertificate *cert
* the certificate being checked
* PRTime time
* time for which status is to be determined
* SECItem *encodedResponse
* the DER encoded bytes of the OCSP response
* void *pwArg
* argument for password prompting, if needed
* RETURN:
* SECSuccess if the cert was found in the cache, or if the OCSP response was
* found to be valid and inserted into the cache. SECFailure otherwise.
*/
extern SECStatus
CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
CERTCertificate *cert,
PRTime time,
const SECItem *encodedResponse,
void *pwArg);
/*
* FUNCTION: CERT_GetOCSPStatusForCertID
* Returns the OCSP status contained in the passed in parameter response
* that corresponds to the certID passed in.
* INPUTS:
* CERTCertDBHandle *handle
* certificate DB of the cert that is being checked
* CERTOCSPResponse *response
* the OCSP response we want to retrieve status from.
* CERTOCSPCertID *certID
* the ID we want to look for from the response.
* CERTCertificate *signerCert
* the certificate that was used to sign the OCSP response.
* must be obtained via a call to CERT_VerifyOCSPResponseSignature.
* PRTime time
* The time at which we're checking the status for.
* RETURN:
* Return values are the same as those for CERT_CheckOCSPStatus
*/
extern SECStatus
CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle,
CERTOCSPResponse *response,
CERTOCSPCertID *certID,
CERTCertificate *signerCert,
PRTime time);
/*
* FUNCTION CERT_GetOCSPResponseStatus
* Returns the response status for the response passed.
* INPUTS:
* CERTOCSPResponse *response
* The response to query for status
* RETURN:
* Returns SECSuccess if the response has a successful status value.
* Otherwise it returns SECFailure and sets one of the following error
* codes via PORT_SetError
* SEC_ERROR_OCSP_MALFORMED_REQUEST
* SEC_ERROR_OCSP_SERVER_ERROR
* SEC_ERROR_OCSP_TRY_SERVER_LATER
* SEC_ERROR_OCSP_REQUEST_NEEDS_SIG
* SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
* SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
*/
extern SECStatus
CERT_GetOCSPResponseStatus(CERTOCSPResponse *response);
/*
* FUNCTION CERT_CreateOCSPCertID
* Returns the OCSP certID for the certificate passed in.
* INPUTS:
* CERTCertificate *cert
* The certificate for which to create the certID for.
* PRTime time
* The time at which the id is requested for. This is used
* to determine the appropriate issuer for the cert since
* the issuing CA may be an older expired certificate.
* RETURN:
* A new copy of a CERTOCSPCertID*. The memory for this certID
* should be freed by calling CERT_DestroyOCSPCertID when the
* certID is no longer necessary.
*/
extern CERTOCSPCertID *
CERT_CreateOCSPCertID(CERTCertificate *cert, PRTime time);
/*
* FUNCTION: CERT_DestroyOCSPCertID
* Frees the memory associated with the certID passed in.
* INPUTS:
* CERTOCSPCertID* certID
* The certID that the caller no longer needs and wants to
* free the associated memory.
* RETURN:
* SECSuccess if freeing the memory was successful. Returns
* SECFailure if the memory passed in was not allocated with
* a call to CERT_CreateOCSPCertID.
*/
extern SECStatus
CERT_DestroyOCSPCertID(CERTOCSPCertID *certID);
extern CERTOCSPSingleResponse *
CERT_CreateOCSPSingleResponseGood(PLArenaPool *arena,
CERTOCSPCertID *id,
PRTime thisUpdate,
const PRTime *nextUpdate);
extern CERTOCSPSingleResponse *
CERT_CreateOCSPSingleResponseUnknown(PLArenaPool *arena,
CERTOCSPCertID *id,
PRTime thisUpdate,
const PRTime *nextUpdate);
extern CERTOCSPSingleResponse *
CERT_CreateOCSPSingleResponseRevoked(
PLArenaPool *arena,
CERTOCSPCertID *id,
PRTime thisUpdate,
const PRTime *nextUpdate,
PRTime revocationTime,
const CERTCRLEntryReasonCode *revocationReason);
extern SECItem *
CERT_CreateEncodedOCSPSuccessResponse(
PLArenaPool *arena,
CERTCertificate *responderCert,
CERTOCSPResponderIDType responderIDType,
PRTime producedAt,
CERTOCSPSingleResponse **responses,
void *wincx);
/*
* FUNCTION: CERT_CreateEncodedOCSPErrorResponse
* Creates an encoded OCSP response with an error response status.
* INPUTS:
* PLArenaPool *arena
* The return value is allocated from here.
* If a NULL is passed in, allocation is done from the heap instead.
* int error
* An NSS error code indicating an error response status. The error
* code is mapped to an OCSP response status as follows:
* SEC_ERROR_OCSP_MALFORMED_REQUEST -> malformedRequest
* SEC_ERROR_OCSP_SERVER_ERROR -> internalError
* SEC_ERROR_OCSP_TRY_SERVER_LATER -> tryLater
* SEC_ERROR_OCSP_REQUEST_NEEDS_SIG -> sigRequired
* SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST -> unauthorized
* where the OCSP response status is an enumerated type defined in
* RFC 2560:
* OCSPResponseStatus ::= ENUMERATED {
* successful (0), --Response has valid confirmations
* malformedRequest (1), --Illegal confirmation request
* internalError (2), --Internal error in issuer
* tryLater (3), --Try again later
* --(4) is not used
* sigRequired (5), --Must sign the request
* unauthorized (6) --Request unauthorized
* }
* RETURN:
* Returns a pointer to the SECItem holding the response.
* On error, returns null with error set describing the reason:
* SEC_ERROR_INVALID_ARGS
* Other errors are low-level problems (no memory, bad database, etc.).
*/
extern SECItem *
CERT_CreateEncodedOCSPErrorResponse(PLArenaPool *arena, int error);
/* Sends an OCSP request using the HTTP POST method to the location addressed
* by the URL in |location| parameter. The request body will be
* |encodedRequest|, which must be a valid encoded OCSP request. On success,
* the server's response is returned and the caller must free it using
* SECITEM_FreeItem. On failure, NULL is returned. No parsing or validation of
* the HTTP response is done.
*
* If a default HTTP client has been registered with
* SEC_RegisterDefaultHttpClient then that client is used. Otherwise, an
* internal HTTP client is used.
*/
SECItem *CERT_PostOCSPRequest(PLArenaPool *arena, const char *location,
const SECItem *encodedRequest);
/************************************************************************/
SEC_END_PROTOS
#endif /* _OCSP_H_ */


@@ -0,0 +1,301 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* Public header for exported OCSP types.
*/
#ifndef _OCSPT_H_
#define _OCSPT_H_
/*
* The following are all opaque types. If someone needs to get at
* a field within, then we need to fix the API. Try very hard not
* make the type available to them.
*/
typedef struct CERTOCSPRequestStr CERTOCSPRequest;
typedef struct CERTOCSPResponseStr CERTOCSPResponse;
/*
* XXX I think only those first two above should need to be exported,
* but until I know for certain I am leaving the rest of these here, too.
*/
typedef struct CERTOCSPCertIDStr CERTOCSPCertID;
typedef struct CERTOCSPSingleResponseStr CERTOCSPSingleResponse;
/*
* This interface is described in terms of an HttpClient which
* supports at least a specified set of functions. (An implementer may
* provide HttpClients with additional functionality accessible only to
* users with a particular implementation in mind.) The basic behavior
* is provided by defining a set of functions, listed in an
* SEC_HttpServerFcnStruct. If the implementor of a SpecificHttpClient
* registers his SpecificHttpClient as the default HttpClient, then his
* functions will be called by the user of an HttpClient, such as an
* OCSPChecker.
*
* The implementer of a specific HttpClient (e.g., the NSS-provided
* DefaultHttpClient), populates an SEC_HttpClientFcnStruct, uses it to
* register his client, and waits for his functions to be called.
*
* For future expandability, the SEC_HttpClientFcnStruct is defined as a
* union, with the version field acting as a selector. The proposed
* initial version of the structure is given following the definition
* of the union. The HttpClientState structure is implementation-
* dependent, and should be opaque to the user.
*/
typedef void *SEC_HTTP_SERVER_SESSION;
typedef void *SEC_HTTP_REQUEST_SESSION;
/*
* This function creates a SEC_HTTP_SERVER_SESSION object. The implementer of a
* specific HttpClient will allocate the necessary space, when this
* function is called, and will free it when the corresponding FreeFcn
* is called. The SEC_HTTP_SERVER_SESSION object is passed, as an opaque object,
* to subsequent calls.
*
* If the function returns SECSuccess, the returned SEC_HTTP_SERVER_SESSION
* must be cleaned up with a call to SEC_HttpServer_FreeSession,
* after processing is finished.
*/
typedef SECStatus (*SEC_HttpServer_CreateSessionFcn)(
const char *host,
PRUint16 portnum,
SEC_HTTP_SERVER_SESSION *pSession);
/*
* This function is called to allow the implementation to attempt to keep
* the connection alive. Depending on the underlying platform, it might
* immediately return SECSuccess without having performed any operations.
* (If a connection has not been kept alive, a subsequent call to
* SEC_HttpRequest_TrySendAndReceiveFcn should reopen the connection
* automatically.)
*
* If the connection uses nonblocking I/O, this function may return
* SECWouldBlock and store a nonzero value at "pPollDesc". In that case
* the caller may wait on the poll descriptor, and should call this function
* again until SECSuccess (and a zero value at "pPollDesc") is obtained.
*/
typedef SECStatus (*SEC_HttpServer_KeepAliveSessionFcn)(
SEC_HTTP_SERVER_SESSION session,
PRPollDesc **pPollDesc);
/*
* This function frees the client SEC_HTTP_SERVER_SESSION object, closes all
* SEC_HTTP_REQUEST_SESSIONs created for that server, discards all partial results,
* frees any memory that was allocated by the client, and invalidates any
* response pointers that might have been returned by prior server or request
* functions.
*/
typedef SECStatus (*SEC_HttpServer_FreeSessionFcn)(
SEC_HTTP_SERVER_SESSION session);
/*
* This function creates a SEC_HTTP_REQUEST_SESSION object. The implementer of a
* specific HttpClient will allocate the necessary space, when this
* function is called, and will free it when the corresponding FreeFcn
* is called. The SEC_HTTP_REQUEST_SESSION object is passed, as an opaque object,
* to subsequent calls.
*
* An implementation that does not support the requested protocol variant
* (usually "http", but could eventually allow "https") or request method
* should return SECFailure.
*
* Timeout values may include the constants PR_INTERVAL_NO_TIMEOUT (wait
* forever) or PR_INTERVAL_NO_WAIT (nonblocking I/O).
*
* If the function returns SECSuccess, the returned SEC_HTTP_REQUEST_SESSION
* must be cleaned up with a call to SEC_HttpRequest_FreeSession,
* after processing is finished.
*/
typedef SECStatus (*SEC_HttpRequest_CreateFcn)(
SEC_HTTP_SERVER_SESSION session,
const char *http_protocol_variant, /* usually "http" */
const char *path_and_query_string,
const char *http_request_method,
const PRIntervalTime timeout,
SEC_HTTP_REQUEST_SESSION *pRequest);
/*
* This function sets data to be sent to the server for an HTTP request
* of http_request_method == POST. If a particular implementation
* supports it, the details for the POST request can be set by calling
* this function, prior to activating the request with TrySendAndReceiveFcn.
*
* An implementation that does not support the POST method should
* implement a SetPostDataFcn function that returns immediately.
*
* Setting http_content_type is optional, the parameter may
* by NULL or the empty string.
*/
typedef SECStatus (*SEC_HttpRequest_SetPostDataFcn)(
SEC_HTTP_REQUEST_SESSION request,
const char *http_data,
const PRUint32 http_data_len,
const char *http_content_type);
/*
* This function sets an additional HTTP protocol request header.
* If a particular implementation supports it, one or multiple headers
* can be added to the request by calling this function once or multiple
* times, prior to activating the request with TryFcn.
*
* An implementation that does not support setting additional headers
* should implement an AddRequestHeaderFcn function that returns immediately.
*/
typedef SECStatus (*SEC_HttpRequest_AddHeaderFcn)(
SEC_HTTP_REQUEST_SESSION request,
const char *http_header_name,
const char *http_header_value);
/*
* This function initiates or continues an HTTP request. After
* parameters have been set with the Create function and, optionally,
* modified or enhanced with the AddParams function, this call creates
* the socket connection and initiates the communication.
*
* If a timeout value of zero is specified, indicating non-blocking
* I/O, the client creates a non-blocking socket, and returns a status
* of SECWouldBlock and a non-NULL PRPollDesc if the operation is not
* complete. In that case all other return parameters are undefined.
* The caller is expected to repeat the call, possibly after using
* PRPoll to determine that a completion has occurred, until a return
* value of SECSuccess (and a NULL value for pPollDesc) or a return
* value of SECFailure (indicating failure on the network level)
* is obtained.
*
* http_response_data_len is both input and output parameter.
* If a pointer to a PRUint32 is supplied, the http client is
* expected to check the given integer value and always set an out
* value, even on failure.
* An input value of zero means, the caller will accept any response len.
* A different input value indicates the maximum response value acceptable
* to the caller.
* If data is successfully read and the size is acceptable to the caller,
* the function will return SECSuccess and set http_response_data_len to
* the size of the block returned in http_response_data.
* If the data read from the http server is larger than the acceptable
* size, the function will return SECFailure.
* http_response_data_len will be set to a value different from zero to
* indicate the reason of the failure.
* An out value of "0" means, the failure was unrelated to the
* acceptable size.
* An out value of "1" means, the result data is larger than the
* accpeptable size, but the real size is not yet known to the http client
* implementation and it stopped retrieving it,
* Any other out value combined with a return value of SECFailure
* will indicate the actual size of the server data.
*
* The caller is permitted to provide NULL values for any of the
* http_response arguments, indicating the caller is not interested in
* those values. If the caller does provide an address, the HttpClient
* stores at that address a pointer to the corresponding argument, at
* the completion of the operation.
*
* All returned pointers will be owned by the the HttpClient
* implementation and will remain valid until the call to
* SEC_HttpRequest_FreeFcn.
*/
typedef SECStatus (*SEC_HttpRequest_TrySendAndReceiveFcn)(
SEC_HTTP_REQUEST_SESSION request,
PRPollDesc **pPollDesc,
PRUint16 *http_response_code,
const char **http_response_content_type,
const char **http_response_headers,
const char **http_response_data,
PRUint32 *http_response_data_len);
/*
* Calling CancelFcn asks for premature termination of the request.
*
* Future calls to SEC_HttpRequest_TrySendAndReceive should
* by avoided, but in this case the HttpClient implementation
* is expected to return immediately with SECFailure.
*
* After calling CancelFcn, a separate call to SEC_HttpRequest_FreeFcn
* is still necessary to free resources.
*/
typedef SECStatus (*SEC_HttpRequest_CancelFcn)(
SEC_HTTP_REQUEST_SESSION request);
/*
* Before calling this function, it must be assured the request
* has been completed, i.e. either SEC_HttpRequest_TrySendAndReceiveFcn has
* returned SECSuccess, or the request has been canceled with
* a call to SEC_HttpRequest_CancelFcn.
*
* This function frees the client state object, closes all sockets,
* discards all partial results, frees any memory that was allocated
* by the client, and invalidates all response pointers that might
* have been returned by SEC_HttpRequest_TrySendAndReceiveFcn
*/
typedef SECStatus (*SEC_HttpRequest_FreeFcn)(
SEC_HTTP_REQUEST_SESSION request);
typedef struct SEC_HttpClientFcnV1Struct {
SEC_HttpServer_CreateSessionFcn createSessionFcn;
SEC_HttpServer_KeepAliveSessionFcn keepAliveSessionFcn;
SEC_HttpServer_FreeSessionFcn freeSessionFcn;
SEC_HttpRequest_CreateFcn createFcn;
SEC_HttpRequest_SetPostDataFcn setPostDataFcn;
SEC_HttpRequest_AddHeaderFcn addHeaderFcn;
SEC_HttpRequest_TrySendAndReceiveFcn trySendAndReceiveFcn;
SEC_HttpRequest_CancelFcn cancelFcn;
SEC_HttpRequest_FreeFcn freeFcn;
} SEC_HttpClientFcnV1;
typedef struct SEC_HttpClientFcnStruct {
PRInt16 version;
union {
SEC_HttpClientFcnV1 ftable1;
/* SEC_HttpClientFcnV2 ftable2; */
/* ... */
} fcnTable;
} SEC_HttpClientFcn;
/*
* ocspMode_FailureIsVerificationFailure:
* This is the classic behaviour of NSS.
* Any OCSP failure is a verification failure (classic mode, default).
* Without a good response, OCSP networking will be retried each time
* it is required for verifying a cert.
*
* ocspMode_FailureIsNotAVerificationFailure:
* If we fail to obtain a valid OCSP response, consider the
* cert as good.
* Failed OCSP attempts might get cached and not retried until
* minimumSecondsToNextFetchAttempt.
* If we are able to obtain a valid response, the cert
* will be considered good, if either status is "good"
* or the cert was not yet revoked at verification time.
*
* Additional failure modes might be added in the future.
*/
typedef enum {
ocspMode_FailureIsVerificationFailure = 0,
ocspMode_FailureIsNotAVerificationFailure = 1
} SEC_OcspFailureMode;
/*
* A ResponderID identifies the responder -- or more correctly, the
* signer of the response. The ASN.1 definition of a ResponderID is:
*
* ResponderID ::= CHOICE {
* byName [1] EXPLICIT Name,
* byKey [2] EXPLICIT KeyHash }
*
* Because it is CHOICE, the type of identification used and the
* identification itself are actually encoded together. To represent
* this same information internally, we explicitly define a type and
* save it, along with the value, into a data structure.
*/
typedef enum {
ocspResponderID_other = -1, /* unknown kind of responderID */
ocspResponderID_byName = 1,
ocspResponderID_byKey = 2
} CERTOCSPResponderIDType;
#endif /* _OCSPT_H_ */
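Review bot: The comment above `SEC_OcspFailureMode` documents `ocspMode_FailureIsNotAVerificationFailure` as "consider the cert as good" when no valid response is obtained, but it does not state the cost: in that mode an unreachable responder, or one whose traffic is dropped, gives the same outcome as a good status. I would add one sentence to that block, e.g. `* NOTE: this is a soft-fail mode; revocation is not detected when the responder cannot be reached, so use it only where availability outweighs revocation checking.` Separately, several comments in this section name things the header does not declare (`AddParams function`, `TryFcn`, `SEC_HttpServerFcnStruct`, `SEC_HttpServer_FreeSession`, `SEC_HttpRequest_FreeSession`). They should use the typedef names that are declared here, presumably `SEC_HttpRequest_SetPostDataFcn`/`SEC_HttpRequest_AddHeaderFcn`, `SEC_HttpRequest_TrySendAndReceiveFcn`, `SEC_HttpServer_FreeSessionFcn` and `SEC_HttpRequest_FreeFcn`.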


@@ -0,0 +1,236 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _P12_H_
#define _P12_H_
#include "secoid.h"
#include "key.h"
#include "secpkcs7.h"
#include "p12t.h"
typedef int(PR_CALLBACK *PKCS12OpenFunction)(void *arg);
typedef int(PR_CALLBACK *PKCS12ReadFunction)(void *arg,
unsigned char *buffer,
unsigned int *lenRead,
unsigned int maxLen);
typedef int(PR_CALLBACK *PKCS12WriteFunction)(void *arg,
unsigned char *buffer,
unsigned int *bufLen,
unsigned int *lenWritten);
typedef int(PR_CALLBACK *PKCS12CloseFunction)(void *arg);
typedef SECStatus(PR_CALLBACK *PKCS12UnicodeConvertFunction)(
PLArenaPool *arena,
SECItem *dest, SECItem *src,
PRBool toUnicode,
PRBool swapBytes);
typedef void(PR_CALLBACK *SEC_PKCS12EncoderOutputCallback)(
void *arg, const char *buf,
unsigned long len);
typedef void(PR_CALLBACK *SEC_PKCS12DecoderOutputCallback)(
void *arg, const char *buf,
unsigned long len);
/*
* In NSS 3.12 or later, 'arg' actually points to a CERTCertificate,
* the 'leafCert' variable in sec_pkcs12_validate_cert in p12d.c.
* See r1.35 of p12d.c ("Patch 2" in bug 321584).
*
* This callback might be called by SEC_PKCS12DecoderValidateBags each time
* a nickname collission is detected. The callback must return a new
* nickname. The returned SECItem should be of type siAsciiString,
* it should be allocated using:
* SECITEM_AllocItem(NULL, NULL, LENGTH_OF_NEW_NICKNAME + 1)
* and data must contain the new nickname as a zero terminated string.
*/
typedef SECItem *(PR_CALLBACK *SEC_PKCS12NicknameCollisionCallback)(
SECItem *old_nickname,
PRBool *cancel,
void *arg);
/*
* This callback is called by SEC_PKCS12DecoderRenameCertNicknames for each
* certificate found in the p12 source data.
*
* cert: A decoded certificate.
* default_nickname: The nickname as found in the source data.
* Will be NULL if source data doesn't have nickname.
* new_nickname: Output parameter that may contain the renamed nickname.
* arg: The user data that was passed to SEC_PKCS12DecoderRenameCertNicknames.
*
* If the callback accept that NSS will use a nickname based on the
* default_nickname (potentially resolving conflicts), then the callback
* must set *new_nickname to NULL.
*
* If the callback wishes to override the nickname, it must set *new_nickname
* to a new SECItem which should be allocated using
* SECITEM_AllocItem(NULL, NULL, LENGTH_OF_NEW_NICKNAME + 1)
* new_nickname->type should be set to siAsciiString, and new_nickname->data
* must contain the new nickname as a zero terminated string.
*
* A return value of SECFailure indicates that the renaming operation failed,
* and callback should release new_nickname before returning if it's already
* being allocated.
* Otherwise, the callback function must return SECSuccess, including use
* default nickname as mentioned above.
*/
typedef SECStatus(PR_CALLBACK *SEC_PKCS12NicknameRenameCallback)(
const CERTCertificate *cert,
const SECItem *default_nickname,
SECItem **new_nickname,
void *arg);
typedef SECStatus(PR_CALLBACK *digestOpenFn)(void *arg, PRBool readData);
typedef SECStatus(PR_CALLBACK *digestCloseFn)(void *arg, PRBool removeFile);
typedef int(PR_CALLBACK *digestIOFn)(void *arg, unsigned char *buf,
unsigned long len);
typedef struct SEC_PKCS12ExportContextStr SEC_PKCS12ExportContext;
typedef struct SEC_PKCS12SafeInfoStr SEC_PKCS12SafeInfo;
typedef struct SEC_PKCS12DecoderContextStr SEC_PKCS12DecoderContext;
typedef struct SEC_PKCS12DecoderItemStr SEC_PKCS12DecoderItem;
struct sec_PKCS12PasswordModeInfo {
SECItem *password;
SECOidTag algorithm;
};
struct sec_PKCS12PublicKeyModeInfo {
CERTCertificate *cert;
CERTCertDBHandle *certDb;
SECOidTag algorithm;
int keySize;
};
struct SEC_PKCS12DecoderItemStr {
SECItem *der;
SECOidTag type;
PRBool hasKey;
SECItem *friendlyName; /* UTF-8 string */
SECAlgorithmID *shroudAlg;
};
SEC_BEGIN_PROTOS
SEC_PKCS12SafeInfo *
SEC_PKCS12CreatePubKeyEncryptedSafe(SEC_PKCS12ExportContext *p12ctxt,
CERTCertDBHandle *certDb,
CERTCertificate *signer,
CERTCertificate **recipients,
SECOidTag algorithm, int keysize);
extern SEC_PKCS12SafeInfo *
SEC_PKCS12CreatePasswordPrivSafe(SEC_PKCS12ExportContext *p12ctxt,
SECItem *pwitem, SECOidTag privAlg);
extern SEC_PKCS12SafeInfo *
SEC_PKCS12CreateUnencryptedSafe(SEC_PKCS12ExportContext *p12ctxt);
extern SECStatus
SEC_PKCS12AddPasswordIntegrity(SEC_PKCS12ExportContext *p12ctxt,
SECItem *pwitem, SECOidTag integAlg);
extern SECStatus
SEC_PKCS12AddPublicKeyIntegrity(SEC_PKCS12ExportContext *p12ctxt,
CERTCertificate *cert, CERTCertDBHandle *certDb,
SECOidTag algorithm, int keySize);
extern SEC_PKCS12ExportContext *
SEC_PKCS12CreateExportContext(SECKEYGetPasswordKey pwfn, void *pwfnarg,
PK11SlotInfo *slot, void *wincx);
extern SECStatus
SEC_PKCS12AddCert(SEC_PKCS12ExportContext *p12ctxt,
SEC_PKCS12SafeInfo *safe, void *nestedDest,
CERTCertificate *cert, CERTCertDBHandle *certDb,
SECItem *keyId, PRBool includeCertChain);
extern SECStatus
SEC_PKCS12AddKeyForCert(SEC_PKCS12ExportContext *p12ctxt,
SEC_PKCS12SafeInfo *safe,
void *nestedDest, CERTCertificate *cert,
PRBool shroudKey, SECOidTag algorithm, SECItem *pwitem,
SECItem *keyId, SECItem *nickName);
extern SECStatus
SEC_PKCS12AddCertOrChainAndKey(SEC_PKCS12ExportContext *p12ctxt,
void *certSafe, void *certNestedDest,
CERTCertificate *cert, CERTCertDBHandle *certDb,
void *keySafe, void *keyNestedDest, PRBool shroudKey,
SECItem *pwitem, SECOidTag algorithm,
PRBool includeCertChain);
extern SECStatus
SEC_PKCS12AddCertAndKey(SEC_PKCS12ExportContext *p12ctxt,
void *certSafe, void *certNestedDest,
CERTCertificate *cert, CERTCertDBHandle *certDb,
void *keySafe, void *keyNestedDest,
PRBool shroudKey, SECItem *pwitem, SECOidTag algorithm);
extern void *
SEC_PKCS12CreateNestedSafeContents(SEC_PKCS12ExportContext *p12ctxt,
void *baseSafe, void *nestedDest);
extern SECStatus
SEC_PKCS12Encode(SEC_PKCS12ExportContext *p12exp,
SEC_PKCS12EncoderOutputCallback output, void *outputarg);
extern void
SEC_PKCS12DestroyExportContext(SEC_PKCS12ExportContext *p12exp);
extern SEC_PKCS12DecoderContext *
SEC_PKCS12DecoderStart(SECItem *pwitem, PK11SlotInfo *slot, void *wincx,
digestOpenFn dOpen, digestCloseFn dClose,
digestIOFn dRead, digestIOFn dWrite, void *dArg);
extern SECStatus
SEC_PKCS12DecoderSetTargetTokenCAs(SEC_PKCS12DecoderContext *p12dcx,
SECPKCS12TargetTokenCAs tokenCAs);
extern SECStatus
SEC_PKCS12DecoderUpdate(SEC_PKCS12DecoderContext *p12dcx, unsigned char *data,
unsigned long len);
extern void
SEC_PKCS12DecoderFinish(SEC_PKCS12DecoderContext *p12dcx);
extern SECStatus
SEC_PKCS12DecoderVerify(SEC_PKCS12DecoderContext *p12dcx);
extern SECStatus
SEC_PKCS12DecoderValidateBags(SEC_PKCS12DecoderContext *p12dcx,
SEC_PKCS12NicknameCollisionCallback nicknameCb);
/*
* SEC_PKCS12DecoderRenameCertNicknames() can be used to change
* certificate nicknames in SEC_PKCS12DecoderContext, prior to calling
* SEC_PKCS12DecoderImportBags.
*
* arg: User-defined data that will be passed to nicknameCb.
*
* If SEC_PKCS12DecoderRenameCertNicknames() is called after calling
* SEC_PKCS12DecoderValidateBags(), then only the certificate nickname
* will be changed.
* If SEC_PKCS12DecoderRenameCertNicknames() is called prior to calling
* SEC_PKCS12DecoderValidateBags(), then SEC_PKCS12DecoderValidateBags()
* will change the nickname of the corresponding private key, too.
*/
extern SECStatus
SEC_PKCS12DecoderRenameCertNicknames(SEC_PKCS12DecoderContext *p12dcx,
SEC_PKCS12NicknameRenameCallback nicknameCb,
void *arg);
extern SECStatus
SEC_PKCS12DecoderImportBags(SEC_PKCS12DecoderContext *p12dcx);
CERTCertList *
SEC_PKCS12DecoderGetCerts(SEC_PKCS12DecoderContext *p12dcx);
SECStatus
SEC_PKCS12DecoderIterateInit(SEC_PKCS12DecoderContext *p12dcx);
SECStatus
SEC_PKCS12DecoderIterateNext(SEC_PKCS12DecoderContext *p12dcx,
const SEC_PKCS12DecoderItem **ipp);
SEC_END_PROTOS
#endif


@@ -0,0 +1,25 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _P12PLCY_H_
#define _P12PLCY_H_
#include "secoid.h"
#include "ciferfam.h"
SEC_BEGIN_PROTOS
/* for the algid specified, can we decrypt it ? */
extern PRBool SEC_PKCS12DecryptionAllowed(SECAlgorithmID *algid);
/* is encryption allowed? */
extern PRBool SEC_PKCS12IsEncryptionAllowed(void);
/* enable a cipher for encryption/decryption */
extern SECStatus SEC_PKCS12EnableCipher(long which, int on);
/* return the preferred cipher for encryption */
extern SECStatus SEC_PKCS12SetPreferredCipher(long which, int on);
SEC_END_PROTOS
#endif


@@ -0,0 +1,155 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _P12T_H_
#define _P12T_H_
#include "secoid.h"
#include "key.h"
#include "pkcs11.h"
#include "secpkcs7.h"
#include "secdig.h" /* for SGNDigestInfo */
#include "pkcs12t.h"
#define SEC_PKCS12_VERSION 3
/* structure declarations */
typedef struct sec_PKCS12PFXItemStr sec_PKCS12PFXItem;
typedef struct sec_PKCS12MacDataStr sec_PKCS12MacData;
typedef struct sec_PKCS12AuthenticatedSafeStr sec_PKCS12AuthenticatedSafe;
typedef struct sec_PKCS12SafeContentsStr sec_PKCS12SafeContents;
typedef struct sec_PKCS12SafeBagStr sec_PKCS12SafeBag;
typedef struct sec_PKCS12PKCS8ShroudedKeyBagStr sec_PKCS12PKCS8ShroudedKeyBag;
typedef struct sec_PKCS12CertBagStr sec_PKCS12CertBag;
typedef struct sec_PKCS12CRLBagStr sec_PKCS12CRLBag;
typedef struct sec_PKCS12SecretBag sec_PKCS12SecretBag;
typedef struct sec_PKCS12AttributeStr sec_PKCS12Attribute;
struct sec_PKCS12CertBagStr {
/* what type of cert is stored? */
SECItem bagID;
/* certificate information */
union {
SECItem x509Cert;
SECItem SDSICert;
} value;
};
struct sec_PKCS12CRLBagStr {
/* what type of cert is stored? */
SECItem bagID;
/* certificate information */
union {
SECItem x509CRL;
} value;
};
struct sec_PKCS12SecretBag {
/* what type of secret? */
SECItem secretType;
/* secret information. ssshhhh be vewy vewy quiet. */
SECItem secretContent;
};
struct sec_PKCS12AttributeStr {
SECItem attrType;
SECItem **attrValue;
};
struct sec_PKCS12SafeBagStr {
/* What type of bag are we using? */
SECItem safeBagType;
/* Dependent upon the type of bag being used. */
union {
SECKEYPrivateKeyInfo *pkcs8KeyBag;
SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag;
sec_PKCS12CertBag *certBag;
sec_PKCS12CRLBag *crlBag;
sec_PKCS12SecretBag *secretBag;
sec_PKCS12SafeContents *safeContents;
} safeBagContent;
sec_PKCS12Attribute **attribs;
/* used locally */
SECOidData *bagTypeTag;
PLArenaPool *arena;
unsigned int nAttribs;
/* used for validation/importing */
PRBool problem, noInstall, validated, hasKey, unused, installed;
int error;
PRBool swapUnicodeBytes;
PK11SlotInfo *slot;
SECItem *pwitem;
PRBool oldBagType;
SECPKCS12TargetTokenCAs tokenCAs;
};
struct sec_PKCS12SafeContentsStr {
sec_PKCS12SafeBag **safeBags;
SECItem **encodedSafeBags;
/* used locally */
PLArenaPool *arena;
unsigned int bagCount;
};
struct sec_PKCS12MacDataStr {
SGNDigestInfo safeMac;
SECItem macSalt;
SECItem iter;
};
struct sec_PKCS12PFXItemStr {
SECItem version;
/* Content type will either be Data (password integrity mode)
* or signedData (public-key integrity mode)
*/
SEC_PKCS7ContentInfo *authSafe;
SECItem encodedAuthSafe;
/* Only present in password integrity mode */
sec_PKCS12MacData macData;
SECItem encodedMacData;
};
struct sec_PKCS12AuthenticatedSafeStr {
/* Content type will either be encryptedData (password privacy mode)
* or envelopedData (public-key privacy mode)
*/
SEC_PKCS7ContentInfo **safes;
SECItem **encodedSafes;
/* used locally */
unsigned int safeCount;
SECItem dummySafe;
};
extern const SEC_ASN1Template sec_PKCS12PFXItemTemplate[];
extern const SEC_ASN1Template sec_PKCS12MacDataTemplate[];
extern const SEC_ASN1Template sec_PKCS12AuthenticatedSafeTemplate[];
extern const SEC_ASN1Template sec_PKCS12SafeContentsTemplate[];
extern const SEC_ASN1Template sec_PKCS12SafeContentsDecodeTemplate[];
extern const SEC_ASN1Template sec_PKCS12NestedSafeContentsDecodeTemplate[];
extern const SEC_ASN1Template sec_PKCS12CertBagTemplate[];
extern const SEC_ASN1Template sec_PKCS12CRLBagTemplate[];
extern const SEC_ASN1Template sec_PKCS12SecretBagTemplate[];
extern const SEC_ASN1Template sec_PKCS12PointerToCertBagTemplate[];
extern const SEC_ASN1Template sec_PKCS12PointerToCRLBagTemplate[];
extern const SEC_ASN1Template sec_PKCS12PointerToSecretBagTemplate[];
extern const SEC_ASN1Template sec_PKCS12PointerToSafeContentsTemplate[];
extern const SEC_ASN1Template sec_PKCS12AttributeTemplate[];
extern const SEC_ASN1Template sec_PKCS12PointerToContentInfoTemplate[];
extern const SEC_ASN1Template sec_PKCS12SafeBagTemplate[];
#endif


@@ -0,0 +1,15 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _PK11FUNC_H_
#define _PK11FUNC_H_
/*
* The original pk11func.h had a mix of public and private functions.
* Continue to provide those for backward compatibility. New code should
* include pk11pub.h instead of pk11func.h.
*/
#include "pk11pub.h"
#include "pk11priv.h"
#endif


@@ -0,0 +1,135 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* Thse functions are stub functions which will get replaced with calls through
* PKCS #11.
*/
#ifndef _PK11PQG_H_
#define _PK11PQG_H_ 1
#include "blapit.h"
SEC_BEGIN_PROTOS
/* Generate PQGParams and PQGVerify structs.
* Length of seed and length of h both equal length of P.
* All lengths are specified by "j", according to the table above.
*/
extern SECStatus PK11_PQG_ParamGen(unsigned int j, PQGParams **pParams,
PQGVerify **pVfy);
/* Generate PQGParams and PQGVerify structs.
* Length of P specified by j. Length of h will match length of P.
* Length of SEED in bytes specified in seedBytes.
* seedBbytes must be in the range [20..255] or an error will result.
*/
extern SECStatus PK11_PQG_ParamGenSeedLen(unsigned int j,
unsigned int seedBytes, PQGParams **pParams, PQGVerify **pVfy);
/* Generate PQGParams and PQGVerify structs.
* Length of P specified by L.
* if L is greater than 1024 then the resulting verify parameters will be
* DSA2.
* Length of Q specified by N. If zero, The PKCS #11 module will
* pick an appropriately sized Q for L. If N is specified and L = 1024, then
* the resulting verify parameters will be DSA2, Otherwise DSA1 parameters
* will be returned.
* Length of SEED in bytes specified in seedBytes.
*
* The underlying PKCS #11 module will check the values for L, N,
* and seedBytes. The rules for softoken are:
*
* If L <= 1024, then L must be between 512 and 1024 in increments of 64 bits.
* If L <= 1024, then N must be 0 or 160.
* If L >= 1024, then L and N must match the following table:
* L=1024 N=0 or 160
* L=2048 N=0 or 224
* L=2048 N=256
* L=3072 N=0 or 256
* if L <= 1024
* seedBbytes must be in the range [20..256].
* if L >= 1024
* seedBbytes must be in the range [20..L/16].
*/
extern SECStatus
PK11_PQG_ParamGenV2(unsigned int L, unsigned int N, unsigned int seedBytes,
PQGParams **pParams, PQGVerify **pVfy);
/* Test PQGParams for validity as DSS PQG values.
* If vfy is non-NULL, test PQGParams to make sure they were generated
* using the specified seed, counter, and h values.
*
* Return value indicates whether Verification operation ran successfully
* to completion, but does not indicate if PQGParams are valid or not.
* If return value is SECSuccess, then *pResult has these meanings:
* SECSuccess: PQGParams are valid.
* SECFailure: PQGParams are invalid.
*
* Verify the following 12 facts about PQG counter SEED g and h
* These tests are specified in FIPS 186-3 Appendix A.1.1.1, A.1.1.3, and A.2.2
* PQG_VerifyParams in softoken/freebl will automatically choose the
* appropriate test.
*/
extern SECStatus PK11_PQG_VerifyParams(const PQGParams *params,
const PQGVerify *vfy, SECStatus *result);
extern void PK11_PQG_DestroyParams(PQGParams *params);
extern void PK11_PQG_DestroyVerify(PQGVerify *vfy);
/**************************************************************************
* Return a pointer to a new PQGParams struct that is constructed from *
* copies of the arguments passed in. *
* Return NULL on failure. *
**************************************************************************/
extern PQGParams *PK11_PQG_NewParams(const SECItem *prime, const SECItem *subPrime, const SECItem *base);
/**************************************************************************
* Fills in caller's "prime" SECItem with the prime value in params.
* Contents can be freed by calling SECITEM_FreeItem(prime, PR_FALSE);
**************************************************************************/
extern SECStatus PK11_PQG_GetPrimeFromParams(const PQGParams *params,
SECItem *prime);
/**************************************************************************
* Fills in caller's "subPrime" SECItem with the prime value in params.
* Contents can be freed by calling SECITEM_FreeItem(subPrime, PR_FALSE);
**************************************************************************/
extern SECStatus PK11_PQG_GetSubPrimeFromParams(const PQGParams *params,
SECItem *subPrime);
/**************************************************************************
* Fills in caller's "base" SECItem with the base value in params.
* Contents can be freed by calling SECITEM_FreeItem(base, PR_FALSE);
**************************************************************************/
extern SECStatus PK11_PQG_GetBaseFromParams(const PQGParams *params,
SECItem *base);
/**************************************************************************
* Return a pointer to a new PQGVerify struct that is constructed from *
* copies of the arguments passed in. *
* Return NULL on failure. *
**************************************************************************/
extern PQGVerify *PK11_PQG_NewVerify(unsigned int counter,
const SECItem *seed, const SECItem *h);
/**************************************************************************
* Returns "counter" value from the PQGVerify.
**************************************************************************/
extern unsigned int PK11_PQG_GetCounterFromVerify(const PQGVerify *verify);
/**************************************************************************
* Fills in caller's "seed" SECItem with the seed value in verify.
* Contents can be freed by calling SECITEM_FreeItem(seed, PR_FALSE);
**************************************************************************/
extern SECStatus PK11_PQG_GetSeedFromVerify(const PQGVerify *verify,
SECItem *seed);
/**************************************************************************
* Fills in caller's "h" SECItem with the h value in verify.
* Contents can be freed by calling SECITEM_FreeItem(h, PR_FALSE);
**************************************************************************/
extern SECStatus PK11_PQG_GetHFromVerify(const PQGVerify *verify, SECItem *h);
SEC_END_PROTOS
#endif


@@ -0,0 +1,187 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _PK11PRIV_H_
#define _PK11PRIV_H_
#include "plarena.h"
#include "seccomon.h"
#include "secoidt.h"
#include "secdert.h"
#include "keyt.h"
#include "certt.h"
#include "pkcs11t.h"
#include "secmodt.h"
#include "seccomon.h"
#include "pkcs7t.h"
#include "cmsreclist.h"
/*
* These are the private NSS functions. They are not exported by nss.def, and
* are not callable outside nss3.dll.
*/
SEC_BEGIN_PROTOS
/************************************************************
* Generic Slot Lists Management
************************************************************/
PK11SlotList *PK11_NewSlotList(void);
PK11SlotList *PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type,
PRBool needRW, void *wincx);
SECStatus PK11_AddSlotToList(PK11SlotList *list, PK11SlotInfo *slot, PRBool sorted);
SECStatus PK11_DeleteSlotFromList(PK11SlotList *list, PK11SlotListElement *le);
PK11SlotListElement *PK11_FindSlotElement(PK11SlotList *list,
PK11SlotInfo *slot);
PK11SlotInfo *PK11_FindSlotBySerial(char *serial);
int PK11_GetMaxKeyLength(CK_MECHANISM_TYPE type);
/************************************************************
* Generic Slot Management
************************************************************/
CK_OBJECT_HANDLE PK11_CopyKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE srcObject);
SECStatus PK11_ReadAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
CK_ATTRIBUTE_TYPE type, PLArenaPool *arena, SECItem *result);
CK_ULONG PK11_ReadULongAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
CK_ATTRIBUTE_TYPE type);
char *PK11_MakeString(PLArenaPool *arena, char *space, char *staticSring,
int stringLen);
int PK11_MapError(CK_RV error);
CK_SESSION_HANDLE PK11_GetRWSession(PK11SlotInfo *slot);
void PK11_RestoreROSession(PK11SlotInfo *slot, CK_SESSION_HANDLE rwsession);
PRBool PK11_RWSessionHasLock(PK11SlotInfo *slot,
CK_SESSION_HANDLE session_handle);
PK11SlotInfo *PK11_NewSlotInfo(SECMODModule *mod);
void PK11_EnterSlotMonitor(PK11SlotInfo *);
void PK11_ExitSlotMonitor(PK11SlotInfo *);
void PK11_CleanKeyList(PK11SlotInfo *slot);
/************************************************************
* Slot Password Management
************************************************************/
SECStatus PK11_DoPassword(PK11SlotInfo *slot, CK_SESSION_HANDLE session,
PRBool loadCerts, void *wincx, PRBool alreadyLocked,
PRBool contextSpecific);
SECStatus PK11_VerifyPW(PK11SlotInfo *slot, char *pw);
void PK11_HandlePasswordCheck(PK11SlotInfo *slot, void *wincx);
void PK11_SetVerifyPasswordFunc(PK11VerifyPasswordFunc func);
void PK11_SetIsLoggedInFunc(PK11IsLoggedInFunc func);
/************************************************************
* Manage the built-In Slot Lists
************************************************************/
SECStatus PK11_InitSlotLists(void);
void PK11_DestroySlotLists(void);
PK11SlotList *PK11_GetSlotList(CK_MECHANISM_TYPE type);
void PK11_LoadSlotList(PK11SlotInfo *slot, PK11PreSlotInfo *psi, int count);
void PK11_ClearSlotList(PK11SlotInfo *slot);
/******************************************************************
* Slot initialization
******************************************************************/
SECStatus PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts);
void PK11_InitSlot(SECMODModule *mod, CK_SLOT_ID slotID, PK11SlotInfo *slot);
PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot);
SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot);
void pk11_SetInternalKeySlot(PK11SlotInfo *slot);
PK11SlotInfo *pk11_SwapInternalKeySlot(PK11SlotInfo *slot);
void pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot);
/*********************************************************************
* Mechanism Mapping functions
*********************************************************************/
void PK11_AddMechanismEntry(CK_MECHANISM_TYPE type, CK_KEY_TYPE key,
CK_MECHANISM_TYPE keygen, CK_MECHANISM_TYPE pad,
int ivLen, int blocksize);
CK_MECHANISM_TYPE PK11_GetKeyMechanism(CK_KEY_TYPE type);
CK_MECHANISM_TYPE PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE type, int size);
/**********************************************************************
* Symetric, Public, and Private Keys
**********************************************************************/
/* Key Generation specialized for SDR (fixed DES3 key) */
PK11SymKey *PK11_GenDES3TokenKey(PK11SlotInfo *slot, SECItem *keyid, void *cx);
SECKEYPublicKey *PK11_ExtractPublicKey(PK11SlotInfo *slot, KeyType keyType,
CK_OBJECT_HANDLE id);
CK_OBJECT_HANDLE PK11_FindObjectForCert(CERTCertificate *cert,
void *wincx, PK11SlotInfo **pSlot);
PK11SymKey *pk11_CopyToSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey);
/**********************************************************************
* Certs
**********************************************************************/
SECStatus PK11_TraversePrivateKeysInSlot(PK11SlotInfo *slot,
SECStatus (*callback)(SECKEYPrivateKey *, void *), void *arg);
SECKEYPrivateKey *PK11_FindPrivateKeyFromNickname(char *nickname, void *wincx);
CK_OBJECT_HANDLE *PK11_FindObjectsFromNickname(char *nickname,
PK11SlotInfo **slotptr, CK_OBJECT_CLASS objclass, int *returnCount,
void *wincx);
CK_OBJECT_HANDLE PK11_MatchItem(PK11SlotInfo *slot, CK_OBJECT_HANDLE peer,
CK_OBJECT_CLASS o_class);
CK_BBOOL PK11_HasAttributeSet(PK11SlotInfo *slot,
CK_OBJECT_HANDLE id,
CK_ATTRIBUTE_TYPE type,
PRBool haslock);
CK_RV PK11_GetAttributes(PLArenaPool *arena, PK11SlotInfo *slot,
CK_OBJECT_HANDLE obj, CK_ATTRIBUTE *attr, int count);
int PK11_NumberCertsForCertSubject(CERTCertificate *cert);
SECStatus PK11_TraverseCertsForSubject(CERTCertificate *cert,
SECStatus (*callback)(CERTCertificate *, void *), void *arg);
SECStatus PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1,
PK11SlotInfo *slot2, CERTCertificate **cert1, CERTCertificate **cert2);
SECStatus PK11_TraverseCertsInSlot(PK11SlotInfo *slot,
SECStatus (*callback)(CERTCertificate *, void *), void *arg);
SECStatus PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx);
/**********************************************************************
* Crypto Contexts
**********************************************************************/
PK11Context *PK11_CreateContextByRawKey(PK11SlotInfo *slot,
CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation,
SECItem *key, SECItem *param, void *wincx);
PRBool PK11_HashOK(SECOidTag hashAlg);
/**********************************************************************
* Functions which are deprecated....
**********************************************************************/
SECItem *
PK11_FindCrlByName(PK11SlotInfo **slot, CK_OBJECT_HANDLE *handle,
SECItem *derName, int type, char **url);
CK_OBJECT_HANDLE
PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl,
SECItem *name, char *url, int type);
SECItem *
PK11_FindSMimeProfile(PK11SlotInfo **slotp, char *emailAddr, SECItem *derSubj,
SECItem **profileTime);
SECStatus
PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj,
SECItem *emailProfile, SECItem *profileTime);
PRBool PK11_IsPermObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle);
char *PK11_GetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id);
SECStatus PK11_SetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
const char *nickname);
/* private */
SECStatus pk11_TraverseAllSlots(SECStatus (*callback)(PK11SlotInfo *, void *),
void *cbArg, PRBool forceLogin, void *pwArg);
/* fetch multiple CRLs for a specific issuer */
SECStatus pk11_RetrieveCrls(CERTCrlHeadNode *nodes, SECItem *issuer,
void *wincx);
/* set global options for NSS PKCS#11 module loader */
SECStatus pk11_setGlobalOptions(PRBool noSingleThreadedModules,
PRBool allowAlreadyInitializedModules,
PRBool dontFinalizeModules);
/* return whether NSS is allowed to call C_Finalize */
PRBool pk11_getFinalizeModulesOption(void);
SEC_END_PROTOS
#endif


@@ -0,0 +1,879 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _PK11PUB_H_
#define _PK11PUB_H_
#include "plarena.h"
#include "seccomon.h"
#include "secoidt.h"
#include "secdert.h"
#include "keyt.h"
#include "certt.h"
#include "pkcs11t.h"
#include "secmodt.h"
#include "seccomon.h"
#include "pkcs7t.h"
#include "cmsreclist.h"
/*
* Exported PK11 wrap functions.
*/
SEC_BEGIN_PROTOS
/************************************************************
* Generic Slot Lists Management
************************************************************/
void PK11_FreeSlotList(PK11SlotList *list);
SECStatus PK11_FreeSlotListElement(PK11SlotList *list, PK11SlotListElement *le);
PK11SlotListElement *PK11_GetFirstSafe(PK11SlotList *list);
PK11SlotListElement *PK11_GetNextSafe(PK11SlotList *list,
PK11SlotListElement *le, PRBool restart);
/************************************************************
* Generic Slot Management
************************************************************/
PK11SlotInfo *PK11_ReferenceSlot(PK11SlotInfo *slot);
void PK11_FreeSlot(PK11SlotInfo *slot);
SECStatus PK11_DestroyObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE object);
SECStatus PK11_DestroyTokenObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE object);
PK11SlotInfo *PK11_GetInternalKeySlot(void);
PK11SlotInfo *PK11_GetInternalSlot(void);
SECStatus PK11_Logout(PK11SlotInfo *slot);
void PK11_LogoutAll(void);
/************************************************************
* Slot Password Management
************************************************************/
void PK11_SetSlotPWValues(PK11SlotInfo *slot, int askpw, int timeout);
void PK11_GetSlotPWValues(PK11SlotInfo *slot, int *askpw, int *timeout);
SECStatus PK11_CheckSSOPassword(PK11SlotInfo *slot, char *ssopw);
SECStatus PK11_CheckUserPassword(PK11SlotInfo *slot, const char *pw);
PRBool PK11_IsLoggedIn(PK11SlotInfo *slot, void *wincx);
SECStatus PK11_InitPin(PK11SlotInfo *slot, const char *ssopw,
const char *pk11_userpwd);
SECStatus PK11_ChangePW(PK11SlotInfo *slot, const char *oldpw,
const char *newpw);
void PK11_SetPasswordFunc(PK11PasswordFunc func);
int PK11_GetMinimumPwdLength(PK11SlotInfo *slot);
SECStatus PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd);
SECStatus PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx);
SECStatus PK11_TokenRefresh(PK11SlotInfo *slot);
/******************************************************************
* Slot info functions
******************************************************************/
PK11SlotInfo *PK11_FindSlotByName(const char *name);
/******************************************************************
* PK11_FindSlotsByNames searches for a PK11SlotInfo using one or
* more criteria : dllName, slotName and tokenName . In addition, if
* presentOnly is set , only slots with a token inserted will be
* returned.
******************************************************************/
PK11SlotList *PK11_FindSlotsByNames(const char *dllName,
const char *slotName, const char *tokenName, PRBool presentOnly);
PRBool PK11_IsReadOnly(PK11SlotInfo *slot);
PRBool PK11_IsInternal(PK11SlotInfo *slot);
PRBool PK11_IsInternalKeySlot(PK11SlotInfo *slot);
char *PK11_GetTokenName(PK11SlotInfo *slot);
char *PK11_GetSlotName(PK11SlotInfo *slot);
PRBool PK11_NeedLogin(PK11SlotInfo *slot);
PRBool PK11_IsFriendly(PK11SlotInfo *slot);
PRBool PK11_IsHW(PK11SlotInfo *slot);
PRBool PK11_IsRemovable(PK11SlotInfo *slot);
PRBool PK11_NeedUserInit(PK11SlotInfo *slot);
PRBool PK11_ProtectedAuthenticationPath(PK11SlotInfo *slot);
int PK11_GetSlotSeries(PK11SlotInfo *slot);
int PK11_GetCurrentWrapIndex(PK11SlotInfo *slot);
unsigned long PK11_GetDefaultFlags(PK11SlotInfo *slot);
CK_SLOT_ID PK11_GetSlotID(PK11SlotInfo *slot);
SECMODModuleID PK11_GetModuleID(PK11SlotInfo *slot);
SECStatus PK11_GetSlotInfo(PK11SlotInfo *slot, CK_SLOT_INFO *info);
SECStatus PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info);
PRBool PK11_IsDisabled(PK11SlotInfo *slot);
PRBool PK11_HasRootCerts(PK11SlotInfo *slot);
PK11DisableReasons PK11_GetDisabledReason(PK11SlotInfo *slot);
/* Prevents the slot from being used, and set disable reason to user-disable */
/* NOTE: Mechanisms that were ON continue to stay ON */
/* Therefore, when the slot is enabled, it will remember */
/* what mechanisms needs to be turned on */
PRBool PK11_UserDisableSlot(PK11SlotInfo *slot);
/* Allow all mechanisms that are ON before UserDisableSlot() */
/* was called to be available again */
PRBool PK11_UserEnableSlot(PK11SlotInfo *slot);
/*
* wait for a specific slot event.
* event is a specific event to wait for. Currently only
* PK11TokenChangeOrRemovalEvent and PK11TokenPresentEvents are defined.
* timeout can be an interval time to wait, PR_INTERVAL_NO_WAIT (meaning only
* poll once), or PR_INTERVAL_NO_TIMEOUT (meaning block until a change).
* pollInterval is a suggested pulling interval value. '0' means use the
* default. Future implementations that don't poll may ignore this value.
* series is the current series for the last slot. This should be the series
* value for the slot the last time you read persistant information from the
* slot. For instance, if you publish a cert from the slot, you should obtain
* the slot series at that time. Then PK11_WaitForTokenEvent can detect a
* a change in the slot between the time you publish and the time
* PK11_WaitForTokenEvent is called, elliminating potential race conditions.
*
* The current status that is returned is:
* PK11TokenNotRemovable - always returned for any non-removable token.
* PK11TokenPresent - returned when the token is present and we are waiting
* on a PK11TokenPresentEvent. Then next event to look for is a
* PK11TokenChangeOrRemovalEvent.
* PK11TokenChanged - returned when the old token has been removed and a new
* token ad been inserted, and we are waiting for a
* PK11TokenChangeOrRemovalEvent. The next event to look for is another
* PK11TokenChangeOrRemovalEvent.
* PK11TokenRemoved - returned when the token is not present and we are
* waiting for a PK11TokenChangeOrRemovalEvent. The next event to look for
* is a PK11TokenPresentEvent.
*/
PK11TokenStatus PK11_WaitForTokenEvent(PK11SlotInfo *slot, PK11TokenEvent event,
PRIntervalTime timeout, PRIntervalTime pollInterval, int series);
PRBool PK11_NeedPWInit(void);
PRBool PK11_TokenExists(CK_MECHANISM_TYPE);
SECStatus PK11_GetModInfo(SECMODModule *mod, CK_INFO *info);
PRBool PK11_IsFIPS(void);
SECMODModule *PK11_GetModule(PK11SlotInfo *slot);
/*********************************************************************
* Slot mapping utility functions.
*********************************************************************/
PRBool PK11_IsPresent(PK11SlotInfo *slot);
PRBool PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
PK11SlotList *PK11_GetAllTokens(CK_MECHANISM_TYPE type, PRBool needRW,
PRBool loadCerts, void *wincx);
PK11SlotInfo *PK11_GetBestSlotMultipleWithAttributes(CK_MECHANISM_TYPE *type,
CK_FLAGS *mechFlag, unsigned int *keySize,
unsigned int count, void *wincx);
PK11SlotInfo *PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type,
unsigned int count, void *wincx);
PK11SlotInfo *PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx);
PK11SlotInfo *PK11_GetBestSlotWithAttributes(CK_MECHANISM_TYPE type,
CK_FLAGS mechFlag, unsigned int keySize, void *wincx);
CK_MECHANISM_TYPE PK11_GetBestWrapMechanism(PK11SlotInfo *slot);
int PK11_GetBestKeyLength(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
/*
* Open a new database using the softoken. The caller is responsible for making
* sure the module spec is correct and usable. The caller should ask for one
* new database per call if the caller wants to get meaningful information
* about the new database.
*
* moduleSpec is the same data that you would pass to softoken at
* initialization time under the 'tokens' options. For example, if you were
* to specify tokens=<0x4=[configdir='./mybackup' tokenDescription='Backup']>
* You would specify "configdir='./mybackup' tokenDescription='Backup'" as your
* module spec here. The slot ID will be calculated for you by
* SECMOD_OpenUserDB().
*
* Typical parameters here are configdir, tokenDescription and flags.
*
* a Full list is below:
*
*
* configDir - The location of the databases for this token. If configDir is
* not specified, and noCertDB and noKeyDB is not specified, the load
* will fail.
* certPrefix - Cert prefix for this token.
* keyPrefix - Prefix for the key database for this token. (if not specified,
* certPrefix will be used).
* tokenDescription - The label value for this token returned in the
* CK_TOKEN_INFO structure with an internationalize string (UTF8).
* This value will be truncated at 32 bytes (no NULL, partial UTF8
* characters dropped). You should specify a user friendly name here
* as this is the value the token will be referred to in most
* application UI's. You should make sure tokenDescription is unique.
* slotDescription - The slotDescription value for this token returned
* in the CK_SLOT_INFO structure with an internationalize string
* (UTF8). This value will be truncated at 64 bytes (no NULL, partial
* UTF8 characters dropped). This name will not change after the
* database is closed. It should have some number to make this unique.
* minPWLen - minimum password length for this token.
* flags - comma separated list of flag values, parsed case-insensitive.
* Valid flags are:
* readOnly - Databases should be opened read only.
* noCertDB - Don't try to open a certificate database.
* noKeyDB - Don't try to open a key database.
* forceOpen - Don't fail to initialize the token if the
* databases could not be opened.
* passwordRequired - zero length passwords are not acceptable
* (valid only if there is a keyDB).
* optimizeSpace - allocate smaller hash tables and lock tables.
* When this flag is not specified, Softoken will allocate
* large tables to prevent lock contention.
*/
PK11SlotInfo *SECMOD_OpenUserDB(const char *moduleSpec);
SECStatus SECMOD_CloseUserDB(PK11SlotInfo *slot);
/*
* This is exactly the same as OpenUserDB except it can be called on any
* module that understands softoken style new slot entries. The resulting
* slot can be closed using SECMOD_CloseUserDB above. Value of moduleSpec
* is token specific.
*/
PK11SlotInfo *SECMOD_OpenNewSlot(SECMODModule *mod, const char *moduleSpec);
/*
* merge the permanent objects from on token to another
*/
SECStatus PK11_MergeTokens(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot,
PK11MergeLog *log, void *targetPwArg, void *sourcePwArg);
/*
* create and destroy merge logs needed by PK11_MergeTokens
*/
PK11MergeLog *PK11_CreateMergeLog(void);
void PK11_DestroyMergeLog(PK11MergeLog *log);
/*********************************************************************
* Mechanism Mapping functions
*********************************************************************/
CK_KEY_TYPE PK11_GetKeyType(CK_MECHANISM_TYPE type, unsigned long len);
CK_MECHANISM_TYPE PK11_GetKeyGen(CK_MECHANISM_TYPE type);
int PK11_GetBlockSize(CK_MECHANISM_TYPE type, SECItem *params);
int PK11_GetIVLength(CK_MECHANISM_TYPE type);
SECItem *PK11_ParamFromIV(CK_MECHANISM_TYPE type, SECItem *iv);
unsigned char *PK11_IVFromParam(CK_MECHANISM_TYPE type, SECItem *param, int *len);
SECItem *PK11_BlockData(SECItem *data, unsigned long size);
/* PKCS #11 to DER mapping functions */
SECItem *PK11_ParamFromAlgid(SECAlgorithmID *algid);
SECItem *PK11_GenerateNewParam(CK_MECHANISM_TYPE, PK11SymKey *);
CK_MECHANISM_TYPE PK11_AlgtagToMechanism(SECOidTag algTag);
SECOidTag PK11_MechanismToAlgtag(CK_MECHANISM_TYPE type);
SECOidTag PK11_FortezzaMapSig(SECOidTag algTag);
SECStatus PK11_ParamToAlgid(SECOidTag algtag, SECItem *param,
PLArenaPool *arena, SECAlgorithmID *algid);
SECStatus PK11_SeedRandom(PK11SlotInfo *, unsigned char *data, int len);
SECStatus PK11_GenerateRandomOnSlot(PK11SlotInfo *, unsigned char *data, int len);
SECStatus PK11_RandomUpdate(void *data, size_t bytes);
SECStatus PK11_GenerateRandom(unsigned char *data, int len);
/* warning: cannot work with pkcs 5 v2
* use algorithm ID s instead of pkcs #11 mechanism pointers */
CK_RV PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism,
CK_MECHANISM_PTR pCryptoMechanism,
SECItem *pbe_pwd, PRBool bad3DES);
CK_MECHANISM_TYPE PK11_GetPadMechanism(CK_MECHANISM_TYPE);
CK_MECHANISM_TYPE PK11_MapSignKeyType(KeyType keyType);
/**********************************************************************
* Symmetric, Public, and Private Keys
**********************************************************************/
void PK11_FreeSymKey(PK11SymKey *key);
PK11SymKey *PK11_ReferenceSymKey(PK11SymKey *symKey);
PK11SymKey *PK11_ImportSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, void *wincx);
PK11SymKey *PK11_ImportSymKeyWithFlags(PK11SlotInfo *slot,
CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation,
SECItem *key, CK_FLAGS flags, PRBool isPerm, void *wincx);
PK11SymKey *PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent,
PK11Origin origin, CK_MECHANISM_TYPE type, CK_OBJECT_HANDLE keyID,
PRBool owner, void *wincx);
PK11SymKey *PK11_GetWrapKey(PK11SlotInfo *slot, int wrap,
CK_MECHANISM_TYPE type, int series, void *wincx);
/*
* This function is not thread-safe. It can only be called when only
* one thread has a reference to wrapKey.
*/
void PK11_SetWrapKey(PK11SlotInfo *slot, int wrap, PK11SymKey *wrapKey);
CK_MECHANISM_TYPE PK11_GetMechanism(PK11SymKey *symKey);
/*
* import a public key into the desired slot
*
* This function takes a public key structure and creates a public key in a
* given slot. If isToken is set, then a persistant public key is created.
*
* Note: it is possible for this function to return a handle for a key which
* is persistant, even if isToken is not set.
*/
CK_OBJECT_HANDLE PK11_ImportPublicKey(PK11SlotInfo *slot,
SECKEYPublicKey *pubKey, PRBool isToken);
PK11SymKey *PK11_KeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
SECItem *param, int keySize, void *wincx);
PK11SymKey *PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
SECItem *param, int keySize, SECItem *keyid,
PRBool isToken, void *wincx);
PK11SymKey *PK11_TokenKeyGenWithFlags(PK11SlotInfo *slot,
CK_MECHANISM_TYPE type, SECItem *param,
int keySize, SECItem *keyid, CK_FLAGS opFlags,
PK11AttrFlags attrFlags, void *wincx);
/* Generates a key using the exact template supplied by the caller. The other
* PK11_[Token]KeyGen mechanisms should be used instead of this one whenever
* they work because they include/exclude the CKA_VALUE_LEN template value
* based on the mechanism type as required by many tokens.
*
* keyGenType should be PK11_GetKeyGenWithSize(type, <key size>) or it should
* be equal to type if PK11_GetKeyGenWithSize cannot be used (e.g. because
* pk11wrap does not know about the mechanisms).
*/
PK11SymKey *PK11_KeyGenWithTemplate(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
CK_MECHANISM_TYPE keyGenType,
SECItem *param, CK_ATTRIBUTE *attrs,
unsigned int attrsCount, void *wincx);
PK11SymKey *PK11_ListFixedKeysInSlot(PK11SlotInfo *slot, char *nickname,
void *wincx);
PK11SymKey *PK11_GetNextSymKey(PK11SymKey *symKey);
CK_KEY_TYPE PK11_GetSymKeyType(PK11SymKey *key);
CK_OBJECT_HANDLE PK11_GetSymKeyHandle(PK11SymKey *symKey);
/*
* PK11_SetSymKeyUserData
* sets generic user data on keys (usually a pointer to a data structure)
* that can later be retrieved by PK11_GetSymKeyUserData().
* symKey - key where data will be set.
* data - data to be set.
* freefunc - function used to free the data.
* Setting user data on symKeys with existing user data already set will cause
* the existing user data to be freed before the new user data is set.
* Freeing user data is done by calling the user specified freefunc.
* If freefunc is NULL, the user data is assumed to be global or static an
* not freed. Passing NULL for user data to PK11_SetSymKeyUserData has the
* effect of freeing any existing user data, and clearing the user data
* pointer. If user data exists when the symKey is finally freed, that
* data will be freed with freefunc.
*
* Applications should only use this function on keys which the application
* has created directly, as there is only one user data value per key.
*/
void PK11_SetSymKeyUserData(PK11SymKey *symKey, void *data,
PK11FreeDataFunc freefunc);
/* PK11_GetSymKeyUserData
* retrieves generic user data which was set on a key by
* PK11_SetSymKeyUserData.
* symKey - key with data to be fetched
*
* If no data exists, or the data has been cleared, PK11_GetSymKeyUserData
* will return NULL. Returned data is still owned and managed by the SymKey,
* the caller should not free the data.
*
*/
void *PK11_GetSymKeyUserData(PK11SymKey *symKey);
SECStatus PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
PK11SymKey *symKey, SECItem *wrappedKey);
SECStatus PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *params,
PK11SymKey *wrappingKey, PK11SymKey *symKey, SECItem *wrappedKey);
/* move a key to 'slot' optionally set the key attributes according to either
* operation or the flags and making the key permanent at the same time.
* If the key is moved to the same slot, operation and flags values are
* currently ignored */
PK11SymKey *PK11_MoveSymKey(PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation,
CK_FLAGS flags, PRBool perm, PK11SymKey *symKey);
/*
* derive a new key from the base key.
* PK11_Derive returns a key which can do exactly one operation, and is
* ephemeral (session key).
* PK11_DeriveWithFlags is the same as PK11_Derive, except you can use
* CKF_ flags to enable more than one operation.
* PK11_DeriveWithFlagsPerm is the same as PK11_DeriveWithFlags except you can
* (optionally) make the key permanent (token key).
*/
PK11SymKey *PK11_Derive(PK11SymKey *baseKey, CK_MECHANISM_TYPE mechanism,
SECItem *param, CK_MECHANISM_TYPE target,
CK_ATTRIBUTE_TYPE operation, int keySize);
PK11SymKey *PK11_DeriveWithFlags(PK11SymKey *baseKey,
CK_MECHANISM_TYPE derive, SECItem *param, CK_MECHANISM_TYPE target,
CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags);
PK11SymKey *PK11_DeriveWithFlagsPerm(PK11SymKey *baseKey,
CK_MECHANISM_TYPE derive,
SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
int keySize, CK_FLAGS flags, PRBool isPerm);
PK11SymKey *
PK11_DeriveWithTemplate(PK11SymKey *baseKey, CK_MECHANISM_TYPE derive,
SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
int keySize, CK_ATTRIBUTE *userAttr, unsigned int numAttrs,
PRBool isPerm);
PK11SymKey *PK11_PubDerive(SECKEYPrivateKey *privKey,
SECKEYPublicKey *pubKey, PRBool isSender, SECItem *randomA, SECItem *randomB,
CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
CK_ATTRIBUTE_TYPE operation, int keySize, void *wincx);
PK11SymKey *PK11_PubDeriveWithKDF(SECKEYPrivateKey *privKey,
SECKEYPublicKey *pubKey, PRBool isSender, SECItem *randomA, SECItem *randomB,
CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
CK_ATTRIBUTE_TYPE operation, int keySize,
CK_ULONG kdf, SECItem *sharedData, void *wincx);
/*
* unwrap a new key with a symetric key.
* PK11_Unwrap returns a key which can do exactly one operation, and is
* ephemeral (session key).
* PK11_UnwrapWithFlags is the same as PK11_Unwrap, except you can use
* CKF_ flags to enable more than one operation.
* PK11_UnwrapWithFlagsPerm is the same as PK11_UnwrapWithFlags except you can
* (optionally) make the key permanent (token key).
*/
PK11SymKey *PK11_UnwrapSymKey(PK11SymKey *key,
CK_MECHANISM_TYPE wraptype, SECItem *param, SECItem *wrapppedKey,
CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
PK11SymKey *PK11_UnwrapSymKeyWithFlags(PK11SymKey *wrappingKey,
CK_MECHANISM_TYPE wrapType, SECItem *param, SECItem *wrappedKey,
CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize,
CK_FLAGS flags);
PK11SymKey *PK11_UnwrapSymKeyWithFlagsPerm(PK11SymKey *wrappingKey,
CK_MECHANISM_TYPE wrapType,
SECItem *param, SECItem *wrappedKey,
CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
int keySize, CK_FLAGS flags, PRBool isPerm);
/*
* unwrap a new key with a private key.
* PK11_PubUnwrap returns a key which can do exactly one operation, and is
* ephemeral (session key).
* PK11_PubUnwrapWithFlagsPerm is the same as PK11_PubUnwrap except you can
* use * CKF_ flags to enable more than one operation, and optionally make
* the key permanent (token key).
*/
PK11SymKey *PK11_PubUnwrapSymKey(SECKEYPrivateKey *key, SECItem *wrapppedKey,
CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
PK11SymKey *PK11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey,
SECItem *wrappedKey, CK_MECHANISM_TYPE target,
CK_ATTRIBUTE_TYPE operation, int keySize,
CK_FLAGS flags, PRBool isPerm);
PK11SymKey *PK11_FindFixedKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
SECItem *keyID, void *wincx);
SECStatus PK11_DeleteTokenPrivateKey(SECKEYPrivateKey *privKey, PRBool force);
SECStatus PK11_DeleteTokenPublicKey(SECKEYPublicKey *pubKey);
SECStatus PK11_DeleteTokenSymKey(PK11SymKey *symKey);
SECStatus PK11_DeleteTokenCertAndKey(CERTCertificate *cert, void *wincx);
SECKEYPrivateKey *PK11_LoadPrivKey(PK11SlotInfo *slot,
SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey,
PRBool token, PRBool sensitive);
char *PK11_GetSymKeyNickname(PK11SymKey *symKey);
char *PK11_GetPrivateKeyNickname(SECKEYPrivateKey *privKey);
char *PK11_GetPublicKeyNickname(SECKEYPublicKey *pubKey);
SECStatus PK11_SetSymKeyNickname(PK11SymKey *symKey, const char *nickname);
SECStatus PK11_SetPrivateKeyNickname(SECKEYPrivateKey *privKey,
const char *nickname);
SECStatus PK11_SetPublicKeyNickname(SECKEYPublicKey *pubKey,
const char *nickname);
/*
* Using __PK11_SetCertificateNickname is *DANGEROUS*.
*
* The API will update the NSS database, but it *will NOT* update the in-memory data.
* As a result, after calling this API, there will be INCONSISTENCY between
* in-memory data and the database.
*
* Use of the API should be limited to short-lived tools, which will exit immediately
* after using this API.
*
* If you ignore this warning, your process is TAINTED and will most likely misbehave.
*/
SECStatus __PK11_SetCertificateNickname(CERTCertificate *cert,
const char *nickname);
/* size to hold key in bytes */
unsigned int PK11_GetKeyLength(PK11SymKey *key);
/* size of actual secret parts of key in bits */
/* algid is because RC4 strength is determined by the effective bits as well
* as the key bits */
unsigned int PK11_GetKeyStrength(PK11SymKey *key, SECAlgorithmID *algid);
SECStatus PK11_ExtractKeyValue(PK11SymKey *symKey);
SECItem *PK11_GetKeyData(PK11SymKey *symKey);
PK11SlotInfo *PK11_GetSlotFromKey(PK11SymKey *symKey);
void *PK11_GetWindow(PK11SymKey *symKey);
/*
* Explicitly set the key usage for the generated private key.
*
* This allows us to specify single use EC and RSA keys whose usage
* can be regulated by the underlying token.
*
* The underlying key usage is set using opFlags. opFlagsMask specifies
* which operations are specified by opFlags. For instance to turn encrypt
* on and signing off, opFlags would be CKF_ENCRYPT|CKF_DECRYPT and
* opFlagsMask would be CKF_ENCRYPT|CKF_DECRYPT|CKF_SIGN|CKF_VERIFY. You
* need to specify both the public and private key flags,
* PK11_GenerateKeyPairWithOpFlags will sort out the correct flag to the
* correct key type. Flags not specified in opFlagMask will be defaulted
* according to mechanism type and token capabilities.
*/
SECKEYPrivateKey *PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot,
CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
PK11AttrFlags attrFlags, CK_FLAGS opFlags, CK_FLAGS opFlagsMask,
void *wincx);
/*
* The attrFlags is the logical OR of the PK11_ATTR_XXX bitflags.
* These flags apply to the private key. The PK11_ATTR_TOKEN,
* PK11_ATTR_SESSION, PK11_ATTR_MODIFIABLE, and PK11_ATTR_UNMODIFIABLE
* flags also apply to the public key.
*/
SECKEYPrivateKey *PK11_GenerateKeyPairWithFlags(PK11SlotInfo *slot,
CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
PK11AttrFlags attrFlags, void *wincx);
SECKEYPrivateKey *PK11_GenerateKeyPair(PK11SlotInfo *slot,
CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
PRBool isPerm, PRBool isSensitive, void *wincx);
SECKEYPrivateKey *PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot,
CERTCertificate *cert, void *wincx);
SECKEYPrivateKey *PK11_FindKeyByAnyCert(CERTCertificate *cert, void *wincx);
SECKEYPrivateKey *PK11_FindKeyByKeyID(PK11SlotInfo *slot, SECItem *keyID,
void *wincx);
int PK11_GetPrivateModulusLen(SECKEYPrivateKey *key);
SECStatus PK11_Decrypt(PK11SymKey *symkey,
CK_MECHANISM_TYPE mechanism, SECItem *param,
unsigned char *out, unsigned int *outLen,
unsigned int maxLen,
const unsigned char *enc, unsigned int encLen);
SECStatus PK11_Encrypt(PK11SymKey *symKey,
CK_MECHANISM_TYPE mechanism, SECItem *param,
unsigned char *out, unsigned int *outLen,
unsigned int maxLen,
const unsigned char *data, unsigned int dataLen);
/* note: despite the name, this function takes a private key. */
SECStatus PK11_PubDecryptRaw(SECKEYPrivateKey *key,
unsigned char *data, unsigned *outLen,
unsigned int maxLen,
const unsigned char *enc, unsigned encLen);
#define PK11_PrivDecryptRaw PK11_PubDecryptRaw
/* The encrypt function that complements the above decrypt function. */
SECStatus PK11_PubEncryptRaw(SECKEYPublicKey *key,
unsigned char *enc,
const unsigned char *data, unsigned dataLen,
void *wincx);
SECStatus PK11_PrivDecryptPKCS1(SECKEYPrivateKey *key,
unsigned char *data, unsigned *outLen,
unsigned int maxLen,
const unsigned char *enc, unsigned encLen);
/* The encrypt function that complements the above decrypt function. */
SECStatus PK11_PubEncryptPKCS1(SECKEYPublicKey *key,
unsigned char *enc,
const unsigned char *data, unsigned dataLen,
void *wincx);
SECStatus PK11_PrivDecrypt(SECKEYPrivateKey *key,
CK_MECHANISM_TYPE mechanism, SECItem *param,
unsigned char *out, unsigned int *outLen,
unsigned int maxLen,
const unsigned char *enc, unsigned int encLen);
SECStatus PK11_PubEncrypt(SECKEYPublicKey *key,
CK_MECHANISM_TYPE mechanism, SECItem *param,
unsigned char *out, unsigned int *outLen,
unsigned int maxLen,
const unsigned char *data, unsigned int dataLen,
void *wincx);
SECStatus PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot,
SECKEYPrivateKeyInfo *pki, SECItem *nickname,
SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
unsigned int usage, void *wincx);
SECStatus PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
SECKEYPrivateKeyInfo *pki, SECItem *nickname,
SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
unsigned int usage, SECKEYPrivateKey **privk, void *wincx);
SECStatus PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot,
SECItem *derPKI, SECItem *nickname,
SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
unsigned int usage, void *wincx);
SECStatus PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
SECItem *derPKI, SECItem *nickname,
SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
unsigned int usage, SECKEYPrivateKey **privk, void *wincx);
SECStatus PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem,
SECItem *nickname, SECItem *publicValue, PRBool isPerm,
PRBool isPrivate, KeyType type,
unsigned int usage, void *wincx);
SECStatus PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem,
SECItem *nickname, SECItem *publicValue, PRBool isPerm,
PRBool isPrivate, KeyType type,
unsigned int usage, SECKEYPrivateKey **privk, void *wincx);
SECItem *PK11_ExportDERPrivateKeyInfo(SECKEYPrivateKey *pk, void *wincx);
SECKEYPrivateKeyInfo *PK11_ExportPrivKeyInfo(
SECKEYPrivateKey *pk, void *wincx);
SECKEYPrivateKeyInfo *PK11_ExportPrivateKeyInfo(
CERTCertificate *cert, void *wincx);
SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivKeyInfo(
PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem,
SECKEYPrivateKey *pk, int iteration, void *wincx);
SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivateKeyInfo(
PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem,
CERTCertificate *cert, int iteration, void *wincx);
SECKEYPrivateKey *PK11_FindKeyByDERCert(PK11SlotInfo *slot,
CERTCertificate *cert, void *wincx);
SECKEYPublicKey *PK11_MakeKEAPubKey(unsigned char *data, int length);
SECStatus PK11_DigestKey(PK11Context *context, PK11SymKey *key);
PRBool PK11_VerifyKeyOK(PK11SymKey *key);
SECKEYPrivateKey *PK11_UnwrapPrivKey(PK11SlotInfo *slot,
PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType,
SECItem *param, SECItem *wrappedKey, SECItem *label,
SECItem *publicValue, PRBool token, PRBool sensitive,
CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage, int usageCount,
void *wincx);
SECStatus PK11_WrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
SECKEYPrivateKey *privKey, CK_MECHANISM_TYPE wrapType,
SECItem *param, SECItem *wrappedKey, void *wincx);
/*
* The caller of PK11_DEREncodePublicKey should free the returned SECItem with
* a SECITEM_FreeItem(..., PR_TRUE) call.
*/
SECItem *PK11_DEREncodePublicKey(const SECKEYPublicKey *pubk);
PK11SymKey *PK11_CopySymKeyForSigning(PK11SymKey *originalKey,
CK_MECHANISM_TYPE mech);
SECKEYPrivateKeyList *PK11_ListPrivKeysInSlot(PK11SlotInfo *slot,
char *nickname, void *wincx);
SECKEYPublicKeyList *PK11_ListPublicKeysInSlot(PK11SlotInfo *slot,
char *nickname);
SECKEYPQGParams *PK11_GetPQGParamsFromPrivateKey(SECKEYPrivateKey *privKey);
/* deprecated */
SECKEYPrivateKeyList *PK11_ListPrivateKeysInSlot(PK11SlotInfo *slot);
PK11SymKey *PK11_ConvertSessionSymKeyToTokenSymKey(PK11SymKey *symk,
void *wincx);
SECKEYPrivateKey *PK11_ConvertSessionPrivKeyToTokenPrivKey(
SECKEYPrivateKey *privk, void *wincx);
SECKEYPrivateKey *PK11_CopyTokenPrivKeyToSessionPrivKey(PK11SlotInfo *destSlot,
SECKEYPrivateKey *privKey);
/**********************************************************************
* Certs
**********************************************************************/
SECItem *PK11_MakeIDFromPubKey(SECItem *pubKeyData);
SECStatus PK11_TraverseSlotCerts(
SECStatus (*callback)(CERTCertificate *, SECItem *, void *),
void *arg, void *wincx);
CERTCertificate *PK11_FindCertFromNickname(const char *nickname, void *wincx);
CERTCertList *PK11_FindCertsFromEmailAddress(const char *email, void *wincx);
CERTCertList *PK11_FindCertsFromNickname(const char *nickname, void *wincx);
CERTCertificate *PK11_GetCertFromPrivateKey(SECKEYPrivateKey *privKey);
SECStatus PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert,
CK_OBJECT_HANDLE key, const char *nickname,
PRBool includeTrust);
SECStatus PK11_ImportDERCert(PK11SlotInfo *slot, SECItem *derCert,
CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust);
PK11SlotInfo *PK11_ImportCertForKey(CERTCertificate *cert,
const char *nickname, void *wincx);
PK11SlotInfo *PK11_ImportDERCertForKey(SECItem *derCert, char *nickname,
void *wincx);
PK11SlotInfo *PK11_KeyForCertExists(CERTCertificate *cert,
CK_OBJECT_HANDLE *keyPtr, void *wincx);
PK11SlotInfo *PK11_KeyForDERCertExists(SECItem *derCert,
CK_OBJECT_HANDLE *keyPtr, void *wincx);
CERTCertificate *PK11_FindCertByIssuerAndSN(PK11SlotInfo **slot,
CERTIssuerAndSN *sn, void *wincx);
CERTCertificate *PK11_FindCertAndKeyByRecipientList(PK11SlotInfo **slot,
SEC_PKCS7RecipientInfo **array, SEC_PKCS7RecipientInfo **rip,
SECKEYPrivateKey **privKey, void *wincx);
int PK11_FindCertAndKeyByRecipientListNew(NSSCMSRecipient **recipientlist,
void *wincx);
SECStatus PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert,
PK11SlotInfo *slot, SECStatus (*callback)(CERTCertificate *, void *),
void *arg);
CERTCertificate *PK11_FindCertFromDERCert(PK11SlotInfo *slot,
CERTCertificate *cert, void *wincx);
CERTCertificate *PK11_FindCertFromDERCertItem(PK11SlotInfo *slot,
const SECItem *derCert, void *wincx);
SECStatus PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert,
char *nickname, PRBool addUsage,
void *wincx);
CERTCertificate *PK11_FindBestKEAMatch(CERTCertificate *serverCert, void *wincx);
PRBool PK11_FortezzaHasKEA(CERTCertificate *cert);
CK_OBJECT_HANDLE PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert,
void *wincx);
SECStatus PK11_TraverseCertsForNicknameInSlot(SECItem *nickname,
PK11SlotInfo *slot, SECStatus (*callback)(CERTCertificate *, void *),
void *arg);
CERTCertList *PK11_ListCerts(PK11CertListType type, void *pwarg);
CERTCertList *PK11_ListCertsInSlot(PK11SlotInfo *slot);
CERTSignedCrl *PK11_ImportCRL(PK11SlotInfo *slot, SECItem *derCRL, char *url,
int type, void *wincx, PRInt32 importOptions, PLArenaPool *arena, PRInt32 decodeOptions);
/**********************************************************************
* Sign/Verify
**********************************************************************/
/*
* Return the length in bytes of a signature generated with the
* private key.
*
* Return 0 or -1 on failure. (XXX Should we fix it to always return
* -1 on failure?)
*/
int PK11_SignatureLen(SECKEYPrivateKey *key);
PK11SlotInfo *PK11_GetSlotFromPrivateKey(SECKEYPrivateKey *key);
SECStatus PK11_Sign(SECKEYPrivateKey *key, SECItem *sig,
const SECItem *hash);
SECStatus PK11_SignWithMechanism(SECKEYPrivateKey *key,
CK_MECHANISM_TYPE mechanism,
const SECItem *param, SECItem *sig,
const SECItem *hash);
SECStatus PK11_SignWithSymKey(PK11SymKey *symKey, CK_MECHANISM_TYPE mechanism,
SECItem *param, SECItem *sig, const SECItem *data);
SECStatus PK11_VerifyRecover(SECKEYPublicKey *key, const SECItem *sig,
SECItem *dsig, void *wincx);
SECStatus PK11_Verify(SECKEYPublicKey *key, const SECItem *sig,
const SECItem *hash, void *wincx);
SECStatus PK11_VerifyWithMechanism(SECKEYPublicKey *key,
CK_MECHANISM_TYPE mechanism,
const SECItem *param, const SECItem *sig,
const SECItem *hash, void *wincx);
/**********************************************************************
* Crypto Contexts
**********************************************************************/
void PK11_DestroyContext(PK11Context *context, PRBool freeit);
PK11Context *PK11_CreateContextBySymKey(CK_MECHANISM_TYPE type,
CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey, SECItem *param);
PK11Context *PK11_CreateDigestContext(SECOidTag hashAlg);
PK11Context *PK11_CloneContext(PK11Context *old);
SECStatus PK11_DigestBegin(PK11Context *cx);
/*
* The output buffer 'out' must be big enough to hold the output of
* the hash algorithm 'hashAlg'.
*/
SECStatus PK11_HashBuf(SECOidTag hashAlg, unsigned char *out,
const unsigned char *in, PRInt32 len);
SECStatus PK11_DigestOp(PK11Context *context, const unsigned char *in,
unsigned len);
SECStatus PK11_CipherOp(PK11Context *context, unsigned char *out, int *outlen,
int maxout, const unsigned char *in, int inlen);
SECStatus PK11_Finalize(PK11Context *context);
SECStatus PK11_DigestFinal(PK11Context *context, unsigned char *data,
unsigned int *outLen, unsigned int length);
#define PK11_CipherFinal PK11_DigestFinal
SECStatus PK11_SaveContext(PK11Context *cx, unsigned char *save,
int *len, int saveLength);
/* Save the context's state, with possible allocation.
* The caller may supply an already allocated buffer in preAllocBuf,
* with length pabLen. If the buffer is large enough for the context's
* state, it will receive the state.
* If the buffer is not large enough (or NULL), then a new buffer will
* be allocated with PORT_Alloc.
* In either case, the state will be returned as a buffer, and the length
* of the state will be given in *stateLen.
*/
unsigned char *
PK11_SaveContextAlloc(PK11Context *cx,
unsigned char *preAllocBuf, unsigned int pabLen,
unsigned int *stateLen);
SECStatus PK11_RestoreContext(PK11Context *cx, unsigned char *save, int len);
SECStatus PK11_GenerateFortezzaIV(PK11SymKey *symKey, unsigned char *iv, int len);
void PK11_SetFortezzaHack(PK11SymKey *symKey);
/**********************************************************************
* PBE functions
**********************************************************************/
/* This function creates PBE parameters from the given inputs. The result
* can be used to create a password integrity key for PKCS#12, by sending
* the return value to PK11_KeyGen along with the appropriate mechanism.
*/
SECItem *
PK11_CreatePBEParams(SECItem *salt, SECItem *pwd, unsigned int iterations);
/* free params created above (can be called after keygen is done */
void PK11_DestroyPBEParams(SECItem *params);
SECAlgorithmID *
PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt);
/* use to create PKCS5 V2 algorithms with finder control than that provided
* by PK11_CreatePBEAlgorithmID. */
SECAlgorithmID *
PK11_CreatePBEV2AlgorithmID(SECOidTag pbeAlgTag, SECOidTag cipherAlgTag,
SECOidTag prfAlgTag, int keyLength, int iteration,
SECItem *salt);
PK11SymKey *
PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem,
PRBool faulty3DES, void *wincx);
/* warning: cannot work with PKCS 5 v2 use PK11_PBEKeyGen instead */
PK11SymKey *
PK11_RawPBEKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *params,
SECItem *pwitem, PRBool faulty3DES, void *wincx);
SECItem *
PK11_GetPBEIV(SECAlgorithmID *algid, SECItem *pwitem);
/*
* Get the Mechanism and parameter of the base encryption or mac scheme from
* a PBE algorithm ID.
* Caller is responsible for freeing the return parameter (param).
*/
CK_MECHANISM_TYPE
PK11_GetPBECryptoMechanism(SECAlgorithmID *algid,
SECItem **param, SECItem *pwd);
/**********************************************************************
* Functions to manage secmod flags
**********************************************************************/
const PK11DefaultArrayEntry *PK11_GetDefaultArray(int *size);
SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *slot,
const PK11DefaultArrayEntry *entry,
PRBool add);
/**********************************************************************
* Functions to look at PKCS #11 dependent data
**********************************************************************/
PK11GenericObject *PK11_FindGenericObjects(PK11SlotInfo *slot,
CK_OBJECT_CLASS objClass);
PK11GenericObject *PK11_GetNextGenericObject(PK11GenericObject *object);
PK11GenericObject *PK11_GetPrevGenericObject(PK11GenericObject *object);
SECStatus PK11_UnlinkGenericObject(PK11GenericObject *object);
SECStatus PK11_LinkGenericObject(PK11GenericObject *list,
PK11GenericObject *object);
SECStatus PK11_DestroyGenericObjects(PK11GenericObject *object);
SECStatus PK11_DestroyGenericObject(PK11GenericObject *object);
PK11GenericObject *PK11_CreateGenericObject(PK11SlotInfo *slot,
const CK_ATTRIBUTE *pTemplate,
int count, PRBool token);
/*
* PK11_ReadRawAttribute and PK11_WriteRawAttribute are generic
* functions to read and modify the actual PKCS #11 attributes of
* the underlying pkcs #11 object.
*
* object is a pointer to an NSS object that represents the underlying
* PKCS #11 object. It's type must match the type of PK11ObjectType
* as follows:
*
* type object
* PK11_TypeGeneric PK11GenericObject *
* PK11_TypePrivKey SECKEYPrivateKey *
* PK11_TypePubKey SECKEYPublicKey *
* PK11_TypeSymKey PK11SymKey *
*
* All other types are considered invalid. If type does not match the object
* passed, unpredictable results will occur.
*
* PK11_ReadRawAttribute allocates the buffer for returning the attribute
* value. The caller of PK11_ReadRawAttribute should free the data buffer
* pointed to by item using a SECITEM_FreeItem(item, PR_FALSE) or
* PORT_Free(item->data) call.
*/
SECStatus PK11_ReadRawAttribute(PK11ObjectType type, void *object,
CK_ATTRIBUTE_TYPE attr, SECItem *item);
SECStatus PK11_WriteRawAttribute(PK11ObjectType type, void *object,
CK_ATTRIBUTE_TYPE attr, SECItem *item);
/*
* PK11_GetAllSlotsForCert returns all the slots that a given certificate
* exists on, since it's possible for a cert to exist on more than one
* PKCS#11 token.
*/
PK11SlotList *
PK11_GetAllSlotsForCert(CERTCertificate *cert, void *arg);
/**********************************************************************
* New functions which are already deprecated....
**********************************************************************/
SECItem *
PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot,
CERTCertificate *cert, void *pwarg);
SECItem *
PK11_GetLowLevelKeyIDForPrivateKey(SECKEYPrivateKey *key);
PRBool SECMOD_HasRootCerts(void);
SEC_END_PROTOS
#endif


@@ -0,0 +1,28 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _PK11SDR_H_
#define _PK11SDR_H_
#include "seccomon.h"
SEC_BEGIN_PROTOS
/*
* PK11SDR_Encrypt - encrypt data using the specified key id or SDR default
* result should be freed with SECItem_ZfreeItem
*/
SECStatus
PK11SDR_Encrypt(SECItem *keyid, SECItem *data, SECItem *result, void *cx);
/*
* PK11SDR_Decrypt - decrypt data previously encrypted with PK11SDR_Encrypt
* result should be freed with SECItem_ZfreeItem
*/
SECStatus
PK11SDR_Decrypt(SECItem *data, SECItem *result, void *cx);
SEC_END_PROTOS
#endif
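Review bot: Both comments in this header tell callers to free `result` with `SECItem_ZfreeItem`, but the NSS function is spelled `SECITEM_ZfreeItem`, so the name as written cannot be found by a reader searching the headers. This matters most for PK11SDR_Decrypt, where `result` holds recovered plaintext and the zeroizing free is the point of the instruction. I would reword both lines to `result should be freed with SECITEM_ZfreeItem(result, PR_FALSE)`, assuming `result` is a caller-provided SECItem whose data buffer the call fills (confirm against the implementation). The comments also leave `keyid`, `cx` and the failure return undocumented. If this header is copied unchanged from upstream NSS, record the correction in the code that calls it rather than editing the copy.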


@@ -0,0 +1,252 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
* is granted provided that it is identified as "RSA Security In.c Public-Key
* Cryptography Standards (PKCS)" in all material mentioning or referencing
* this document.
*
* The latest version of this header can be found at:
* http://www.rsalabs.com/pkcs/pkcs-11/index.html
*/
#ifndef _PKCS11_H_
#define _PKCS11_H_ 1
#ifdef __cplusplus
extern "C" {
#endif
/* Before including this file (pkcs11.h) (or pkcs11t.h by
* itself), 6 platform-specific macros must be defined. These
* macros are described below, and typical definitions for them
* are also given. Be advised that these definitions can depend
* on both the platform and the compiler used (and possibly also
* on whether a PKCS #11 library is linked statically or
* dynamically).
*
* In addition to defining these 6 macros, the packing convention
* for PKCS #11 structures should be set. The PKCS #11
* convention on packing is that structures should be 1-byte
* aligned.
*
* In a Win32 environment, this might be done by using the
* following preprocessor directive before including pkcs11.h
* or pkcs11t.h:
*
* #pragma pack(push, cryptoki, 1)
*
* and using the following preprocessor directive after including
* pkcs11.h or pkcs11t.h:
*
* #pragma pack(pop, cryptoki)
*
* In a UNIX environment, you're on your own here. You might
* not need to do anything.
*
*
* Now for the macros:
*
*
* 1. CK_PTR: The indirection string for making a pointer to an
* object. It can be used like this:
*
* typedef CK_BYTE CK_PTR CK_BYTE_PTR;
*
* In a Win32 environment, it might be defined by
*
* #define CK_PTR *
*
* In a UNIX environment, it might be defined by
*
* #define CK_PTR *
*
*
* 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
* an exportable PKCS #11 library function definition out of a
* return type and a function name. It should be used in the
* following fashion to define the exposed PKCS #11 functions in
* a PKCS #11 library:
*
* CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(
* CK_VOID_PTR pReserved
* )
* {
* ...
* }
*
* For defining a function in a Win32 PKCS #11 .dll, it might be
* defined by
*
* #define CK_DEFINE_FUNCTION(returnType, name) \
* returnType __declspec(dllexport) name
*
* In a UNIX environment, it might be defined by
*
* #define CK_DEFINE_FUNCTION(returnType, name) \
* returnType name
*
*
* 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
* an importable PKCS #11 library function declaration out of a
* return type and a function name. It should be used in the
* following fashion:
*
* extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
* CK_VOID_PTR pReserved
* );
*
* For declaring a function in a Win32 PKCS #11 .dll, it might
* be defined by
*
* #define CK_DECLARE_FUNCTION(returnType, name) \
* returnType __declspec(dllimport) name
*
* In a UNIX environment, it might be defined by
*
* #define CK_DECLARE_FUNCTION(returnType, name) \
* returnType name
*
*
* 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
* which makes a PKCS #11 API function pointer declaration or
* function pointer type declaration out of a return type and a
* function name. It should be used in the following fashion:
*
* // Define funcPtr to be a pointer to a PKCS #11 API function
* // taking arguments args and returning CK_RV.
* CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
*
* or
*
* // Define funcPtrType to be the type of a pointer to a
* // PKCS #11 API function taking arguments args and returning
* // CK_RV, and then define funcPtr to be a variable of type
* // funcPtrType.
* typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
* funcPtrType funcPtr;
*
* For accessing functions in a Win32 PKCS #11 .dll, in might be
* defined by
*
* #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
* returnType __declspec(dllimport) (* name)
*
* In a UNIX environment, it might be defined by
*
* #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
* returnType (* name)
*
*
* 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
* a function pointer type for an application callback out of
* a return type for the callback and a name for the callback.
* It should be used in the following fashion:
*
* CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
*
* to declare a function pointer, myCallback, to a callback
* which takes arguments args and returns a CK_RV. It can also
* be used like this:
*
* typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
* myCallbackType myCallback;
*
* In a Win32 environment, it might be defined by
*
* #define CK_CALLBACK_FUNCTION(returnType, name) \
* returnType (* name)
*
* In a UNIX environment, it might be defined by
*
* #define CK_CALLBACK_FUNCTION(returnType, name) \
* returnType (* name)
*
*
* 6. NULL_PTR: This macro is the value of a NULL pointer.
*
* In any ANSI/ISO C environment (and in many others as well),
* this should be defined by
*
* #ifndef NULL_PTR
* #define NULL_PTR 0
* #endif
*/
/* All the various PKCS #11 types and #define'd values are in the
* file pkcs11t.h. */
#include "pkcs11t.h"
#define __PASTE(x, y) x##y
/* packing defines */
#include "pkcs11p.h"
/* ==============================================================
* Define the "extern" form of all the entry points.
* ==============================================================
*/
#define CK_NEED_ARG_LIST 1
#define CK_PKCS11_FUNCTION_INFO(name) \
CK_DECLARE_FUNCTION(CK_RV, name)
/* pkcs11f.h has all the information about the PKCS #11
* function prototypes. */
#include "pkcs11f.h"
#undef CK_NEED_ARG_LIST
#undef CK_PKCS11_FUNCTION_INFO
/* ==============================================================
* Define the typedef form of all the entry points. That is, for
* each PKCS #11 function C_XXX, define a type CK_C_XXX which is
* a pointer to that kind of function.
* ==============================================================
*/
#define CK_NEED_ARG_LIST 1
#define CK_PKCS11_FUNCTION_INFO(name) \
typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_, name))
/* pkcs11f.h has all the information about the PKCS #11
* function prototypes. */
#include "pkcs11f.h"
#undef CK_NEED_ARG_LIST
#undef CK_PKCS11_FUNCTION_INFO
/* ==============================================================
* Define structed vector of entry points. A CK_FUNCTION_LIST
* contains a CK_VERSION indicating a library's PKCS #11 version
* and then a whole slew of function pointers to the routines in
* the library. This type was declared, but not defined, in
* pkcs11t.h.
* ==============================================================
*/
#define CK_PKCS11_FUNCTION_INFO(name) \
__PASTE(CK_, name) \
name;
struct CK_FUNCTION_LIST {
CK_VERSION version; /* PKCS #11 version */
/* Pile all the function pointers into the CK_FUNCTION_LIST. */
/* pkcs11f.h has all the information about the PKCS #11
* function prototypes. */
#include "pkcs11f.h"
};
#undef CK_PKCS11_FUNCTION_INFO
#undef __PASTE
/* unpack */
#include "pkcs11u.h"
#ifdef __cplusplus
}
#endif
#endif


@@ -0,0 +1,812 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
* is granted provided that it is identified as "RSA Security In.c Public-Key
* Cryptography Standards (PKCS)" in all material mentioning or referencing
* this document.
*/
/* This function contains pretty much everything about all the */
/* PKCS #11 function prototypes. Because this information is */
/* used for more than just declaring function prototypes, the */
/* order of the functions appearing herein is important, and */
/* should not be altered. */
/* General-purpose */
/* C_Initialize initializes the PKCS #11 library. */
CK_PKCS11_FUNCTION_INFO(C_Initialize)
#ifdef CK_NEED_ARG_LIST
(
CK_VOID_PTR pInitArgs /* if this is not NULL_PTR, it gets
* cast to CK_C_INITIALIZE_ARGS_PTR
* and dereferenced */
);
#endif
/* C_Finalize indicates that an application is done with the
* PKCS #11 library. */
CK_PKCS11_FUNCTION_INFO(C_Finalize)
#ifdef CK_NEED_ARG_LIST
(
CK_VOID_PTR pReserved /* reserved. Should be NULL_PTR */
);
#endif
/* C_GetInfo returns general information about PKCS #11. */
CK_PKCS11_FUNCTION_INFO(C_GetInfo)
#ifdef CK_NEED_ARG_LIST
(
CK_INFO_PTR pInfo /* location that receives information */
);
#endif
/* C_GetFunctionList returns the function list. */
CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
#ifdef CK_NEED_ARG_LIST
(
CK_FUNCTION_LIST_PTR_PTR ppFunctionList /* receives pointer to
* function list */
);
#endif
/* Slot and token management */
/* C_GetSlotList obtains a list of slots in the system. */
CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
#ifdef CK_NEED_ARG_LIST
(
CK_BBOOL tokenPresent, /* only slots with tokens? */
CK_SLOT_ID_PTR pSlotList, /* receives array of slot IDs */
CK_ULONG_PTR pulCount /* receives number of slots */
);
#endif
/* C_GetSlotInfo obtains information about a particular slot in
* the system. */
CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
#ifdef CK_NEED_ARG_LIST
(
CK_SLOT_ID slotID, /* the ID of the slot */
CK_SLOT_INFO_PTR pInfo /* receives the slot information */
);
#endif
/* C_GetTokenInfo obtains information about a particular token
* in the system. */
CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
#ifdef CK_NEED_ARG_LIST
(
CK_SLOT_ID slotID, /* ID of the token's slot */
CK_TOKEN_INFO_PTR pInfo /* receives the token information */
);
#endif
/* C_GetMechanismList obtains a list of mechanism types
* supported by a token. */
CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
#ifdef CK_NEED_ARG_LIST
(
CK_SLOT_ID slotID, /* ID of token's slot */
CK_MECHANISM_TYPE_PTR pMechanismList, /* gets mech. array */
CK_ULONG_PTR pulCount /* gets # of mechs. */
);
#endif
/* C_GetMechanismInfo obtains information about a particular
* mechanism possibly supported by a token. */
CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
#ifdef CK_NEED_ARG_LIST
(
CK_SLOT_ID slotID, /* ID of the token's slot */
CK_MECHANISM_TYPE type, /* type of mechanism */
CK_MECHANISM_INFO_PTR pInfo /* receives mechanism info */
);
#endif
/* C_InitToken initializes a token. */
CK_PKCS11_FUNCTION_INFO(C_InitToken)
#ifdef CK_NEED_ARG_LIST
/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */
(
CK_SLOT_ID slotID, /* ID of the token's slot */
CK_UTF8CHAR_PTR pPin, /* the SO's initial PIN */
CK_ULONG ulPinLen, /* length in bytes of the PIN */
CK_UTF8CHAR_PTR pLabel /* 32-byte token label (blank padded) */
);
#endif
/* C_InitPIN initializes the normal user's PIN. */
CK_PKCS11_FUNCTION_INFO(C_InitPIN)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_UTF8CHAR_PTR pPin, /* the normal user's PIN */
CK_ULONG ulPinLen /* length in bytes of the PIN */
);
#endif
/* C_SetPIN modifies the PIN of the user who is logged in. */
CK_PKCS11_FUNCTION_INFO(C_SetPIN)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_UTF8CHAR_PTR pOldPin, /* the old PIN */
CK_ULONG ulOldLen, /* length of the old PIN */
CK_UTF8CHAR_PTR pNewPin, /* the new PIN */
CK_ULONG ulNewLen /* length of the new PIN */
);
#endif
/* Session management */
/* C_OpenSession opens a session between an application and a
* token. */
CK_PKCS11_FUNCTION_INFO(C_OpenSession)
#ifdef CK_NEED_ARG_LIST
(
CK_SLOT_ID slotID, /* the slot's ID */
CK_FLAGS flags, /* from CK_SESSION_INFO */
CK_VOID_PTR pApplication, /* passed to callback */
CK_NOTIFY Notify, /* callback function */
CK_SESSION_HANDLE_PTR phSession /* gets session handle */
);
#endif
/* C_CloseSession closes a session between an application and a
* token. */
CK_PKCS11_FUNCTION_INFO(C_CloseSession)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession /* the session's handle */
);
#endif
/* C_CloseAllSessions closes all sessions with a token. */
CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
#ifdef CK_NEED_ARG_LIST
(
CK_SLOT_ID slotID /* the token's slot */
);
#endif
/* C_GetSessionInfo obtains information about the session. */
CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_SESSION_INFO_PTR pInfo /* receives session info */
);
#endif
/* C_GetOperationState obtains the state of the cryptographic operation
* in a session. */
CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_BYTE_PTR pOperationState, /* gets state */
CK_ULONG_PTR pulOperationStateLen /* gets state length */
);
#endif
/* C_SetOperationState restores the state of the cryptographic
* operation in a session. */
CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_BYTE_PTR pOperationState, /* holds state */
CK_ULONG ulOperationStateLen, /* holds state length */
CK_OBJECT_HANDLE hEncryptionKey, /* en/decryption key */
CK_OBJECT_HANDLE hAuthenticationKey /* sign/verify key */
);
#endif
/* C_Login logs a user into a token. */
CK_PKCS11_FUNCTION_INFO(C_Login)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_USER_TYPE userType, /* the user type */
CK_UTF8CHAR_PTR pPin, /* the user's PIN */
CK_ULONG ulPinLen /* the length of the PIN */
);
#endif
/* C_Logout logs a user out from a token. */
CK_PKCS11_FUNCTION_INFO(C_Logout)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession /* the session's handle */
);
#endif
/* Object management */
/* C_CreateObject creates a new object. */
CK_PKCS11_FUNCTION_INFO(C_CreateObject)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_ATTRIBUTE_PTR pTemplate, /* the object's template */
CK_ULONG ulCount, /* attributes in template */
CK_OBJECT_HANDLE_PTR phObject /* gets new object's handle. */
);
#endif
/* C_CopyObject copies an object, creating a new object for the
* copy. */
CK_PKCS11_FUNCTION_INFO(C_CopyObject)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_OBJECT_HANDLE hObject, /* the object's handle */
CK_ATTRIBUTE_PTR pTemplate, /* template for new object */
CK_ULONG ulCount, /* attributes in template */
CK_OBJECT_HANDLE_PTR phNewObject /* receives handle of copy */
);
#endif
/* C_DestroyObject destroys an object. */
CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_OBJECT_HANDLE hObject /* the object's handle */
);
#endif
/* C_GetObjectSize gets the size of an object in bytes. */
CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_OBJECT_HANDLE hObject, /* the object's handle */
CK_ULONG_PTR pulSize /* receives size of object */
);
#endif
/* C_GetAttributeValue obtains the value of one or more object
* attributes. */
CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_OBJECT_HANDLE hObject, /* the object's handle */
CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs; gets vals */
CK_ULONG ulCount /* attributes in template */
);
#endif
/* C_SetAttributeValue modifies the value of one or more object
* attributes */
CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_OBJECT_HANDLE hObject, /* the object's handle */
CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs and values */
CK_ULONG ulCount /* attributes in template */
);
#endif
/* C_FindObjectsInit initializes a search for token and session
* objects that match a template. */
CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_ATTRIBUTE_PTR pTemplate, /* attribute values to match */
CK_ULONG ulCount /* attrs in search template */
);
#endif
/* C_FindObjects continues a search for token and session
* objects that match a template, obtaining additional object
* handles. */
CK_PKCS11_FUNCTION_INFO(C_FindObjects)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_OBJECT_HANDLE_PTR phObject, /* gets obj. handles */
CK_ULONG ulMaxObjectCount, /* max handles to get */
CK_ULONG_PTR pulObjectCount /* actual # returned */
);
#endif
/* C_FindObjectsFinal finishes a search for token and session
* objects. */
CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession /* the session's handle */
);
#endif
/* Encryption and decryption */
/* C_EncryptInit initializes an encryption operation. */
CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_MECHANISM_PTR pMechanism, /* the encryption mechanism */
CK_OBJECT_HANDLE hKey /* handle of encryption key */
);
#endif
/* C_Encrypt encrypts single-part data. */
CK_PKCS11_FUNCTION_INFO(C_Encrypt)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_BYTE_PTR pData, /* the plaintext data */
CK_ULONG ulDataLen, /* bytes of plaintext */
CK_BYTE_PTR pEncryptedData, /* gets ciphertext */
CK_ULONG_PTR pulEncryptedDataLen /* gets c-text size */
);
#endif
/* C_EncryptUpdate continues a multiple-part encryption
* operation. */
CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_BYTE_PTR pPart, /* the plaintext data */
CK_ULONG ulPartLen, /* plaintext data len */
CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
CK_ULONG_PTR pulEncryptedPartLen /* gets c-text size */
);
#endif
/* C_EncryptFinal finishes a multiple-part encryption
* operation. */
CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session handle */
CK_BYTE_PTR pLastEncryptedPart, /* last c-text */
CK_ULONG_PTR pulLastEncryptedPartLen /* gets last size */
);
#endif
/* C_DecryptInit initializes a decryption operation. */
CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_MECHANISM_PTR pMechanism, /* the decryption mechanism */
CK_OBJECT_HANDLE hKey /* handle of decryption key */
);
#endif
/* C_Decrypt decrypts encrypted data in a single part. */
CK_PKCS11_FUNCTION_INFO(C_Decrypt)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_BYTE_PTR pEncryptedData, /* ciphertext */
CK_ULONG ulEncryptedDataLen, /* ciphertext length */
CK_BYTE_PTR pData, /* gets plaintext */
CK_ULONG_PTR pulDataLen /* gets p-text size */
);
#endif
/* C_DecryptUpdate continues a multiple-part decryption
* operation. */
CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_BYTE_PTR pEncryptedPart, /* encrypted data */
CK_ULONG ulEncryptedPartLen, /* input length */
CK_BYTE_PTR pPart, /* gets plaintext */
CK_ULONG_PTR pulPartLen /* p-text size */
);
#endif
/* C_DecryptFinal finishes a multiple-part decryption
* operation. */
CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pLastPart, /* gets plaintext */
CK_ULONG_PTR pulLastPartLen /* p-text size */
);
#endif
/* Message digesting */
/* C_DigestInit initializes a message-digesting operation. */
CK_PKCS11_FUNCTION_INFO(C_DigestInit)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_MECHANISM_PTR pMechanism /* the digesting mechanism */
);
#endif
/* C_Digest digests data in a single part. */
CK_PKCS11_FUNCTION_INFO(C_Digest)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pData, /* data to be digested */
CK_ULONG ulDataLen, /* bytes of data to digest */
CK_BYTE_PTR pDigest, /* gets the message digest */
CK_ULONG_PTR pulDigestLen /* gets digest length */
);
#endif
/* C_DigestUpdate continues a multiple-part message-digesting
* operation. */
CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pPart, /* data to be digested */
CK_ULONG ulPartLen /* bytes of data to be digested */
);
#endif
/* C_DigestKey continues a multi-part message-digesting
* operation, by digesting the value of a secret key as part of
* the data already digested. */
CK_PKCS11_FUNCTION_INFO(C_DigestKey)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_OBJECT_HANDLE hKey /* secret key to digest */
);
#endif
/* C_DigestFinal finishes a multiple-part message-digesting
* operation. */
CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pDigest, /* gets the message digest */
CK_ULONG_PTR pulDigestLen /* gets byte count of digest */
);
#endif
/* Signing and MACing */
/* C_SignInit initializes a signature (private key encryption)
* operation, where the signature is (will be) an appendix to
* the data, and plaintext cannot be recovered from the
*signature. */
CK_PKCS11_FUNCTION_INFO(C_SignInit)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
CK_OBJECT_HANDLE hKey /* handle of signature key */
);
#endif
/* C_Sign signs (encrypts with private key) data in a single
* part, where the signature is (will be) an appendix to the
* data, and plaintext cannot be recovered from the signature. */
CK_PKCS11_FUNCTION_INFO(C_Sign)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pData, /* the data to sign */
CK_ULONG ulDataLen, /* count of bytes to sign */
CK_BYTE_PTR pSignature, /* gets the signature */
CK_ULONG_PTR pulSignatureLen /* gets signature length */
);
#endif
/* C_SignUpdate continues a multiple-part signature operation,
* where the signature is (will be) an appendix to the data,
* and plaintext cannot be recovered from the signature. */
CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pPart, /* the data to sign */
CK_ULONG ulPartLen /* count of bytes to sign */
);
#endif
/* C_SignFinal finishes a multiple-part signature operation,
* returning the signature. */
CK_PKCS11_FUNCTION_INFO(C_SignFinal)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pSignature, /* gets the signature */
CK_ULONG_PTR pulSignatureLen /* gets signature length */
);
#endif
/* C_SignRecoverInit initializes a signature operation, where
* the data can be recovered from the signature. */
CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
CK_OBJECT_HANDLE hKey /* handle of the signature key */
);
#endif
/* C_SignRecover signs data in a single operation, where the
* data can be recovered from the signature. */
CK_PKCS11_FUNCTION_INFO(C_SignRecover)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pData, /* the data to sign */
CK_ULONG ulDataLen, /* count of bytes to sign */
CK_BYTE_PTR pSignature, /* gets the signature */
CK_ULONG_PTR pulSignatureLen /* gets signature length */
);
#endif
/* Verifying signatures and MACs */
/* C_VerifyInit initializes a verification operation, where the
* signature is an appendix to the data, and plaintext cannot
* cannot be recovered from the signature (e.g. DSA). */
CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
CK_OBJECT_HANDLE hKey /* verification key */
);
#endif
/* C_Verify verifies a signature in a single-part operation,
* where the signature is an appendix to the data, and plaintext
* cannot be recovered from the signature. */
CK_PKCS11_FUNCTION_INFO(C_Verify)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pData, /* signed data */
CK_ULONG ulDataLen, /* length of signed data */
CK_BYTE_PTR pSignature, /* signature */
CK_ULONG ulSignatureLen /* signature length*/
);
#endif
/* C_VerifyUpdate continues a multiple-part verification
* operation, where the signature is an appendix to the data,
* and plaintext cannot be recovered from the signature. */
CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pPart, /* signed data */
CK_ULONG ulPartLen /* length of signed data */
);
#endif
/* C_VerifyFinal finishes a multiple-part verification
* operation, checking the signature. */
CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pSignature, /* signature to verify */
CK_ULONG ulSignatureLen /* signature length */
);
#endif
/* C_VerifyRecoverInit initializes a signature verification
* operation, where the data is recovered from the signature. */
CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
CK_OBJECT_HANDLE hKey /* verification key */
);
#endif
/* C_VerifyRecover verifies a signature in a single-part
* operation, where the data is recovered from the signature. */
CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pSignature, /* signature to verify */
CK_ULONG ulSignatureLen, /* signature length */
CK_BYTE_PTR pData, /* gets signed data */
CK_ULONG_PTR pulDataLen /* gets signed data len */
);
#endif
/* Dual-function cryptographic operations */
/* C_DigestEncryptUpdate continues a multiple-part digesting
* and encryption operation. */
CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_BYTE_PTR pPart, /* the plaintext data */
CK_ULONG ulPartLen, /* plaintext length */
CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */
);
#endif
/* C_DecryptDigestUpdate continues a multiple-part decryption and
* digesting operation. */
CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_BYTE_PTR pEncryptedPart, /* ciphertext */
CK_ULONG ulEncryptedPartLen, /* ciphertext length */
CK_BYTE_PTR pPart, /* gets plaintext */
CK_ULONG_PTR pulPartLen /* gets plaintext len */
);
#endif
/* C_SignEncryptUpdate continues a multiple-part signing and
* encryption operation. */
CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_BYTE_PTR pPart, /* the plaintext data */
CK_ULONG ulPartLen, /* plaintext length */
CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */
);
#endif
/* C_DecryptVerifyUpdate continues a multiple-part decryption and
* verify operation. */
CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_BYTE_PTR pEncryptedPart, /* ciphertext */
CK_ULONG ulEncryptedPartLen, /* ciphertext length */
CK_BYTE_PTR pPart, /* gets plaintext */
CK_ULONG_PTR pulPartLen /* gets p-text length */
);
#endif
/* Key management */
/* C_GenerateKey generates a secret key, creating a new key
* object. */
CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_MECHANISM_PTR pMechanism, /* key generation mech. */
CK_ATTRIBUTE_PTR pTemplate, /* template for new key */
CK_ULONG ulCount, /* # of attrs in template */
CK_OBJECT_HANDLE_PTR phKey /* gets handle of new key */
);
#endif
/* C_GenerateKeyPair generates a public-key/private-key pair,
* creating new key objects. */
CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session handle */
CK_MECHANISM_PTR pMechanism, /* key-gen mech. */
CK_ATTRIBUTE_PTR pPublicKeyTemplate, /* template for pub. key */
CK_ULONG ulPublicKeyAttributeCount, /* # pub. attrs. */
CK_ATTRIBUTE_PTR pPrivateKeyTemplate, /* template for priv. key */
CK_ULONG ulPrivateKeyAttributeCount, /* # priv. attrs. */
CK_OBJECT_HANDLE_PTR phPublicKey, /* gets pub. key handle */
CK_OBJECT_HANDLE_PTR phPrivateKey /* gets priv. key handle */
);
#endif
/* C_WrapKey wraps (i.e., encrypts) a key. */
CK_PKCS11_FUNCTION_INFO(C_WrapKey)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_MECHANISM_PTR pMechanism, /* the wrapping mechanism */
CK_OBJECT_HANDLE hWrappingKey, /* wrapping key */
CK_OBJECT_HANDLE hKey, /* key to be wrapped */
CK_BYTE_PTR pWrappedKey, /* gets wrapped key */
CK_ULONG_PTR pulWrappedKeyLen /* gets wrapped key size */
);
#endif
/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
* key object. */
CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_MECHANISM_PTR pMechanism, /* unwrapping mech. */
CK_OBJECT_HANDLE hUnwrappingKey, /* unwrapping key */
CK_BYTE_PTR pWrappedKey, /* the wrapped key */
CK_ULONG ulWrappedKeyLen, /* wrapped key len */
CK_ATTRIBUTE_PTR pTemplate, /* new key template */
CK_ULONG ulAttributeCount, /* template length */
CK_OBJECT_HANDLE_PTR phKey /* gets new handle */
);
#endif
/* C_DeriveKey derives a key from a base key, creating a new key
* object. */
CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_MECHANISM_PTR pMechanism, /* key deriv. mech. */
CK_OBJECT_HANDLE hBaseKey, /* base key */
CK_ATTRIBUTE_PTR pTemplate, /* new key template */
CK_ULONG ulAttributeCount, /* template length */
CK_OBJECT_HANDLE_PTR phKey /* gets new handle */
);
#endif
/* Random number generation */
/* C_SeedRandom mixes additional seed material into the token's
* random number generator. */
CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pSeed, /* the seed material */
CK_ULONG ulSeedLen /* length of seed material */
);
#endif
/* C_GenerateRandom generates random data. */
CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR RandomData, /* receives the random data */
CK_ULONG ulRandomLen /* # of bytes to generate */
);
#endif
/* Parallel function management */
/* C_GetFunctionStatus is a legacy function; it obtains an
* updated status of a function running in parallel with an
* application. */
CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession /* the session's handle */
);
#endif
/* C_CancelFunction is a legacy function; it cancels a function
* running in parallel. */
CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession /* the session's handle */
);
#endif
/* Functions added in for PKCS #11 Version 2.01 or later */
/* C_WaitForSlotEvent waits for a slot event (token insertion,
* removal, etc.) to occur. */
CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
#ifdef CK_NEED_ARG_LIST
(
CK_FLAGS flags, /* blocking/nonblocking flag */
CK_SLOT_ID_PTR pSlot, /* location that receives the slot ID */
CK_VOID_PTR pRserved /* reserved. Should be NULL_PTR */
);
#endif


@@ -0,0 +1,501 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _PKCS11N_H_
#define _PKCS11N_H_
/*
* pkcs11n.h
*
* This file contains the NSS-specific type definitions for Cryptoki
* (PKCS#11).
*/
/*
* NSSCK_VENDOR_NSS
*
* Cryptoki reserves the high half of all the number spaces for
* vendor-defined use. I'd like to keep all of our NSS-
* specific values together, but not in the oh-so-obvious
* 0x80000001, 0x80000002, etc. area. So I've picked an offset,
* and constructed values for the beginnings of our spaces.
*
* Note that some "historical" Netscape values don't fall within
* this range.
*/
#define NSSCK_VENDOR_NSS 0x4E534350 /* NSCP */
/*
* NSS-defined object classes
*
*/
#define CKO_NSS (CKO_VENDOR_DEFINED | NSSCK_VENDOR_NSS)
#define CKO_NSS_CRL (CKO_NSS + 1)
#define CKO_NSS_SMIME (CKO_NSS + 2)
#define CKO_NSS_TRUST (CKO_NSS + 3)
#define CKO_NSS_BUILTIN_ROOT_LIST (CKO_NSS + 4)
#define CKO_NSS_NEWSLOT (CKO_NSS + 5)
#define CKO_NSS_DELSLOT (CKO_NSS + 6)
/*
* NSS-defined key types
*
*/
#define CKK_NSS (CKK_VENDOR_DEFINED | NSSCK_VENDOR_NSS)
#define CKK_NSS_PKCS8 (CKK_NSS + 1)
#define CKK_NSS_JPAKE_ROUND1 (CKK_NSS + 2)
#define CKK_NSS_JPAKE_ROUND2 (CKK_NSS + 3)
#define CKK_NSS_CHACHA20 (CKK_NSS + 4)
/*
* NSS-defined certificate types
*
*/
#define CKC_NSS (CKC_VENDOR_DEFINED | NSSCK_VENDOR_NSS)
/* FAKE PKCS #11 defines */
#define CKA_DIGEST 0x81000000L
#define CKA_FLAGS_ONLY 0 /* CKA_CLASS */
/*
* NSS-defined object attributes
*
*/
#define CKA_NSS (CKA_VENDOR_DEFINED | NSSCK_VENDOR_NSS)
#define CKA_NSS_URL (CKA_NSS + 1)
#define CKA_NSS_EMAIL (CKA_NSS + 2)
#define CKA_NSS_SMIME_INFO (CKA_NSS + 3)
#define CKA_NSS_SMIME_TIMESTAMP (CKA_NSS + 4)
#define CKA_NSS_PKCS8_SALT (CKA_NSS + 5)
#define CKA_NSS_PASSWORD_CHECK (CKA_NSS + 6)
#define CKA_NSS_EXPIRES (CKA_NSS + 7)
#define CKA_NSS_KRL (CKA_NSS + 8)
#define CKA_NSS_PQG_COUNTER (CKA_NSS + 20)
#define CKA_NSS_PQG_SEED (CKA_NSS + 21)
#define CKA_NSS_PQG_H (CKA_NSS + 22)
#define CKA_NSS_PQG_SEED_BITS (CKA_NSS + 23)
#define CKA_NSS_MODULE_SPEC (CKA_NSS + 24)
#define CKA_NSS_OVERRIDE_EXTENSIONS (CKA_NSS + 25)
#define CKA_NSS_JPAKE_SIGNERID (CKA_NSS + 26)
#define CKA_NSS_JPAKE_PEERID (CKA_NSS + 27)
#define CKA_NSS_JPAKE_GX1 (CKA_NSS + 28)
#define CKA_NSS_JPAKE_GX2 (CKA_NSS + 29)
#define CKA_NSS_JPAKE_GX3 (CKA_NSS + 30)
#define CKA_NSS_JPAKE_GX4 (CKA_NSS + 31)
#define CKA_NSS_JPAKE_X2 (CKA_NSS + 32)
#define CKA_NSS_JPAKE_X2S (CKA_NSS + 33)
/*
* Trust attributes:
*
* If trust goes standard, these probably will too. So I'll
* put them all in one place.
*/
#define CKA_TRUST (CKA_NSS + 0x2000)
/* "Usage" key information */
#define CKA_TRUST_DIGITAL_SIGNATURE (CKA_TRUST + 1)
#define CKA_TRUST_NON_REPUDIATION (CKA_TRUST + 2)
#define CKA_TRUST_KEY_ENCIPHERMENT (CKA_TRUST + 3)
#define CKA_TRUST_DATA_ENCIPHERMENT (CKA_TRUST + 4)
#define CKA_TRUST_KEY_AGREEMENT (CKA_TRUST + 5)
#define CKA_TRUST_KEY_CERT_SIGN (CKA_TRUST + 6)
#define CKA_TRUST_CRL_SIGN (CKA_TRUST + 7)
/* "Purpose" trust information */
#define CKA_TRUST_SERVER_AUTH (CKA_TRUST + 8)
#define CKA_TRUST_CLIENT_AUTH (CKA_TRUST + 9)
#define CKA_TRUST_CODE_SIGNING (CKA_TRUST + 10)
#define CKA_TRUST_EMAIL_PROTECTION (CKA_TRUST + 11)
#define CKA_TRUST_IPSEC_END_SYSTEM (CKA_TRUST + 12)
#define CKA_TRUST_IPSEC_TUNNEL (CKA_TRUST + 13)
#define CKA_TRUST_IPSEC_USER (CKA_TRUST + 14)
#define CKA_TRUST_TIME_STAMPING (CKA_TRUST + 15)
#define CKA_TRUST_STEP_UP_APPROVED (CKA_TRUST + 16)
#define CKA_CERT_SHA1_HASH (CKA_TRUST + 100)
#define CKA_CERT_MD5_HASH (CKA_TRUST + 101)
/* NSS trust stuff */
/* HISTORICAL: define used to pass in the database key for DSA private keys */
#define CKA_NETSCAPE_DB 0xD5A0DB00L
#define CKA_NETSCAPE_TRUST 0x80000001L
/* FAKE PKCS #11 defines */
#define CKM_FAKE_RANDOM 0x80000efeUL
#define CKM_INVALID_MECHANISM 0xffffffffUL
/*
* NSS-defined crypto mechanisms
*
*/
#define CKM_NSS (CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS)
#define CKM_NSS_AES_KEY_WRAP (CKM_NSS + 1)
#define CKM_NSS_AES_KEY_WRAP_PAD (CKM_NSS + 2)
/* HKDF key derivation mechanisms. See CK_NSS_HKDFParams for documentation. */
#define CKM_NSS_HKDF_SHA1 (CKM_NSS + 3)
#define CKM_NSS_HKDF_SHA256 (CKM_NSS + 4)
#define CKM_NSS_HKDF_SHA384 (CKM_NSS + 5)
#define CKM_NSS_HKDF_SHA512 (CKM_NSS + 6)
/* J-PAKE round 1 key generation mechanisms.
*
* Required template attributes: CKA_PRIME, CKA_SUBPRIME, CKA_BASE,
* CKA_NSS_JPAKE_SIGNERID
* Output key type: CKK_NSS_JPAKE_ROUND1
* Output key class: CKO_PRIVATE_KEY
* Parameter type: CK_NSS_JPAKERound1Params
*
*/
#define CKM_NSS_JPAKE_ROUND1_SHA1 (CKM_NSS + 7)
#define CKM_NSS_JPAKE_ROUND1_SHA256 (CKM_NSS + 8)
#define CKM_NSS_JPAKE_ROUND1_SHA384 (CKM_NSS + 9)
#define CKM_NSS_JPAKE_ROUND1_SHA512 (CKM_NSS + 10)
/* J-PAKE round 2 key derivation mechanisms.
*
* Required template attributes: CKA_NSS_JPAKE_PEERID
* Input key type: CKK_NSS_JPAKE_ROUND1
* Output key type: CKK_NSS_JPAKE_ROUND2
* Output key class: CKO_PRIVATE_KEY
* Parameter type: CK_NSS_JPAKERound2Params
*/
#define CKM_NSS_JPAKE_ROUND2_SHA1 (CKM_NSS + 11)
#define CKM_NSS_JPAKE_ROUND2_SHA256 (CKM_NSS + 12)
#define CKM_NSS_JPAKE_ROUND2_SHA384 (CKM_NSS + 13)
#define CKM_NSS_JPAKE_ROUND2_SHA512 (CKM_NSS + 14)
/* J-PAKE final key material derivation mechanisms
*
* Input key type: CKK_NSS_JPAKE_ROUND2
* Output key type: CKK_GENERIC_SECRET
* Output key class: CKO_SECRET_KEY
* Parameter type: CK_NSS_JPAKEFinalParams
*
* You must apply a KDF (e.g. CKM_NSS_HKDF_*) to resultant keying material
* to get a key with uniformly distributed bits.
*/
#define CKM_NSS_JPAKE_FINAL_SHA1 (CKM_NSS + 15)
#define CKM_NSS_JPAKE_FINAL_SHA256 (CKM_NSS + 16)
#define CKM_NSS_JPAKE_FINAL_SHA384 (CKM_NSS + 17)
#define CKM_NSS_JPAKE_FINAL_SHA512 (CKM_NSS + 18)
/* Constant-time MAC mechanisms:
*
* These operations verify a padded, MAC-then-encrypt block of data in
* constant-time. Because of the order of operations, the padding bytes are not
* protected by the MAC. However, disclosing the value of the padding bytes
* gives an attacker the ability to decrypt ciphertexts. Such disclosure can be
* as subtle as taking slightly less time to perform the MAC when the padding
* is one byte longer. See https://www.isg.rhul.ac.uk/tls/
*
* CKM_NSS_HMAC_CONSTANT_TIME: performs an HMAC authentication.
* CKM_NSS_SSL3_MAC_CONSTANT_TIME: performs an authentication with SSLv3 MAC.
*
* Parameter type: CK_NSS_MAC_CONSTANT_TIME_PARAMS
*/
#define CKM_NSS_HMAC_CONSTANT_TIME (CKM_NSS + 19)
#define CKM_NSS_SSL3_MAC_CONSTANT_TIME (CKM_NSS + 20)
/* TLS 1.2 mechanisms */
#define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21)
#define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22)
#define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23)
#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
/* TLS extended master secret derivation */
#define CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE (CKM_NSS + 25)
#define CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH (CKM_NSS + 26)
#define CKM_NSS_CHACHA20_KEY_GEN (CKM_NSS + 27)
#define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 28)
/*
* HISTORICAL:
* Do not attempt to use these. They are only used by NETSCAPE's internal
* PKCS #11 interface. Most of these are place holders for other mechanism
* and will change in the future.
*/
#define CKM_NETSCAPE_PBE_SHA1_DES_CBC 0x80000002UL
#define CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC 0x80000003UL
#define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC 0x80000004UL
#define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC 0x80000005UL
#define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4 0x80000006UL
#define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4 0x80000007UL
#define CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC 0x80000008UL
#define CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN 0x80000009UL
#define CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN 0x8000000aUL
#define CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN 0x8000000bUL
#define CKM_TLS_PRF_GENERAL 0x80000373UL
typedef struct CK_NSS_JPAKEPublicValue {
CK_BYTE *pGX;
CK_ULONG ulGXLen;
CK_BYTE *pGV;
CK_ULONG ulGVLen;
CK_BYTE *pR;
CK_ULONG ulRLen;
} CK_NSS_JPAKEPublicValue;
typedef struct CK_NSS_JPAKERound1Params {
CK_NSS_JPAKEPublicValue gx1; /* out */
CK_NSS_JPAKEPublicValue gx2; /* out */
} CK_NSS_JPAKERound1Params;
typedef struct CK_NSS_JPAKERound2Params {
CK_BYTE *pSharedKey; /* in */
CK_ULONG ulSharedKeyLen; /* in */
CK_NSS_JPAKEPublicValue gx3; /* in */
CK_NSS_JPAKEPublicValue gx4; /* in */
CK_NSS_JPAKEPublicValue A; /* out */
} CK_NSS_JPAKERound2Params;
typedef struct CK_NSS_JPAKEFinalParams {
CK_NSS_JPAKEPublicValue B; /* in */
} CK_NSS_JPAKEFinalParams;
/* macAlg: the MAC algorithm to use. This determines the hash function used in
* the HMAC/SSLv3 MAC calculations.
* ulBodyTotalLen: the total length of the data, including padding bytes and
* padding length.
* pHeader: points to a block of data that contains additional data to
* authenticate. For TLS this includes the sequence number etc. For SSLv3,
* this also includes the initial padding bytes.
*
* NOTE: the softoken's implementation of CKM_NSS_HMAC_CONSTANT_TIME and
* CKM_NSS_SSL3_MAC_CONSTANT_TIME requires that the sum of ulBodyTotalLen
* and ulHeaderLen be much smaller than 2^32 / 8 bytes because it uses an
* unsigned int variable to represent the length in bits. This should not
* be a problem because the SSL/TLS protocol limits the size of an SSL
* record to something considerably less than 2^32 bytes.
*/
typedef struct CK_NSS_MAC_CONSTANT_TIME_PARAMS {
CK_MECHANISM_TYPE macAlg; /* in */
CK_ULONG ulBodyTotalLen; /* in */
CK_BYTE *pHeader; /* in */
CK_ULONG ulHeaderLen; /* in */
} CK_NSS_MAC_CONSTANT_TIME_PARAMS;
typedef struct CK_NSS_AEAD_PARAMS {
CK_BYTE_PTR pNonce;
CK_ULONG ulNonceLen;
CK_BYTE_PTR pAAD;
CK_ULONG ulAADLen;
CK_ULONG ulTagLen;
} CK_NSS_AEAD_PARAMS;
/*
* NSS-defined return values
*
*/
#define CKR_NSS (CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS)
#define CKR_NSS_CERTDB_FAILED (CKR_NSS + 1)
#define CKR_NSS_KEYDB_FAILED (CKR_NSS + 2)
/* Mandatory parameter for the CKM_NSS_HKDF_* key deriviation mechanisms.
See RFC 5869.
bExtract: If set, HKDF-Extract will be applied to the input key. If
the optional salt is given, it is used; otherwise, the salt is
set to a sequence of zeros equal in length to the HMAC output.
If bExpand is not set, then the key template given to
C_DeriveKey must indicate an output key size less than or equal
to the output size of the HMAC.
bExpand: If set, HKDF-Expand will be applied to the input key (if
bExtract is not set) or to the result of HKDF-Extract (if
bExtract is set). Any info given in the optional pInfo field will
be included in the calculation.
The size of the output key must be specified in the template passed to
C_DeriveKey.
*/
typedef struct CK_NSS_HKDFParams {
CK_BBOOL bExtract;
CK_BYTE_PTR pSalt;
CK_ULONG ulSaltLen;
CK_BBOOL bExpand;
CK_BYTE_PTR pInfo;
CK_ULONG ulInfoLen;
} CK_NSS_HKDFParams;
/*
* Parameter for the TLS extended master secret key derivation mechanisms:
*
* * CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE
* * CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH
*
* For the TLS 1.2 PRF, the prfHashMechanism parameter determines the hash
* function used. For earlier versions of the PRF, set the prfHashMechanism
* value to CKM_TLS_PRF.
*
* The session hash input is expected to be the output of the same hash
* function as the PRF uses (as required by draft-ietf-tls-session-hash). So
* the ulSessionHashLen member must be equal the output length of the hash
* function specified by the prfHashMechanism member (or, for pre-TLS 1.2 PRF,
* the length of concatenated MD5 and SHA-1 digests).
*
*/
typedef struct CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS {
CK_MECHANISM_TYPE prfHashMechanism;
CK_BYTE_PTR pSessionHash;
CK_ULONG ulSessionHashLen;
CK_VERSION_PTR pVersion;
} CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS;
/*
* Trust info
*
* This isn't part of the Cryptoki standard (yet), so I'm putting
* all the definitions here. Some of this would move to nssckt.h
* if trust info were made part of the standard. In view of this
* possibility, I'm putting my (NSS) values in the NSS
* vendor space, like everything else.
*/
typedef CK_ULONG CK_TRUST;
/* The following trust types are defined: */
#define CKT_VENDOR_DEFINED 0x80000000
#define CKT_NSS (CKT_VENDOR_DEFINED | NSSCK_VENDOR_NSS)
/* If trust goes standard, these'll probably drop out of vendor space. */
#define CKT_NSS_TRUSTED (CKT_NSS + 1)
#define CKT_NSS_TRUSTED_DELEGATOR (CKT_NSS + 2)
#define CKT_NSS_MUST_VERIFY_TRUST (CKT_NSS + 3)
#define CKT_NSS_NOT_TRUSTED (CKT_NSS + 10)
#define CKT_NSS_TRUST_UNKNOWN (CKT_NSS + 5) /* default */
/*
* These may well remain NSS-specific; I'm only using them
* to cache resolution data.
*/
#define CKT_NSS_VALID_DELEGATOR (CKT_NSS + 11)
/*
* old definitions. They still exist, but the plain meaning of the
* labels have never been accurate to what was really implemented.
* The new labels correctly reflect what the values effectively mean.
*/
#if defined(__GNUC__) && (__GNUC__ > 3)
/* make GCC warn when we use these #defines */
/*
* This is really painful because GCC doesn't allow us to mark random
* #defines as deprecated. We can only mark the following:
* functions, variables, and types.
* const variables will create extra storage for everyone including this
* header file, so it's undesirable.
* functions could be inlined to prevent storage creation, but will fail
* when constant values are expected (like switch statements).
* enum types do not seem to pay attention to the deprecated attribute.
*
* That leaves typedefs. We declare new types that we then deprecate, then
* cast the resulting value to the deprecated type in the #define, thus
* producting the warning when the #define is used.
*/
#if (__GNUC__ == 4) && (__GNUC_MINOR__ < 5)
/* The mac doesn't like the friendlier deprecate messages. I'm assuming this
* is a gcc version issue rather than mac or ppc specific */
typedef CK_TRUST __CKT_NSS_UNTRUSTED __attribute__((deprecated));
typedef CK_TRUST __CKT_NSS_VALID __attribute__((deprecated));
typedef CK_TRUST __CKT_NSS_MUST_VERIFY __attribute__((deprecated));
#else
/* when possible, get a full deprecation warning. This works on gcc 4.5
* it may work on earlier versions of gcc */
typedef CK_TRUST __CKT_NSS_UNTRUSTED __attribute__((deprecated("CKT_NSS_UNTRUSTED really means CKT_NSS_MUST_VERIFY_TRUST")));
typedef CK_TRUST __CKT_NSS_VALID __attribute__((deprecated("CKT_NSS_VALID really means CKT_NSS_NOT_TRUSTED")));
typedef CK_TRUST __CKT_NSS_MUST_VERIFY __attribute__((deprecated("CKT_NSS_MUST_VERIFY really functions as CKT_NSS_TRUST_UNKNOWN")));
#endif
#define CKT_NSS_UNTRUSTED ((__CKT_NSS_UNTRUSTED)CKT_NSS_MUST_VERIFY_TRUST)
#define CKT_NSS_VALID ((__CKT_NSS_VALID)CKT_NSS_NOT_TRUSTED)
/* keep the old value for compatibility reasons*/
#define CKT_NSS_MUST_VERIFY ((__CKT_NSS_MUST_VERIFY)(CKT_NSS + 4))
#else
#ifdef _WIN32
/* This magic gets the windows compiler to give us a deprecation
* warning */
#pragma deprecated(CKT_NSS_UNTRUSTED, CKT_NSS_MUST_VERIFY, CKT_NSS_VALID)
#endif
/* CKT_NSS_UNTRUSTED really means CKT_NSS_MUST_VERIFY_TRUST */
#define CKT_NSS_UNTRUSTED CKT_NSS_MUST_VERIFY_TRUST
/* CKT_NSS_VALID really means CKT_NSS_NOT_TRUSTED */
#define CKT_NSS_VALID CKT_NSS_NOT_TRUSTED
/* CKT_NSS_MUST_VERIFY was always treated as CKT_NSS_TRUST_UNKNOWN */
#define CKT_NSS_MUST_VERIFY (CKT_NSS + 4) /*really means trust unknown*/
#endif
/* don't leave old programs in a lurch just yet, give them the old NETSCAPE
* synonym */
#define CKO_NETSCAPE_CRL CKO_NSS_CRL
#define CKO_NETSCAPE_SMIME CKO_NSS_SMIME
#define CKO_NETSCAPE_TRUST CKO_NSS_TRUST
#define CKO_NETSCAPE_BUILTIN_ROOT_LIST CKO_NSS_BUILTIN_ROOT_LIST
#define CKO_NETSCAPE_NEWSLOT CKO_NSS_NEWSLOT
#define CKO_NETSCAPE_DELSLOT CKO_NSS_DELSLOT
#define CKK_NETSCAPE_PKCS8 CKK_NSS_PKCS8
#define CKA_NETSCAPE_URL CKA_NSS_URL
#define CKA_NETSCAPE_EMAIL CKA_NSS_EMAIL
#define CKA_NETSCAPE_SMIME_INFO CKA_NSS_SMIME_INFO
#define CKA_NETSCAPE_SMIME_TIMESTAMP CKA_NSS_SMIME_TIMESTAMP
#define CKA_NETSCAPE_PKCS8_SALT CKA_NSS_PKCS8_SALT
#define CKA_NETSCAPE_PASSWORD_CHECK CKA_NSS_PASSWORD_CHECK
#define CKA_NETSCAPE_EXPIRES CKA_NSS_EXPIRES
#define CKA_NETSCAPE_KRL CKA_NSS_KRL
#define CKA_NETSCAPE_PQG_COUNTER CKA_NSS_PQG_COUNTER
#define CKA_NETSCAPE_PQG_SEED CKA_NSS_PQG_SEED
#define CKA_NETSCAPE_PQG_H CKA_NSS_PQG_H
#define CKA_NETSCAPE_PQG_SEED_BITS CKA_NSS_PQG_SEED_BITS
#define CKA_NETSCAPE_MODULE_SPEC CKA_NSS_MODULE_SPEC
#define CKM_NETSCAPE_AES_KEY_WRAP CKM_NSS_AES_KEY_WRAP
#define CKM_NETSCAPE_AES_KEY_WRAP_PAD CKM_NSS_AES_KEY_WRAP_PAD
#define CKR_NETSCAPE_CERTDB_FAILED CKR_NSS_CERTDB_FAILED
#define CKR_NETSCAPE_KEYDB_FAILED CKR_NSS_KEYDB_FAILED
#define CKT_NETSCAPE_TRUSTED CKT_NSS_TRUSTED
#define CKT_NETSCAPE_TRUSTED_DELEGATOR CKT_NSS_TRUSTED_DELEGATOR
#define CKT_NETSCAPE_UNTRUSTED CKT_NSS_UNTRUSTED
#define CKT_NETSCAPE_MUST_VERIFY CKT_NSS_MUST_VERIFY
#define CKT_NETSCAPE_TRUST_UNKNOWN CKT_NSS_TRUST_UNKNOWN
#define CKT_NETSCAPE_VALID CKT_NSS_VALID
#define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
/*
* These are not really PKCS #11 values specifically. They are the 'loadable'
* module spec NSS uses. The are available for others to use as well, but not
* part of the formal PKCS #11 spec.
*
* The function 'FIND' returns an array of PKCS #11 initialization strings
* The function 'ADD' takes a PKCS #11 initialization string and stores it.
* The function 'DEL' takes a 'name= library=' value and deletes the associated
* string.
* The function 'RELEASE' frees the array returned by 'FIND'
*/
#define SECMOD_MODULE_DB_FUNCTION_FIND 0
#define SECMOD_MODULE_DB_FUNCTION_ADD 1
#define SECMOD_MODULE_DB_FUNCTION_DEL 2
#define SECMOD_MODULE_DB_FUNCTION_RELEASE 3
typedef char **(PR_CALLBACK *SECMODModuleDBFunc)(unsigned long function,
char *parameters, void *moduleSpec);
/* softoken slot ID's */
#define SFTK_MIN_USER_SLOT_ID 4
#define SFTK_MAX_USER_SLOT_ID 100
#define SFTK_MIN_FIPS_USER_SLOT_ID 101
#define SFTK_MAX_FIPS_USER_SLOT_ID 127
#endif /* _PKCS11N_H_ */


@@ -0,0 +1,21 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
* is granted provided that it is identified as "RSA Security Inc. Public-Key
* Cryptography Standards (PKCS)" in all material mentioning or referencing
* this document.
*/
/* these data types are platform/implementation dependent. */
/*
* Packing was removed from the shipped RSA header files, even
* though it's still needed. put in a central file to help merging..
*/
#if defined(_WIN32)
#ifdef _MSC_VER
#pragma warning(disable : 4103)
#endif
#pragma pack(push, cryptoki, 1)
#endif

File diff suppressed because it is too large Load Diff


@@ -0,0 +1,19 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
* is granted provided that it is identified as "RSA Security Inc. Public-Key
* Cryptography Standards (PKCS)" in all material mentioning or referencing
* this document.
*/
/*
* reset any packing set by pkcs11p.h
*/
#if defined(_WIN32)
#ifdef _MSC_VER
#pragma warning(disable : 4103)
#endif
#pragma pack(pop, cryptoki)
#endif


@@ -0,0 +1,41 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _PKCS12_H_
#define _PKCS12_H_
#include "pkcs12t.h"
#include "p12.h"
SEC_BEGIN_PROTOS
typedef SECItem *(*SEC_PKCS12GetPassword)(void *arg);
/* Decode functions */
/* Import a PFX item.
* der_pfx is the der-encoded pfx item to import.
* pbef, and pbefarg are used to retrieve passwords for the HMAC,
* and any passwords needed for passing to PKCS5 encryption
* routines.
* algorithm is the algorithm by which private keys are stored in
* the key database. this could be a specific algorithm or could
* be based on a global setting.
* slot is the slot to where the certificates will be placed. if NULL,
* the internal key slot is used.
* If the process is successful, a SECSuccess is returned, otherwise
* a failure occurred.
*/
SECStatus
SEC_PKCS12PutPFX(SECItem *der_pfx, SECItem *pwitem,
SEC_PKCS12NicknameCollisionCallback ncCall,
PK11SlotInfo *slot, void *wincx);
/* check the first two bytes of a file to make sure that it matches
* the desired header for a PKCS 12 file
*/
PRBool SEC_PKCS12ValidData(char *buf, int bufLen, long int totalLength);
SEC_END_PROTOS
#endif
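Review bot: The comment above `SEC_PKCS12PutPFX` does not describe the function that is declared: it documents `pbef`, `pbefarg` and `algorithm`, but the prototype takes `pwitem`, `ncCall` and `wincx`, none of which is explained. Since `pwitem` carries the PFX password, the comment should say what it is used for and who owns it, e.g. `pwitem is the password used for the HMAC check and for PKCS5 decryption; the caller retains ownership` (ownership is not visible in this header, so confirm against the implementation). The comment on `SEC_PKCS12ValidData` should also state what is returned when `bufLen` is smaller than the two bytes it inspects, given that `bufLen` is a signed `int`.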


@@ -0,0 +1,341 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _PKCS12T_H_
#define _PKCS12T_H_
#include "seccomon.h"
#include "secoid.h"
#include "cert.h"
#include "key.h"
#include "plarena.h"
#include "secpkcs7.h"
#include "secdig.h" /* for SGNDigestInfo */
typedef enum {
SECPKCS12TargetTokenNoCAs, /* CA get loaded intothe fixed token,
* User certs go to target token */
SECPKCS12TargetTokenIntermediateCAs, /* User certs and intermediates go to
* target token, root certs got to
* fixed token */
SECPKCS12TargetTokenAllCAs /* All certs go to target token */
} SECPKCS12TargetTokenCAs;
/* PKCS12 Structures */
typedef struct SEC_PKCS12PFXItemStr SEC_PKCS12PFXItem;
typedef struct SEC_PKCS12MacDataStr SEC_PKCS12MacData;
typedef struct SEC_PKCS12AuthenticatedSafeStr SEC_PKCS12AuthenticatedSafe;
typedef struct SEC_PKCS12BaggageItemStr SEC_PKCS12BaggageItem;
typedef struct SEC_PKCS12BaggageStr SEC_PKCS12Baggage;
typedef struct SEC_PKCS12Baggage_OLDStr SEC_PKCS12Baggage_OLD;
typedef struct SEC_PKCS12ESPVKItemStr SEC_PKCS12ESPVKItem;
typedef struct SEC_PKCS12PVKSupportingDataStr SEC_PKCS12PVKSupportingData;
typedef struct SEC_PKCS12PVKAdditionalDataStr SEC_PKCS12PVKAdditionalData;
typedef struct SEC_PKCS12SafeContentsStr SEC_PKCS12SafeContents;
typedef struct SEC_PKCS12SafeBagStr SEC_PKCS12SafeBag;
typedef struct SEC_PKCS12PrivateKeyStr SEC_PKCS12PrivateKey;
typedef struct SEC_PKCS12PrivateKeyBagStr SEC_PKCS12PrivateKeyBag;
typedef struct SEC_PKCS12CertAndCRLBagStr SEC_PKCS12CertAndCRLBag;
typedef struct SEC_PKCS12CertAndCRLStr SEC_PKCS12CertAndCRL;
typedef struct SEC_PKCS12X509CertCRLStr SEC_PKCS12X509CertCRL;
typedef struct SEC_PKCS12SDSICertStr SEC_PKCS12SDSICert;
typedef struct SEC_PKCS12SecretStr SEC_PKCS12Secret;
typedef struct SEC_PKCS12SecretAdditionalStr SEC_PKCS12SecretAdditional;
typedef struct SEC_PKCS12SecretItemStr SEC_PKCS12SecretItem;
typedef struct SEC_PKCS12SecretBagStr SEC_PKCS12SecretBag;
typedef SECItem *(*SEC_PKCS12PasswordFunc)(SECItem *args);
/* PKCS12 types */
/* stores shrouded keys */
struct SEC_PKCS12BaggageStr {
PLArenaPool *poolp;
SEC_PKCS12BaggageItem **bags;
int luggage_size; /* used locally */
};
/* additional data to be associated with keys. currently there
* is nothing defined to be stored here. allows future expansion.
*/
struct SEC_PKCS12PVKAdditionalDataStr {
PLArenaPool *poolp;
SECOidData *pvkAdditionalTypeTag; /* used locally */
SECItem pvkAdditionalType;
SECItem pvkAdditionalContent;
};
/* cert and other supporting data for private keys. used
* for both shrouded and non-shrouded keys.
*/
struct SEC_PKCS12PVKSupportingDataStr {
PLArenaPool *poolp;
SGNDigestInfo **assocCerts;
SECItem regenerable;
SECItem nickname;
SEC_PKCS12PVKAdditionalData pvkAdditional;
SECItem pvkAdditionalDER;
SECItem uniNickName;
/* used locally */
int nThumbs;
};
/* shrouded key structure. supports only pkcs8 shrouding
* currently.
*/
struct SEC_PKCS12ESPVKItemStr {
PLArenaPool *poolp; /* used locally */
SECOidData *espvkTag; /* used locally */
SECItem espvkOID;
SEC_PKCS12PVKSupportingData espvkData;
union {
SECKEYEncryptedPrivateKeyInfo *pkcs8KeyShroud;
} espvkCipherText;
PRBool duplicate; /* used locally */
PRBool problem_cert; /* used locally */
PRBool single_cert; /* used locally */
int nCerts; /* used locally */
SECItem derCert; /* used locally */
};
/* generic bag store for the safe. safeBagType identifies
* the type of bag stored.
*/
struct SEC_PKCS12SafeBagStr {
PLArenaPool *poolp;
SECOidData *safeBagTypeTag; /* used locally */
SECItem safeBagType;
union {
SEC_PKCS12PrivateKeyBag *keyBag;
SEC_PKCS12CertAndCRLBag *certAndCRLBag;
SEC_PKCS12SecretBag *secretBag;
} safeContent;
SECItem derSafeContent;
SECItem safeBagName;
SECItem uniSafeBagName;
};
/* stores private keys and certificates in a list. each safebag
* has an ID identifying the type of content stored.
*/
struct SEC_PKCS12SafeContentsStr {
PLArenaPool *poolp;
SEC_PKCS12SafeBag **contents;
/* used for tracking purposes */
int safe_size;
PRBool old;
PRBool swapUnicode;
PRBool possibleSwapUnicode;
};
/* private key structure which holds encrypted private key and
* supporting data including nickname and certificate thumbprint.
*/
struct SEC_PKCS12PrivateKeyStr {
PLArenaPool *poolp;
SEC_PKCS12PVKSupportingData pvkData;
SECKEYPrivateKeyInfo pkcs8data; /* borrowed from PKCS 8 */
PRBool duplicate; /* used locally */
PRBool problem_cert; /* used locally */
PRBool single_cert; /* used locally */
int nCerts; /* used locally */
SECItem derCert; /* used locally */
};
/* private key bag, holds a (null terminated) list of private key
* structures.
*/
struct SEC_PKCS12PrivateKeyBagStr {
PLArenaPool *poolp;
SEC_PKCS12PrivateKey **privateKeys;
int bag_size; /* used locally */
};
/* container to hold certificates. currently supports x509
* and sdsi certificates
*/
struct SEC_PKCS12CertAndCRLStr {
PLArenaPool *poolp;
SECOidData *BagTypeTag; /* used locally */
SECItem BagID;
union {
SEC_PKCS12X509CertCRL *x509;
SEC_PKCS12SDSICert *sdsi;
} value;
SECItem derValue;
SECItem nickname; /* used locally */
PRBool duplicate; /* used locally */
};
/* x509 certificate structure. typically holds the der encoding
* of the x509 certificate. thumbprint contains a digest of the
* certificate
*/
struct SEC_PKCS12X509CertCRLStr {
PLArenaPool *poolp;
SEC_PKCS7ContentInfo certOrCRL;
SGNDigestInfo thumbprint;
SECItem *derLeafCert; /* used locally */
};
/* sdsi certificate structure. typically holds the der encoding
* of the sdsi certificate. thumbprint contains a digest of the
* certificate
*/
struct SEC_PKCS12SDSICertStr {
PLArenaPool *poolp;
SECItem value;
SGNDigestInfo thumbprint;
};
/* contains a null terminated list of certs and crls */
struct SEC_PKCS12CertAndCRLBagStr {
PLArenaPool *poolp;
SEC_PKCS12CertAndCRL **certAndCRLs;
int bag_size; /* used locally */
};
/* additional secret information. currently no information
* stored in this structure.
*/
struct SEC_PKCS12SecretAdditionalStr {
PLArenaPool *poolp;
SECOidData *secretTypeTag; /* used locally */
SECItem secretAdditionalType;
SECItem secretAdditionalContent;
};
/* secrets container. this will be used to contain currently
* unspecified secrets. (it's a secret)
*/
struct SEC_PKCS12SecretStr {
PLArenaPool *poolp;
SECItem secretName;
SECItem value;
SEC_PKCS12SecretAdditional secretAdditional;
SECItem uniSecretName;
};
struct SEC_PKCS12SecretItemStr {
PLArenaPool *poolp;
SEC_PKCS12Secret secret;
SEC_PKCS12SafeBag subFolder;
};
/* a bag of secrets. holds a null terminated list of secrets.
*/
struct SEC_PKCS12SecretBagStr {
PLArenaPool *poolp;
SEC_PKCS12SecretItem **secrets;
int bag_size; /* used locally */
};
struct SEC_PKCS12MacDataStr {
SGNDigestInfo safeMac;
SECItem macSalt;
};
/* outer transfer unit */
struct SEC_PKCS12PFXItemStr {
PLArenaPool *poolp;
SEC_PKCS12MacData macData;
SEC_PKCS7ContentInfo authSafe;
/* for compatibility with beta */
PRBool old;
SGNDigestInfo old_safeMac;
SECItem old_macSalt;
/* compatibility between platforms for unicode swapping */
PRBool swapUnicode;
};
struct SEC_PKCS12BaggageItemStr {
PLArenaPool *poolp;
SEC_PKCS12ESPVKItem **espvks;
SEC_PKCS12SafeBag **unencSecrets;
int nEspvks;
int nSecrets;
};
/* stores shrouded keys */
struct SEC_PKCS12Baggage_OLDStr {
PLArenaPool *poolp;
SEC_PKCS12ESPVKItem **espvks;
int luggage_size; /* used locally */
};
/* authenticated safe, stores certs, keys, and shrouded keys */
struct SEC_PKCS12AuthenticatedSafeStr {
PLArenaPool *poolp;
SECItem version;
SECOidData *transportTypeTag; /* local not part of encoding*/
SECItem transportMode;
SECItem privacySalt;
SEC_PKCS12Baggage baggage;
SEC_PKCS7ContentInfo *safe;
/* used for beta compatibility */
PRBool old;
PRBool emptySafe;
SEC_PKCS12Baggage_OLD old_baggage;
SEC_PKCS7ContentInfo old_safe;
PRBool swapUnicode;
};
#define SEC_PKCS12_PFX_VERSION 1 /* what we create */
/* PKCS 12 Templates */
extern const SEC_ASN1Template SEC_PKCS12PFXItemTemplate_OLD[];
extern const SEC_ASN1Template SEC_PKCS12AuthenticatedSafeTemplate_OLD[];
extern const SEC_ASN1Template SEC_PKCS12BaggageTemplate_OLD[];
extern const SEC_ASN1Template SEC_PKCS12PFXItemTemplate[];
extern const SEC_ASN1Template SEC_PKCS12MacDataTemplate[];
extern const SEC_ASN1Template SEC_PKCS12AuthenticatedSafeTemplate[];
extern const SEC_ASN1Template SEC_PKCS12BaggageTemplate[];
extern const SEC_ASN1Template SEC_PKCS12ESPVKItemTemplate[];
extern const SEC_ASN1Template SEC_PKCS12PVKSupportingDataTemplate[];
extern const SEC_ASN1Template SEC_PKCS12PVKAdditionalTemplate[];
extern const SEC_ASN1Template SEC_PKCS12SafeContentsTemplate_OLD[];
extern const SEC_ASN1Template SEC_PKCS12SafeContentsTemplate[];
extern const SEC_ASN1Template SEC_PKCS12SafeBagTemplate[];
extern const SEC_ASN1Template SEC_PKCS12PrivateKeyTemplate[];
extern const SEC_ASN1Template SEC_PKCS12PrivateKeyBagTemplate[];
extern const SEC_ASN1Template SEC_PKCS12CertAndCRLTemplate[];
extern const SEC_ASN1Template SEC_PKCS12CertAndCRLBagTemplate[];
extern const SEC_ASN1Template SEC_PKCS12X509CertCRLTemplate_OLD[];
extern const SEC_ASN1Template SEC_PKCS12X509CertCRLTemplate[];
extern const SEC_ASN1Template SEC_PKCS12SDSICertTemplate[];
extern const SEC_ASN1Template SEC_PKCS12SecretBagTemplate[];
extern const SEC_ASN1Template SEC_PKCS12SecretTemplate[];
extern const SEC_ASN1Template SEC_PKCS12SecretItemTemplate[];
extern const SEC_ASN1Template SEC_PKCS12SecretAdditionalTemplate[];
extern const SEC_ASN1Template SGN_DigestInfoTemplate[];
extern const SEC_ASN1Template SEC_PointerToPKCS12KeyBagTemplate[];
extern const SEC_ASN1Template SEC_PointerToPKCS12CertAndCRLBagTemplate[];
extern const SEC_ASN1Template SEC_PointerToPKCS12CertAndCRLBagTemplate_OLD[];
extern const SEC_ASN1Template SEC_PointerToPKCS12SecretBagTemplate[];
extern const SEC_ASN1Template SEC_PointerToPKCS12X509CertCRLTemplate_OLD[];
extern const SEC_ASN1Template SEC_PointerToPKCS12X509CertCRLTemplate[];
extern const SEC_ASN1Template SEC_PointerToPKCS12SDSICertTemplate[];
extern const SEC_ASN1Template SEC_PKCS12CodedSafeBagTemplate[];
extern const SEC_ASN1Template SEC_PKCS12CodedCertBagTemplate[];
extern const SEC_ASN1Template SEC_PKCS12CodedCertAndCRLBagTemplate[];
extern const SEC_ASN1Template SEC_PKCS12PVKSupportingDataTemplate_OLD[];
extern const SEC_ASN1Template SEC_PKCS12ESPVKItemTemplate_OLD[];
#endif


@@ -0,0 +1,30 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#ifndef _PKCS1SIG_H_
#define _PKCS1SIG_H_
#include "hasht.h"
#include "seccomon.h"
#include "secoidt.h"
/* SGN_VerifyPKCS1DigestInfo verifies that the length of the digest is correct
* for the given algorithm, then verifies that the recovered data from the
* PKCS#1 signature is a properly-formatted DigestInfo that identifies the
* given digest algorithm, then verifies that the digest in the DigestInfo
* matches the given digest.
*
* dataRecoveredFromSignature must be the result of calling PK11_VerifyRecover
* or equivalent.
*
* If unsafeAllowMissingParameters is true (not recommended), then a DigestInfo
* without the mandatory ASN.1 NULL parameter will also be accepted.
*/
SECStatus _SGN_VerifyPKCS1DigestInfo(SECOidTag digestAlg,
const SECItem* digest,
const SECItem* dataRecoveredFromSignature,
PRBool unsafeAllowMissingParameters);
#endif /* _PKCS1SIG_H_ */
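Review bot: The comment documents `SGN_VerifyPKCS1DigestInfo`, but the symbol declared is `_SGN_VerifyPKCS1DigestInfo`; the two names should match so that a search for the documented name finds the prototype. The comment also omits the return contract; a line such as `Returns SECSuccess only if all three checks pass` would help, assuming that is what the implementation does. Unlike the PKCS #12 header in this commit, the prototype is not wrapped in `SEC_BEGIN_PROTOS`/`SEC_END_PROTOS`, which presumably matters only to C++ includers. Callers should pass `PR_FALSE` for `unsafeAllowMissingParameters` unless they must interoperate with signers that omit the NULL parameter, since the comment itself marks the relaxed mode as not recommended.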


@@ -0,0 +1,233 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* Header for pkcs7 types.
*/
#ifndef _PKCS7T_H_
#define _PKCS7T_H_
#include "plarena.h"
#include "seccomon.h"
#include "secoidt.h"
#include "certt.h"
#include "secmodt.h"
/* Opaque objects */
typedef struct SEC_PKCS7DecoderContextStr SEC_PKCS7DecoderContext;
typedef struct SEC_PKCS7EncoderContextStr SEC_PKCS7EncoderContext;
/* legacy defines that haven't been active for years */
typedef void *(*SECKEYGetPasswordKey)(void *arg, void *handle);
/* Non-opaque objects. NOTE, though: I want them to be treated as
* opaque as much as possible. If I could hide them completely,
* I would. (I tried, but ran into trouble that was taking me too
* much time to get out of.) I still intend to try to do so.
* In fact, the only type that "outsiders" should even *name* is
* SEC_PKCS7ContentInfo, and they should not reference its fields.
*/
/* rjr: PKCS #11 cert handling (pk11cert.c) does use SEC_PKCS7RecipientInfo's.
* This is because when we search the recipient list for the cert and key we
* want, we need to invert the order of the loops we used to have. The old
* loops were:
*
* For each recipient {
* find_cert = PK11_Find_AllCert(recipient->issuerSN);
* [which unrolls to... ]
* For each slot {
* Log into slot;
* search slot for cert;
* }
* }
*
* the new loop searchs all the recipients at once on a slot. this allows
* PKCS #11 to order slots in such a way that logout slots don't get checked
* if we can find the cert on a logged in slot. This eliminates lots of
* spurious password prompts when smart cards are installed... so why this
* comment? If you make SEC_PKCS7RecipientInfo completely opaque, you need
* to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs
* and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11
* function.
*/
typedef struct SEC_PKCS7ContentInfoStr SEC_PKCS7ContentInfo;
typedef struct SEC_PKCS7SignedDataStr SEC_PKCS7SignedData;
typedef struct SEC_PKCS7EncryptedContentInfoStr SEC_PKCS7EncryptedContentInfo;
typedef struct SEC_PKCS7EnvelopedDataStr SEC_PKCS7EnvelopedData;
typedef struct SEC_PKCS7SignedAndEnvelopedDataStr
SEC_PKCS7SignedAndEnvelopedData;
typedef struct SEC_PKCS7SignerInfoStr SEC_PKCS7SignerInfo;
typedef struct SEC_PKCS7RecipientInfoStr SEC_PKCS7RecipientInfo;
typedef struct SEC_PKCS7DigestedDataStr SEC_PKCS7DigestedData;
typedef struct SEC_PKCS7EncryptedDataStr SEC_PKCS7EncryptedData;
/*
* The following is not actually a PKCS7 type, but for now it is only
* used by PKCS7, so we have adopted it. If someone else *ever* needs
* it, its name should be changed and it should be moved out of here.
* Do not dare to use it without doing so!
*/
typedef struct SEC_PKCS7AttributeStr SEC_PKCS7Attribute;
struct SEC_PKCS7ContentInfoStr {
PLArenaPool *poolp; /* local; not part of encoding */
PRBool created; /* local; not part of encoding */
int refCount; /* local; not part of encoding */
SECOidData *contentTypeTag; /* local; not part of encoding */
SECKEYGetPasswordKey pwfn; /* local; not part of encoding */
void *pwfn_arg; /* local; not part of encoding */
SECItem contentType;
union {
SECItem *data;
SEC_PKCS7DigestedData *digestedData;
SEC_PKCS7EncryptedData *encryptedData;
SEC_PKCS7EnvelopedData *envelopedData;
SEC_PKCS7SignedData *signedData;
SEC_PKCS7SignedAndEnvelopedData *signedAndEnvelopedData;
} content;
};
struct SEC_PKCS7SignedDataStr {
SECItem version;
SECAlgorithmID **digestAlgorithms;
SEC_PKCS7ContentInfo contentInfo;
SECItem **rawCerts;
CERTSignedCrl **crls;
SEC_PKCS7SignerInfo **signerInfos;
SECItem **digests; /* local; not part of encoding */
CERTCertificate **certs; /* local; not part of encoding */
CERTCertificateList **certLists; /* local; not part of encoding */
};
#define SEC_PKCS7_SIGNED_DATA_VERSION 1 /* what we *create* */
struct SEC_PKCS7EncryptedContentInfoStr {
SECOidData *contentTypeTag; /* local; not part of encoding */
SECItem contentType;
SECAlgorithmID contentEncAlg;
SECItem encContent;
SECItem plainContent; /* local; not part of encoding */
/* bytes not encrypted, but encoded */
int keysize; /* local; not part of encoding */
/* size of bulk encryption key
* (only used by creation code) */
SECOidTag encalg; /* local; not part of encoding */
/* oid tag of encryption algorithm
* (only used by creation code) */
};
struct SEC_PKCS7EnvelopedDataStr {
SECItem version;
SEC_PKCS7RecipientInfo **recipientInfos;
SEC_PKCS7EncryptedContentInfo encContentInfo;
};
#define SEC_PKCS7_ENVELOPED_DATA_VERSION 0 /* what we *create* */
struct SEC_PKCS7SignedAndEnvelopedDataStr {
SECItem version;
SEC_PKCS7RecipientInfo **recipientInfos;
SECAlgorithmID **digestAlgorithms;
SEC_PKCS7EncryptedContentInfo encContentInfo;
SECItem **rawCerts;
CERTSignedCrl **crls;
SEC_PKCS7SignerInfo **signerInfos;
SECItem **digests; /* local; not part of encoding */
CERTCertificate **certs; /* local; not part of encoding */
CERTCertificateList **certLists; /* local; not part of encoding */
PK11SymKey *sigKey; /* local; not part of encoding */
};
#define SEC_PKCS7_SIGNED_AND_ENVELOPED_DATA_VERSION 1 /* what we *create* */
struct SEC_PKCS7SignerInfoStr {
SECItem version;
CERTIssuerAndSN *issuerAndSN;
SECAlgorithmID digestAlg;
SEC_PKCS7Attribute **authAttr;
SECAlgorithmID digestEncAlg;
SECItem encDigest;
SEC_PKCS7Attribute **unAuthAttr;
CERTCertificate *cert; /* local; not part of encoding */
CERTCertificateList *certList; /* local; not part of encoding */
};
#define SEC_PKCS7_SIGNER_INFO_VERSION 1 /* what we *create* */
struct SEC_PKCS7RecipientInfoStr {
SECItem version;
CERTIssuerAndSN *issuerAndSN;
SECAlgorithmID keyEncAlg;
SECItem encKey;
CERTCertificate *cert; /* local; not part of encoding */
};
#define SEC_PKCS7_RECIPIENT_INFO_VERSION 0 /* what we *create* */
struct SEC_PKCS7DigestedDataStr {
SECItem version;
SECAlgorithmID digestAlg;
SEC_PKCS7ContentInfo contentInfo;
SECItem digest;
};
#define SEC_PKCS7_DIGESTED_DATA_VERSION 0 /* what we *create* */
struct SEC_PKCS7EncryptedDataStr {
SECItem version;
SEC_PKCS7EncryptedContentInfo encContentInfo;
};
#define SEC_PKCS7_ENCRYPTED_DATA_VERSION 0 /* what we *create* */
/*
* See comment above about this type not really belonging to PKCS7.
*/
struct SEC_PKCS7AttributeStr {
/* The following fields make up an encoded Attribute: */
SECItem type;
SECItem **values; /* data may or may not be encoded */
/* The following fields are not part of an encoded Attribute: */
SECOidData *typeTag;
PRBool encoded; /* when true, values are encoded */
};
/*
* Type of function passed to SEC_PKCS7Decode or SEC_PKCS7DecoderStart.
* If specified, this is where the content bytes (only) will be "sent"
* as they are recovered during the decoding.
*
* XXX Should just combine this with SEC_PKCS7EncoderContentCallback type
* and use a simpler, common name.
*/
typedef void (*SEC_PKCS7DecoderContentCallback)(void *arg,
const char *buf,
unsigned long len);
/*
* Type of function passed to SEC_PKCS7Encode or SEC_PKCS7EncoderStart.
* This is where the encoded bytes will be "sent".
*
* XXX Should just combine this with SEC_PKCS7DecoderContentCallback type
* and use a simpler, common name.
*/
typedef void (*SEC_PKCS7EncoderOutputCallback)(void *arg,
const char *buf,
unsigned long len);
/*
* Type of function passed to SEC_PKCS7Decode or SEC_PKCS7DecoderStart
* to retrieve the decryption key. This function is inteded to be
* used for EncryptedData content info's which do not have a key available
* in a certificate, etc.
*/
typedef PK11SymKey *(*SEC_PKCS7GetDecryptKeyCallback)(void *arg,
SECAlgorithmID *algid);
/*
* Type of function passed to SEC_PKCS7Decode or SEC_PKCS7DecoderStart.
* This function in intended to be used to verify that decrypting a
* particular crypto algorithm is allowed. Content types which do not
* require decryption will not need the callback. If the callback
* is not specified for content types which require decryption, the
* decryption will be disallowed.
*/
typedef PRBool (*SEC_PKCS7DecryptionAllowedCallback)(SECAlgorithmID *algid,
PK11SymKey *bulkkey);
#endif /* _PKCS7T_H_ */


@@ -0,0 +1,81 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* shexp.h: Defines and prototypes for shell exp. match routines
*
* This routine will match a string with a shell expression. The expressions
* accepted are based loosely on the expressions accepted by zsh.
*
* o * matches anything
* o ? matches one character
* o \ will escape a special character
* o $ matches the end of the string
* Bracketed expressions:
* o [abc] matches one occurence of a, b, or c.
* o [^abc] matches any character except a, b, or c.
* To be matched between [ and ], these characters must be escaped: \ ]
* No other characters need be escaped between brackets.
* Unnecessary escaping is permitted.
* o [a-z] matches any character between a and z, inclusive.
* The two range-definition characters must be alphanumeric ASCII.
* If one is upper case and the other is lower case, then the ASCII
* non-alphanumeric characters between Z and a will also be in range.
* o [^a-z] matches any character except those between a and z, inclusive.
* These forms cannot be combined, e.g [a-gp-z] does not work.
* o Exclusions:
* As a top level, outter-most expression only, the expression
* foo~bar will match the expression foo, provided it does not also
* match the expression bar. Either expression or both may be a union.
* Except between brackets, any unescaped ~ is an exclusion.
* At most one exclusion is permitted.
* Exclusions cannot be nested (contain other exclusions).
* example: *~abc will match any string except abc
* o Unions:
* (foo|bar) will match either the expression foo, or the expression bar.
* At least one '|' separator is required. More are permitted.
* Expressions inside unions may not include unions or exclusions.
* Inside a union, to be matched and not treated as a special character,
* these characters must be escaped: \ ( | ) [ ~ except when they occur
* inside a bracketed expression, where only \ and ] require escaping.
*
* The public interface to these routines is documented below.
*
*/
#ifndef SHEXP_H
#define SHEXP_H
#include "utilrename.h"
/*
* Requires that the macro MALLOC be set to a "safe" malloc that will
* exit if no memory is available.
*/
/* --------------------------- Public routines ---------------------------- */
/*
* shexp_valid takes a shell expression exp as input. It returns:
*
* NON_SXP if exp is a standard string
* INVALID_SXP if exp is a shell expression, but invalid
* VALID_SXP if exp is a valid shell expression
*/
#define NON_SXP -1
#define INVALID_SXP -2
#define VALID_SXP 1
SEC_BEGIN_PROTOS
extern int PORT_RegExpValid(const char *exp);
extern int PORT_RegExpSearch(const char *str, const char *exp);
/* same as above but uses case insensitive search */
extern int PORT_RegExpCaseSearch(const char *str, const char *exp);
SEC_END_PROTOS
#endif


@@ -0,0 +1,113 @@
/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil -*- */
/*
* Fortezza support is removed.
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* Fortezza support is removed.
* This file remains so that old programs will continue to compile,
* But this functionality is no longer supported or implemented.
*/
#include "seccomon.h"
#include "prio.h"
typedef struct PEHeaderStr PEHeader;
#define PE_MIME_TYPE "application/pre-encrypted"
typedef struct PEFortezzaHeaderStr PEFortezzaHeader;
typedef struct PEFortezzaGeneratedHeaderStr PEFortezzaGeneratedHeader;
typedef struct PEFixedKeyHeaderStr PEFixedKeyHeader;
typedef struct PERSAKeyHeaderStr PERSAKeyHeader;
struct PEFortezzaHeaderStr {
unsigned char key[12];
unsigned char iv[24];
unsigned char hash[20];
unsigned char serial[8];
};
struct PEFortezzaGeneratedHeaderStr {
unsigned char key[12];
unsigned char iv[24];
unsigned char hash[20];
unsigned char Ra[128];
unsigned char Y[128];
};
struct PEFixedKeyHeaderStr {
unsigned char pkcs11Mech[4];
unsigned char labelLen[2];
unsigned char keyIDLen[2];
unsigned char ivLen[2];
unsigned char keyLen[2];
unsigned char data[1];
};
struct PERSAKeyHeaderStr {
unsigned char pkcs11Mech[4];
unsigned char issuerLen[2];
unsigned char serialLen[2];
unsigned char ivLen[2];
unsigned char keyLen[2];
unsigned char data[1];
};
#define PEFIXED_Label(header) (header->data)
#define PEFIXED_KeyID(header) (&header->data[GetInt2(header->labelLen)])
#define PEFIXED_IV(header) (&header->data[GetInt2(header->labelLen) + \
GetInt2(header->keyIDLen)])
#define PEFIXED_Key(header) (&header->data[GetInt2(header->labelLen) + \
GetInt2(header->keyIDLen) + \
GetInt2(header->keyLen)])
#define PERSA_Issuer(header) (header->data)
#define PERSA_Serial(header) (&header->data[GetInt2(header->issuerLen)])
#define PERSA_IV(header) (&header->data[GetInt2(header->issuerLen) + \
GetInt2(header->serialLen)])
#define PERSA_Key(header) (&header->data[GetInt2(header->issuerLen) + \
GetInt2(header->serialLen) + \
GetInt2(header->keyLen)])
struct PEHeaderStr {
unsigned char magic[2];
unsigned char len[2];
unsigned char type[2];
unsigned char version[2];
union {
PEFortezzaHeader fortezza;
PEFortezzaGeneratedHeader g_fortezza;
PEFixedKeyHeader fixed;
PERSAKeyHeader rsa;
} u;
};
#define PE_CRYPT_INTRO_LEN 8
#define PE_INTRO_LEN 4
#define PE_BASE_HEADER_LEN 8
#define PRE_BLOCK_SIZE 8
#define GetInt2(c) ((c[0] << 8) | c[1])
#define GetInt4(c) (((unsigned long)c[0] << 24) | ((unsigned long)c[1] << 16) | \
((unsigned long)c[2] << 8) | ((unsigned long)c[3]))
#define PutInt2(c, i) ((c[1] = (i)&0xff), (c[0] = ((i) >> 8) & 0xff))
#define PutInt4(c, i) ((c[0] = ((i) >> 24) & 0xff), (c[1] = ((i) >> 16) & 0xff), \
(c[2] = ((i) >> 8) & 0xff), (c[3] = (i)&0xff))
#define PRE_MAGIC 0xc0de
#define PRE_VERSION 0x1010
#define PRE_FORTEZZA_FILE 0x00ff
#define PRE_FORTEZZA_STREAM 0x00f5
#define PRE_FORTEZZA_GEN_STREAM 0x00f6
#define PRE_FIXED_FILE 0x000f
#define PRE_RSA_FILE 0x001f
#define PRE_FIXED_STREAM 0x0005
PEHeader *SSL_PreencryptedStreamToFile(PRFileDesc *fd, PEHeader *,
int *headerSize);
PEHeader *SSL_PreencryptedFileToStream(PRFileDesc *fd, PEHeader *,
int *headerSize);
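Review bot: `PEFIXED_Key` and `PERSA_Key` add `GetInt2(header->keyLen)` as their third offset term, but the accessors before them place the IV directly ahead of the key, so the term to skip would be expected to be `GetInt2(header->ivLen)`; as written the key pointer is only correct when the IV and key lengths happen to be equal. All of the `PEFIXED_*` and `PERSA_*` accessors also index `data[1]` with lengths taken from the header itself and perform no bounds check, so any caller would have to validate the length fields against the header's `len` field and the size of the buffer actually received before dereferencing the result. The file comment states that this functionality is no longer supported, and the header appears to be imported third-party code, so I would record the hazard rather than patch it, e.g. `/* legacy and unsupported: PEFIXED_ and PERSA_ accessors do no bounds checking; do not use on untrusted input */` above the macros.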


@@ -0,0 +1,291 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* Support for encoding/decoding of ASN.1 using BER/DER (Basic/Distinguished
* Encoding Rules). The routines are found in and used extensively by the
* security library, but exported for other use.
*/
#ifndef _SECASN1_H_
#define _SECASN1_H_
#include "utilrename.h"
#include "plarena.h"
#include "seccomon.h"
#include "secasn1t.h"
/************************************************************************/
SEC_BEGIN_PROTOS
/*
* XXX These function prototypes need full, explanatory comments.
*/
/*
** Decoding.
*/
extern SEC_ASN1DecoderContext *SEC_ASN1DecoderStart(PLArenaPool *pool,
void *dest,
const SEC_ASN1Template *t);
/* XXX char or unsigned char? */
extern SECStatus SEC_ASN1DecoderUpdate(SEC_ASN1DecoderContext *cx,
const char *buf,
unsigned long len);
extern SECStatus SEC_ASN1DecoderFinish(SEC_ASN1DecoderContext *cx);
/* Higher level code detected an error, abort the rest of the processing */
extern void SEC_ASN1DecoderAbort(SEC_ASN1DecoderContext *cx, int error);
extern void SEC_ASN1DecoderSetFilterProc(SEC_ASN1DecoderContext *cx,
SEC_ASN1WriteProc fn,
void *arg, PRBool no_store);
extern void SEC_ASN1DecoderClearFilterProc(SEC_ASN1DecoderContext *cx);
extern void SEC_ASN1DecoderSetNotifyProc(SEC_ASN1DecoderContext *cx,
SEC_ASN1NotifyProc fn,
void *arg);
extern void SEC_ASN1DecoderClearNotifyProc(SEC_ASN1DecoderContext *cx);
extern SECStatus SEC_ASN1Decode(PLArenaPool *pool, void *dest,
const SEC_ASN1Template *t,
const char *buf, long len);
/* Both classic ASN.1 and QuickDER have a feature that removes leading zeroes
out of SEC_ASN1_INTEGER if the caller sets siUnsignedInteger in the type
field of the target SECItem prior to calling the decoder. Otherwise, the
type field is ignored and untouched. For SECItem that are dynamically
allocated (from POINTER, SET OF, SEQUENCE OF) the decoder sets the type
field to siBuffer. */
extern SECStatus SEC_ASN1DecodeItem(PLArenaPool *pool, void *dest,
const SEC_ASN1Template *t,
const SECItem *src);
extern SECStatus SEC_QuickDERDecodeItem(PLArenaPool *arena, void *dest,
const SEC_ASN1Template *templateEntry,
const SECItem *src);
/*
** Encoding.
*/
extern SEC_ASN1EncoderContext *SEC_ASN1EncoderStart(const void *src,
const SEC_ASN1Template *t,
SEC_ASN1WriteProc fn,
void *output_arg);
/* XXX char or unsigned char? */
extern SECStatus SEC_ASN1EncoderUpdate(SEC_ASN1EncoderContext *cx,
const char *buf,
unsigned long len);
extern void SEC_ASN1EncoderFinish(SEC_ASN1EncoderContext *cx);
/* Higher level code detected an error, abort the rest of the processing */
extern void SEC_ASN1EncoderAbort(SEC_ASN1EncoderContext *cx, int error);
extern void SEC_ASN1EncoderSetNotifyProc(SEC_ASN1EncoderContext *cx,
SEC_ASN1NotifyProc fn,
void *arg);
extern void SEC_ASN1EncoderClearNotifyProc(SEC_ASN1EncoderContext *cx);
extern void SEC_ASN1EncoderSetStreaming(SEC_ASN1EncoderContext *cx);
extern void SEC_ASN1EncoderClearStreaming(SEC_ASN1EncoderContext *cx);
extern void sec_ASN1EncoderSetDER(SEC_ASN1EncoderContext *cx);
extern void sec_ASN1EncoderClearDER(SEC_ASN1EncoderContext *cx);
extern void SEC_ASN1EncoderSetTakeFromBuf(SEC_ASN1EncoderContext *cx);
extern void SEC_ASN1EncoderClearTakeFromBuf(SEC_ASN1EncoderContext *cx);
extern SECStatus SEC_ASN1Encode(const void *src, const SEC_ASN1Template *t,
SEC_ASN1WriteProc output_proc,
void *output_arg);
/*
* If both pool and dest are NULL, the caller should free the returned SECItem
* with a SECITEM_FreeItem(..., PR_TRUE) call. If pool is NULL but dest is
* not NULL, the caller should free the data buffer pointed to by dest with a
* SECITEM_FreeItem(dest, PR_FALSE) or PORT_Free(dest->data) call.
*/
extern SECItem *SEC_ASN1EncodeItem(PLArenaPool *pool, SECItem *dest,
const void *src, const SEC_ASN1Template *t);
extern SECItem *SEC_ASN1EncodeInteger(PLArenaPool *pool,
SECItem *dest, long value);
extern SECItem *SEC_ASN1EncodeUnsignedInteger(PLArenaPool *pool,
SECItem *dest,
unsigned long value);
extern SECStatus SEC_ASN1DecodeInteger(SECItem *src,
unsigned long *value);
/*
** Utilities.
*/
/*
* We have a length that needs to be encoded; how many bytes will the
* encoding take?
*/
extern int SEC_ASN1LengthLength(unsigned long len);
/* encode the length and return the number of bytes we encoded. Buffer
* must be pre allocated */
extern int SEC_ASN1EncodeLength(unsigned char *buf, int value);
/*
* Find the appropriate subtemplate for the given template.
* This may involve calling a "chooser" function, or it may just
* be right there. In either case, it is expected to *have* a
* subtemplate; this is asserted in debug builds (in non-debug
* builds, NULL will be returned).
*
* "thing" is a pointer to the structure being encoded/decoded
* "encoding", when true, means that we are in the process of encoding
* (as opposed to in the process of decoding)
*/
extern const SEC_ASN1Template *
SEC_ASN1GetSubtemplate(const SEC_ASN1Template *inTemplate, void *thing,
PRBool encoding);
/* whether the template is for a primitive type or a choice of
* primitive types
*/
extern PRBool SEC_ASN1IsTemplateSimple(const SEC_ASN1Template *theTemplate);
/************************************************************************/
/*
* Generic Templates
* One for each of the simple types, plus a special one for ANY, plus:
* - a pointer to each one of those
* - a set of each one of those
* - a sequence of each one of those
*
* Note that these are alphabetical (case insensitive); please add new
* ones in the appropriate place.
*/
extern const SEC_ASN1Template SEC_AnyTemplate[];
extern const SEC_ASN1Template SEC_BitStringTemplate[];
extern const SEC_ASN1Template SEC_BMPStringTemplate[];
extern const SEC_ASN1Template SEC_BooleanTemplate[];
extern const SEC_ASN1Template SEC_EnumeratedTemplate[];
extern const SEC_ASN1Template SEC_GeneralizedTimeTemplate[];
extern const SEC_ASN1Template SEC_IA5StringTemplate[];
extern const SEC_ASN1Template SEC_IntegerTemplate[];
extern const SEC_ASN1Template SEC_NullTemplate[];
extern const SEC_ASN1Template SEC_ObjectIDTemplate[];
extern const SEC_ASN1Template SEC_OctetStringTemplate[];
extern const SEC_ASN1Template SEC_PrintableStringTemplate[];
extern const SEC_ASN1Template SEC_T61StringTemplate[];
extern const SEC_ASN1Template SEC_UniversalStringTemplate[];
extern const SEC_ASN1Template SEC_UTCTimeTemplate[];
extern const SEC_ASN1Template SEC_UTF8StringTemplate[];
extern const SEC_ASN1Template SEC_VisibleStringTemplate[];
extern const SEC_ASN1Template SEC_PointerToAnyTemplate[];
extern const SEC_ASN1Template SEC_PointerToBitStringTemplate[];
extern const SEC_ASN1Template SEC_PointerToBMPStringTemplate[];
extern const SEC_ASN1Template SEC_PointerToBooleanTemplate[];
extern const SEC_ASN1Template SEC_PointerToEnumeratedTemplate[];
extern const SEC_ASN1Template SEC_PointerToGeneralizedTimeTemplate[];
extern const SEC_ASN1Template SEC_PointerToIA5StringTemplate[];
extern const SEC_ASN1Template SEC_PointerToIntegerTemplate[];
extern const SEC_ASN1Template SEC_PointerToNullTemplate[];
extern const SEC_ASN1Template SEC_PointerToObjectIDTemplate[];
extern const SEC_ASN1Template SEC_PointerToOctetStringTemplate[];
extern const SEC_ASN1Template SEC_PointerToPrintableStringTemplate[];
extern const SEC_ASN1Template SEC_PointerToT61StringTemplate[];
extern const SEC_ASN1Template SEC_PointerToUniversalStringTemplate[];
extern const SEC_ASN1Template SEC_PointerToUTCTimeTemplate[];
extern const SEC_ASN1Template SEC_PointerToUTF8StringTemplate[];
extern const SEC_ASN1Template SEC_PointerToVisibleStringTemplate[];
extern const SEC_ASN1Template SEC_SequenceOfAnyTemplate[];
extern const SEC_ASN1Template SEC_SequenceOfBitStringTemplate[];
extern const SEC_ASN1Template SEC_SequenceOfBMPStringTemplate[];
extern const SEC_ASN1Template SEC_SequenceOfBooleanTemplate[];
extern const SEC_ASN1Template SEC_SequenceOfEnumeratedTemplate[];
extern const SEC_ASN1Template SEC_SequenceOfGeneralizedTimeTemplate[];
extern const SEC_ASN1Template SEC_SequenceOfIA5StringTemplate[];
extern const SEC_ASN1Template SEC_SequenceOfIntegerTemplate[];
extern const SEC_ASN1Template SEC_SequenceOfNullTemplate[];
extern const SEC_ASN1Template SEC_SequenceOfObjectIDTemplate[];
extern const SEC_ASN1Template SEC_SequenceOfOctetStringTemplate[];
extern const SEC_ASN1Template SEC_SequenceOfPrintableStringTemplate[];
extern const SEC_ASN1Template SEC_SequenceOfT61StringTemplate[];
extern const SEC_ASN1Template SEC_SequenceOfUniversalStringTemplate[];
extern const SEC_ASN1Template SEC_SequenceOfUTCTimeTemplate[];
extern const SEC_ASN1Template SEC_SequenceOfUTF8StringTemplate[];
extern const SEC_ASN1Template SEC_SequenceOfVisibleStringTemplate[];
extern const SEC_ASN1Template SEC_SetOfAnyTemplate[];
extern const SEC_ASN1Template SEC_SetOfBitStringTemplate[];
extern const SEC_ASN1Template SEC_SetOfBMPStringTemplate[];
extern const SEC_ASN1Template SEC_SetOfBooleanTemplate[];
extern const SEC_ASN1Template SEC_SetOfEnumeratedTemplate[];
extern const SEC_ASN1Template SEC_SetOfGeneralizedTimeTemplate[];
extern const SEC_ASN1Template SEC_SetOfIA5StringTemplate[];
extern const SEC_ASN1Template SEC_SetOfIntegerTemplate[];
extern const SEC_ASN1Template SEC_SetOfNullTemplate[];
extern const SEC_ASN1Template SEC_SetOfObjectIDTemplate[];
extern const SEC_ASN1Template SEC_SetOfOctetStringTemplate[];
extern const SEC_ASN1Template SEC_SetOfPrintableStringTemplate[];
extern const SEC_ASN1Template SEC_SetOfT61StringTemplate[];
extern const SEC_ASN1Template SEC_SetOfUniversalStringTemplate[];
extern const SEC_ASN1Template SEC_SetOfUTCTimeTemplate[];
extern const SEC_ASN1Template SEC_SetOfUTF8StringTemplate[];
extern const SEC_ASN1Template SEC_SetOfVisibleStringTemplate[];
/*
* Template for skipping a subitem; this only makes sense when decoding.
*/
extern const SEC_ASN1Template SEC_SkipTemplate[];
/* These functions simply return the address of the above-declared templates.
** This is necessary for Windows DLLs. Sigh.
*/
SEC_ASN1_CHOOSER_DECLARE(SEC_AnyTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_BMPStringTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_BooleanTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_BitStringTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_GeneralizedTimeTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_IA5StringTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_IntegerTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_NullTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_ObjectIDTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_OctetStringTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_UTCTimeTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_UTF8StringTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_PointerToAnyTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_PointerToOctetStringTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_SetOfAnyTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_EnumeratedTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_PointerToEnumeratedTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_SequenceOfAnyTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_SequenceOfObjectIDTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_SkipTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_UniversalStringTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_PrintableStringTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_T61StringTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_PointerToGeneralizedTimeTemplate)
SEC_END_PROTOS
#endif /* _SECASN1_H_ */


@@ -0,0 +1,267 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* Types for encoding/decoding of ASN.1 using BER/DER (Basic/Distinguished
* Encoding Rules).
*/
#ifndef _SECASN1T_H_
#define _SECASN1T_H_
#include "utilrename.h"
/*
** An array of these structures defines a BER/DER encoding for an object.
**
** The array usually starts with a dummy entry whose kind is SEC_ASN1_SEQUENCE;
** such an array is terminated with an entry where kind == 0. (An array
** which consists of a single component does not require a second dummy
** entry -- the array is only searched as long as previous component(s)
** instruct it.)
*/
typedef struct sec_ASN1Template_struct {
/*
** Kind of item being decoded/encoded, including tags and modifiers.
*/
unsigned long kind;
/*
** The value is the offset from the base of the structure to the
** field that holds the value being decoded/encoded.
*/
unsigned long offset;
/*
** When kind suggests it (SEC_ASN1_POINTER, SEC_ASN1_GROUP, SEC_ASN1_INLINE,
** or a component that is *not* a SEC_ASN1_UNIVERSAL), this points to
** a sub-template for nested encoding/decoding,
** OR, iff SEC_ASN1_DYNAMIC is set, then this is a pointer to a pointer
** to a function which will return the appropriate template when called
** at runtime. NOTE! that explicit level of indirection, which is
** necessary because ANSI does not allow you to store a function
** pointer directly as a "void *" so we must store it separately and
** dereference it to get at the function pointer itself.
*/
const void *sub;
/*
** In the first element of a template array, the value is the size
** of the structure to allocate when this template is being referenced
** by another template via SEC_ASN1_POINTER or SEC_ASN1_GROUP.
** In all other cases, the value is ignored.
*/
unsigned int size;
} SEC_ASN1Template;
/* default size used for allocation of encoding/decoding stuff */
/* XXX what is the best value here? */
#define SEC_ASN1_DEFAULT_ARENA_SIZE (2048)
/*
** BER/DER values for ASN.1 identifier octets.
*/
#define SEC_ASN1_TAG_MASK 0xff
/*
* BER/DER universal type tag numbers.
* The values are defined by the X.208 standard; do not change them!
* NOTE: if you add anything to this list, you must add code to secasn1d.c
* to accept the tag, and probably also to secasn1e.c to encode it.
* XXX It appears some have been added recently without being added to
* the code; so need to go through the list now and double-check them all.
* (Look especially at those added in revision 1.10.)
*/
#define SEC_ASN1_TAGNUM_MASK 0x1f
#define SEC_ASN1_BOOLEAN 0x01
#define SEC_ASN1_INTEGER 0x02
#define SEC_ASN1_BIT_STRING 0x03
#define SEC_ASN1_OCTET_STRING 0x04
#define SEC_ASN1_NULL 0x05
#define SEC_ASN1_OBJECT_ID 0x06
#define SEC_ASN1_OBJECT_DESCRIPTOR 0x07
/* External type and instance-of type 0x08 */
#define SEC_ASN1_REAL 0x09
#define SEC_ASN1_ENUMERATED 0x0a
#define SEC_ASN1_EMBEDDED_PDV 0x0b
#define SEC_ASN1_UTF8_STRING 0x0c
/* 0x0d */
/* 0x0e */
/* 0x0f */
#define SEC_ASN1_SEQUENCE 0x10
#define SEC_ASN1_SET 0x11
#define SEC_ASN1_NUMERIC_STRING 0x12
#define SEC_ASN1_PRINTABLE_STRING 0x13
#define SEC_ASN1_T61_STRING 0x14
#define SEC_ASN1_VIDEOTEX_STRING 0x15
#define SEC_ASN1_IA5_STRING 0x16
#define SEC_ASN1_UTC_TIME 0x17
#define SEC_ASN1_GENERALIZED_TIME 0x18
#define SEC_ASN1_GRAPHIC_STRING 0x19
#define SEC_ASN1_VISIBLE_STRING 0x1a
#define SEC_ASN1_GENERAL_STRING 0x1b
#define SEC_ASN1_UNIVERSAL_STRING 0x1c
/* 0x1d */
#define SEC_ASN1_BMP_STRING 0x1e
#define SEC_ASN1_HIGH_TAG_NUMBER 0x1f
#define SEC_ASN1_TELETEX_STRING SEC_ASN1_T61_STRING
/*
** Modifiers to type tags. These are also specified by a/the
** standard, and must not be changed.
*/
#define SEC_ASN1_METHOD_MASK 0x20
#define SEC_ASN1_PRIMITIVE 0x00
#define SEC_ASN1_CONSTRUCTED 0x20
#define SEC_ASN1_CLASS_MASK 0xc0
#define SEC_ASN1_UNIVERSAL 0x00
#define SEC_ASN1_APPLICATION 0x40
#define SEC_ASN1_CONTEXT_SPECIFIC 0x80
#define SEC_ASN1_PRIVATE 0xc0
/*
** Our additions, used for templates.
** These are not defined by any standard; the values are used internally only.
** Just be careful to keep them out of the low 8 bits.
** XXX finish comments
*/
#define SEC_ASN1_OPTIONAL 0x00100
#define SEC_ASN1_EXPLICIT 0x00200
#define SEC_ASN1_ANY 0x00400
#define SEC_ASN1_INLINE 0x00800
#define SEC_ASN1_POINTER 0x01000
#define SEC_ASN1_GROUP 0x02000 /* with SET or SEQUENCE means \
* SET OF or SEQUENCE OF */
#define SEC_ASN1_DYNAMIC 0x04000 /* subtemplate is found by calling \
* a function at runtime */
#define SEC_ASN1_SKIP 0x08000 /* skip a field; only for decoding */
#define SEC_ASN1_INNER 0x10000 /* with ANY means capture the \
* contents only (not the id, len, \
* or eoc); only for decoding */
#define SEC_ASN1_SAVE 0x20000 /* stash away the encoded bytes first; \
* only for decoding */
#define SEC_ASN1_MAY_STREAM 0x40000 /* field or one of its sub-fields may \
* stream in and so should encode as \
* indefinite-length when streaming \
* has been indicated; only for \
* encoding */
#define SEC_ASN1_SKIP_REST 0x80000 /* skip all following fields; \
only for decoding */
#define SEC_ASN1_CHOICE 0x100000 /* pick one from a template */
#define SEC_ASN1_NO_STREAM 0X200000 /* This entry will not stream \
even if the sub-template says \
streaming is possible. Helps \
to solve ambiguities with potential \
streaming entries that are \
optional */
#define SEC_ASN1_DEBUG_BREAK 0X400000 /* put this in your template and the \
decoder will assert when it \
processes it. Only for use with \
SEC_QuickDERDecodeItem */
/* Shorthand/Aliases */
#define SEC_ASN1_SEQUENCE_OF (SEC_ASN1_GROUP | SEC_ASN1_SEQUENCE)
#define SEC_ASN1_SET_OF (SEC_ASN1_GROUP | SEC_ASN1_SET)
#define SEC_ASN1_ANY_CONTENTS (SEC_ASN1_ANY | SEC_ASN1_INNER)
/* Maximum depth of nested SEQUENCEs and SETs */
#define SEC_ASN1D_MAX_DEPTH 32
/*
** Function used for SEC_ASN1_DYNAMIC.
** "arg" is a pointer to the structure being encoded/decoded
** "enc", when true, means that we are encoding (false means decoding)
*/
typedef const SEC_ASN1Template *SEC_ASN1TemplateChooser(void *arg, PRBool enc);
typedef SEC_ASN1TemplateChooser *SEC_ASN1TemplateChooserPtr;
#if defined(_WIN32) || defined(ANDROID)
#define SEC_ASN1_GET(x) NSS_Get_##x(NULL, PR_FALSE)
#define SEC_ASN1_SUB(x) &p_NSS_Get_##x
#define SEC_ASN1_XTRN SEC_ASN1_DYNAMIC
#define SEC_ASN1_MKSUB(x) \
static const SEC_ASN1TemplateChooserPtr p_NSS_Get_##x = &NSS_Get_##x;
#else
#define SEC_ASN1_GET(x) x
#define SEC_ASN1_SUB(x) x
#define SEC_ASN1_XTRN 0
#define SEC_ASN1_MKSUB(x)
#endif
#define SEC_ASN1_CHOOSER_DECLARE(x) \
extern const SEC_ASN1Template *NSS_Get_##x(void *arg, PRBool enc);
#define SEC_ASN1_CHOOSER_IMPLEMENT(x) \
const SEC_ASN1Template *NSS_Get_##x(void *arg, PRBool enc) \
{ \
return x; \
}
/*
** Opaque object used by the decoder to store state.
*/
typedef struct sec_DecoderContext_struct SEC_ASN1DecoderContext;
/*
** Opaque object used by the encoder to store state.
*/
typedef struct sec_EncoderContext_struct SEC_ASN1EncoderContext;
/*
* This is used to describe to a filter function the bytes that are
* being passed to it. This is only useful when the filter is an "outer"
* one, meaning it expects to get *all* of the bytes not just the
* contents octets.
*/
typedef enum {
SEC_ASN1_Identifier = 0,
SEC_ASN1_Length = 1,
SEC_ASN1_Contents = 2,
SEC_ASN1_EndOfContents = 3
} SEC_ASN1EncodingPart;
/*
* Type of the function pointer used either for decoding or encoding,
* when doing anything "funny" (e.g. manipulating the data stream)
*/
typedef void (*SEC_ASN1NotifyProc)(void *arg, PRBool before,
void *dest, int real_depth);
/*
* Type of the function pointer used for grabbing encoded bytes.
* This can be used during either encoding or decoding, as follows...
*
* When decoding, this can be used to filter the encoded bytes as they
* are parsed. This is what you would do if you wanted to process the data
* along the way (like to decrypt it, or to perform a hash on it in order
* to do a signature check later). See SEC_ASN1DecoderSetFilterProc().
* When processing only part of the encoded bytes is desired, you "watch"
* for the field(s) you are interested in with a "notify proc" (see
* SEC_ASN1DecoderSetNotifyProc()) and for even finer granularity (e.g. to
* ignore all by the contents bytes) you pay attention to the "data_kind"
* parameter.
*
* When encoding, this is the specification for the output function which
* will receive the bytes as they are encoded. The output function can
* perform any postprocessing necessary (like hashing (some of) the data
* to create a digest that gets included at the end) as well as shoving
* the data off wherever it needs to go. (In order to "tune" any processing,
* you can set a "notify proc" as described above in the decoding case.)
*
* The parameters:
* - "arg" is an opaque pointer that you provided at the same time you
* specified a function of this type
* - "data" is a buffer of length "len", containing the encoded bytes
* - "depth" is how deep in a nested encoding we are (it is not usually
* valuable, but can be useful sometimes so I included it)
* - "data_kind" tells you if these bytes are part of the ASN.1 encoded
* octets for identifier, length, contents, or end-of-contents
*/
typedef void (*SEC_ASN1WriteProc)(void *arg,
const char *data, unsigned long len,
int depth, SEC_ASN1EncodingPart data_kind);
#endif /* _SECASN1T_H_ */


@@ -0,0 +1,91 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* seccomon.h - common data structures for security libraries
*
* This file should have lowest-common-denominator datastructures
* for security libraries. It should not be dependent on any other
* headers, and should not require linking with any libraries.
*/
#ifndef _SECCOMMON_H_
#define _SECCOMMON_H_
#include "utilrename.h"
#include "prtypes.h"
#ifdef __cplusplus
#define SEC_BEGIN_PROTOS extern "C" {
#define SEC_END_PROTOS }
#else
#define SEC_BEGIN_PROTOS
#define SEC_END_PROTOS
#endif
#include "secport.h"
typedef enum {
siBuffer = 0,
siClearDataBuffer = 1,
siCipherDataBuffer = 2,
siDERCertBuffer = 3,
siEncodedCertBuffer = 4,
siDERNameBuffer = 5,
siEncodedNameBuffer = 6,
siAsciiNameString = 7,
siAsciiString = 8,
siDEROID = 9,
siUnsignedInteger = 10,
siUTCTime = 11,
siGeneralizedTime = 12,
siVisibleString = 13,
siUTF8String = 14,
siBMPString = 15
} SECItemType;
typedef struct SECItemStr SECItem;
struct SECItemStr {
SECItemType type;
unsigned char *data;
unsigned int len;
};
typedef struct SECItemArrayStr SECItemArray;
struct SECItemArrayStr {
SECItem *items;
unsigned int len;
};
/*
** A status code. Status's are used by procedures that return status
** values. Again the motivation is so that a compiler can generate
** warnings when return values are wrong. Correct testing of status codes:
**
** SECStatus rv;
** rv = some_function (some_argument);
** if (rv != SECSuccess)
** do_an_error_thing();
**
*/
typedef enum _SECStatus {
SECWouldBlock = -2,
SECFailure = -1,
SECSuccess = 0
} SECStatus;
/*
** A comparison code. Used for procedures that return comparision
** values. Again the motivation is so that a compiler can generate
** warnings when return values are wrong.
*/
typedef enum _SECComparison {
SECLessThan = -1,
SECEqual = 0,
SECGreaterThan = 1
} SECComparison;
#endif /* _SECCOMMON_H_ */


@@ -0,0 +1,172 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _SECDER_H_
#define _SECDER_H_
#include "utilrename.h"
/*
* secder.h - public data structures and prototypes for the DER encoding and
* decoding utilities library
*/
#include <time.h>
#include "plarena.h"
#include "prlong.h"
#include "seccomon.h"
#include "secdert.h"
#include "prtime.h"
SEC_BEGIN_PROTOS
/*
** Encode a data structure into DER.
** "dest" will be filled in (and memory allocated) to hold the der
** encoded structure in "src"
** "t" is a template structure which defines the shape of the
** stored data
** "src" is a pointer to the structure that will be encoded
*/
extern SECStatus DER_Encode(PLArenaPool *arena, SECItem *dest, DERTemplate *t,
void *src);
extern SECStatus DER_Lengths(SECItem *item, int *header_len_p,
PRUint32 *contents_len_p);
/*
** Lower level der subroutine that stores the standard header into "to".
** The header is of variable length, based on encodingLen.
** The return value is the new value of "to" after skipping over the header.
** "to" is where the header will be stored
** "code" is the der code to write
** "encodingLen" is the number of bytes of data that will follow
** the header
*/
extern unsigned char *DER_StoreHeader(unsigned char *to, unsigned int code,
PRUint32 encodingLen);
/*
** Return the number of bytes it will take to hold a der encoded length.
*/
extern int DER_LengthLength(PRUint32 len);
/*
** Store a der encoded *signed* integer (whose value is "src") into "dst".
** XXX This should really be enhanced to take a long.
*/
extern SECStatus DER_SetInteger(PLArenaPool *arena, SECItem *dst, PRInt32 src);
/*
** Store a der encoded *unsigned* integer (whose value is "src") into "dst".
** XXX This should really be enhanced to take an unsigned long.
*/
extern SECStatus DER_SetUInteger(PLArenaPool *arena, SECItem *dst, PRUint32 src);
/*
** Decode a der encoded *signed* integer that is stored in "src".
** If "-1" is returned, then the caller should check the error in
** XP_GetError() to see if an overflow occurred (SEC_ERROR_BAD_DER).
*/
extern long DER_GetInteger(const SECItem *src);
/*
** Decode a der encoded *unsigned* integer that is stored in "src".
** If the ULONG_MAX is returned, then the caller should check the error
** in XP_GetError() to see if an overflow occurred (SEC_ERROR_BAD_DER).
*/
extern unsigned long DER_GetUInteger(SECItem *src);
/*
** Convert an NSPR time value to a der encoded time value.
** "result" is the der encoded time (memory is allocated)
** "time" is the NSPR time value (Since Jan 1st, 1970).
** time must be on or after January 1, 1950, and
** before January 1, 2050
** The caller is responsible for freeing up the buffer which
** result->data points to upon a successful operation.
*/
extern SECStatus DER_TimeToUTCTime(SECItem *result, PRTime time);
extern SECStatus DER_TimeToUTCTimeArena(PLArenaPool *arenaOpt,
SECItem *dst, PRTime gmttime);
/*
** Convert an ascii encoded time value (according to DER rules) into
** an NSPR time value.
** "result" the resulting NSPR time
** "string" the der notation ascii value to decode
*/
extern SECStatus DER_AsciiToTime(PRTime *result, const char *string);
/*
** Same as DER_AsciiToTime except takes an SECItem instead of a string
*/
extern SECStatus DER_UTCTimeToTime(PRTime *result, const SECItem *time);
/*
** Convert a DER encoded UTC time to an ascii time representation
** "utctime" is the DER encoded UTC time to be converted. The
** caller is responsible for deallocating the returned buffer.
*/
extern char *DER_UTCTimeToAscii(SECItem *utcTime);
/*
** Convert a DER encoded UTC time to an ascii time representation, but only
** include the day, not the time.
** "utctime" is the DER encoded UTC time to be converted.
** The caller is responsible for deallocating the returned buffer.
*/
extern char *DER_UTCDayToAscii(SECItem *utctime);
/* same thing for DER encoded GeneralizedTime */
extern char *DER_GeneralizedDayToAscii(SECItem *gentime);
/* same thing for either DER UTCTime or GeneralizedTime */
extern char *DER_TimeChoiceDayToAscii(SECItem *timechoice);
/*
** Convert a PRTime to a DER encoded Generalized time
** gmttime must be on or after January 1, year 1 and
** before January 1, 10000.
*/
extern SECStatus DER_TimeToGeneralizedTime(SECItem *dst, PRTime gmttime);
extern SECStatus DER_TimeToGeneralizedTimeArena(PLArenaPool *arenaOpt,
SECItem *dst, PRTime gmttime);
/*
** Convert a DER encoded Generalized time value into an NSPR time value.
** "dst" the resulting NSPR time
** "string" the der notation ascii value to decode
*/
extern SECStatus DER_GeneralizedTimeToTime(PRTime *dst, const SECItem *time);
/*
** Convert from a PRTime UTC time value to a formatted ascii value. The
** caller is responsible for deallocating the returned buffer.
*/
extern char *CERT_UTCTime2FormattedAscii(PRTime utcTime, char *format);
#define CERT_GeneralizedTime2FormattedAscii CERT_UTCTime2FormattedAscii
/*
** Convert from a PRTime Generalized time value to a formatted ascii value. The
** caller is responsible for deallocating the returned buffer.
*/
extern char *CERT_GenTime2FormattedAscii(PRTime genTime, char *format);
/*
** decode a SECItem containing either a SEC_ASN1_GENERALIZED_TIME
** or a SEC_ASN1_UTC_TIME
*/
extern SECStatus DER_DecodeTimeChoice(PRTime *output, const SECItem *input);
/* encode a PRTime to an ASN.1 DER SECItem containing either a
SEC_ASN1_GENERALIZED_TIME or a SEC_ASN1_UTC_TIME */
extern SECStatus DER_EncodeTimeChoice(PLArenaPool *arena, SECItem *output,
PRTime input);
SEC_END_PROTOS
#endif /* _SECDER_H_ */


@@ -0,0 +1,129 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _SECDERT_H_
#define _SECDERT_H_
/*
* secdert.h - public data structures for the DER encoding and
* decoding utilities library
*/
#include "utilrename.h"
#include "seccomon.h"
typedef struct DERTemplateStr DERTemplate;
/*
** An array of these structures defines an encoding for an object using DER.
** The array usually starts with a dummy entry whose kind is DER_SEQUENCE;
** such an array is terminated with an entry where kind == 0. (An array
** which consists of a single component does not require a second dummy
** entry -- the array is only searched as long as previous component(s)
** instruct it.)
*/
struct DERTemplateStr {
/*
** Kind of item being decoded/encoded, including tags and modifiers.
*/
unsigned long kind;
/*
** Offset from base of structure to field that holds the value
** being decoded/encoded.
*/
unsigned int offset;
/*
** When kind suggests it (DER_POINTER, DER_INDEFINITE, DER_INLINE),
** this points to a sub-template for nested encoding/decoding.
*/
DERTemplate *sub;
/*
** Argument value, dependent on "kind" and/or template placement
** within an array of templates:
** - In the first element of a template array, the value is the
** size of the structure to allocate when this template is being
** referenced by another template via DER_POINTER or DER_INDEFINITE.
** - In a component of a DER_SET or DER_SEQUENCE which is *not* a
** DER_UNIVERSAL type (that is, it has a class tag for either
** DER_APPLICATION, DER_CONTEXT_SPECIFIC, or DER_PRIVATE), the
** value is the underlying type of item being decoded/encoded.
*/
unsigned long arg;
};
/************************************************************************/
/* default chunksize for arenas used for DER stuff */
#define DER_DEFAULT_CHUNKSIZE (2048)
/*
** BER/DER values for ASN.1 identifier octets.
*/
#define DER_TAG_MASK 0xff
/*
* BER/DER universal type tag numbers.
* The values are defined by the X.208 standard; do not change them!
* NOTE: if you add anything to this list, you must add code to derdec.c
* to accept the tag, and probably also to derenc.c to encode it.
*/
#define DER_TAGNUM_MASK 0x1f
#define DER_BOOLEAN 0x01
#define DER_INTEGER 0x02
#define DER_BIT_STRING 0x03
#define DER_OCTET_STRING 0x04
#define DER_NULL 0x05
#define DER_OBJECT_ID 0x06
#define DER_SEQUENCE 0x10
#define DER_SET 0x11
#define DER_PRINTABLE_STRING 0x13
#define DER_T61_STRING 0x14
#define DER_IA5_STRING 0x16
#define DER_UTC_TIME 0x17
#define DER_VISIBLE_STRING 0x1a
#define DER_HIGH_TAG_NUMBER 0x1f
/*
** Modifiers to type tags. These are also specified by a/the
** standard, and must not be changed.
*/
#define DER_METHOD_MASK 0x20
#define DER_PRIMITIVE 0x00
#define DER_CONSTRUCTED 0x20
#define DER_CLASS_MASK 0xc0
#define DER_UNIVERSAL 0x00
#define DER_APPLICATION 0x40
#define DER_CONTEXT_SPECIFIC 0x80
#define DER_PRIVATE 0xc0
/*
** Our additions, used for templates.
** These are not defined by any standard; the values are used internally only.
** Just be careful to keep them out of the low 8 bits.
*/
#define DER_OPTIONAL 0x00100
#define DER_EXPLICIT 0x00200
#define DER_ANY 0x00400
#define DER_INLINE 0x00800
#define DER_POINTER 0x01000
#define DER_INDEFINITE 0x02000
#define DER_DERPTR 0x04000
#define DER_SKIP 0x08000
#define DER_FORCE 0x10000
#define DER_OUTER 0x40000 /* for DER_DERPTR */
/*
** Macro to convert der decoded bit string into a decoded octet
** string. All it needs to do is fiddle with the length code.
*/
#define DER_ConvertBitString(item) \
{ \
(item)->len = ((item)->len + 7) >> 3; \
}
#endif /* _SECDERT_H_ */


@@ -0,0 +1,100 @@
/*
* secdig.h - public prototypes for digest-info functions
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _SECDIG_H_
#define _SECDIG_H_
#include "utilrename.h"
#include "secdigt.h"
#include "seccomon.h"
#include "secasn1t.h"
#include "secdert.h"
SEC_BEGIN_PROTOS
extern const SEC_ASN1Template sgn_DigestInfoTemplate[];
SEC_ASN1_CHOOSER_DECLARE(sgn_DigestInfoTemplate)
/****************************************/
/*
** Digest-info functions
*/
/*
** Create a new digest-info object
** "algorithm" one of SEC_OID_MD2, SEC_OID_MD5, or SEC_OID_SHA1
** "sig" the raw signature data (from MD2 or MD5)
** "sigLen" the length of the signature data
**
** NOTE: this is a low level routine used to prepare some data for PKCS#1
** digital signature formatting.
**
** XXX It might be nice to combine the create and encode functions.
** I think that is all anybody ever wants to do anyway.
*/
extern SGNDigestInfo *SGN_CreateDigestInfo(SECOidTag algorithm,
const unsigned char *sig,
unsigned int sigLen);
/*
** Destroy a digest-info object
*/
extern void SGN_DestroyDigestInfo(SGNDigestInfo *info);
/*
** Encode a digest-info object
** "poolp" is where to allocate the result from; it can be NULL in
** which case generic heap allocation (XP_ALLOC) will be used
** "dest" is where to store the result; it can be NULL, in which case
** it will be allocated (from poolp or heap, as explained above)
** "diginfo" is the object to be encoded
** The return value is NULL if any error occurred, otherwise it is the
** resulting SECItem (either allocated or the same as the "dest" parameter).
**
** XXX It might be nice to combine the create and encode functions.
** I think that is all anybody ever wants to do anyway.
*/
extern SECItem *SGN_EncodeDigestInfo(PLArenaPool *poolp, SECItem *dest,
SGNDigestInfo *diginfo);
/*
** Decode a DER encoded digest info objct.
** didata is thr source of the encoded digest.
** The return value is NULL if an error occurs. Otherwise, a
** digest info object which is allocated within it's own
** pool is returned. The digest info should be deleted
** by later calling SGN_DestroyDigestInfo.
*/
extern SGNDigestInfo *SGN_DecodeDigestInfo(SECItem *didata);
/*
** Copy digest info.
** poolp is the arena to which the digest will be copied.
** a is the destination digest, it must be non-NULL.
** b is the source digest
** This function is for copying digests. It allows digests
** to be copied into a specified pool. If the digest is in
** the same pool as other data, you do not want to delete
** the digest by calling SGN_DestroyDigestInfo.
** A return value of SECFailure indicates an error. A return
** of SECSuccess indicates no error occurred.
*/
extern SECStatus SGN_CopyDigestInfo(PLArenaPool *poolp,
SGNDigestInfo *a,
SGNDigestInfo *b);
/*
** Compare two digest-info objects, returning the difference between
** them.
*/
extern SECComparison SGN_CompareDigestInfo(SGNDigestInfo *a, SGNDigestInfo *b);
SEC_END_PROTOS
#endif /* _SECDIG_H_ */


@@ -0,0 +1,26 @@
/*
* secdigt.h - public data structures for digest-info objects
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _SECDIGT_H_
#define _SECDIGT_H_
#include "utilrename.h"
#include "plarena.h"
#include "secoidt.h"
#include "secitem.h"
/*
** A PKCS#1 digest-info object
*/
struct SGNDigestInfoStr {
PLArenaPool* arena;
SECAlgorithmID digestAlgorithm;
SECItem digest;
};
typedef struct SGNDigestInfoStr SGNDigestInfo;
#endif /* _SECDIGT_H_ */


@@ -0,0 +1,218 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef __SEC_ERR_H_
#define __SEC_ERR_H_
#include "utilrename.h"
#define SEC_ERROR_BASE (-0x2000)
#define SEC_ERROR_LIMIT (SEC_ERROR_BASE + 1000)
#define IS_SEC_ERROR(code) \
(((code) >= SEC_ERROR_BASE) && ((code) < SEC_ERROR_LIMIT))
#ifndef NO_SECURITY_ERROR_ENUM
typedef enum {
SEC_ERROR_IO = SEC_ERROR_BASE + 0,
SEC_ERROR_LIBRARY_FAILURE = SEC_ERROR_BASE + 1,
SEC_ERROR_BAD_DATA = SEC_ERROR_BASE + 2,
SEC_ERROR_OUTPUT_LEN = SEC_ERROR_BASE + 3,
SEC_ERROR_INPUT_LEN = SEC_ERROR_BASE + 4,
SEC_ERROR_INVALID_ARGS = SEC_ERROR_BASE + 5,
SEC_ERROR_INVALID_ALGORITHM = SEC_ERROR_BASE + 6,
SEC_ERROR_INVALID_AVA = SEC_ERROR_BASE + 7,
SEC_ERROR_INVALID_TIME = SEC_ERROR_BASE + 8,
SEC_ERROR_BAD_DER = SEC_ERROR_BASE + 9,
SEC_ERROR_BAD_SIGNATURE = SEC_ERROR_BASE + 10,
SEC_ERROR_EXPIRED_CERTIFICATE = SEC_ERROR_BASE + 11,
SEC_ERROR_REVOKED_CERTIFICATE = SEC_ERROR_BASE + 12,
SEC_ERROR_UNKNOWN_ISSUER = SEC_ERROR_BASE + 13,
SEC_ERROR_BAD_KEY = SEC_ERROR_BASE + 14,
SEC_ERROR_BAD_PASSWORD = SEC_ERROR_BASE + 15,
SEC_ERROR_RETRY_PASSWORD = SEC_ERROR_BASE + 16,
SEC_ERROR_NO_NODELOCK = SEC_ERROR_BASE + 17,
SEC_ERROR_BAD_DATABASE = SEC_ERROR_BASE + 18,
SEC_ERROR_NO_MEMORY = SEC_ERROR_BASE + 19,
SEC_ERROR_UNTRUSTED_ISSUER = SEC_ERROR_BASE + 20,
SEC_ERROR_UNTRUSTED_CERT = SEC_ERROR_BASE + 21,
SEC_ERROR_DUPLICATE_CERT = (SEC_ERROR_BASE + 22),
SEC_ERROR_DUPLICATE_CERT_NAME = (SEC_ERROR_BASE + 23),
SEC_ERROR_ADDING_CERT = (SEC_ERROR_BASE + 24),
SEC_ERROR_FILING_KEY = (SEC_ERROR_BASE + 25),
SEC_ERROR_NO_KEY = (SEC_ERROR_BASE + 26),
SEC_ERROR_CERT_VALID = (SEC_ERROR_BASE + 27),
SEC_ERROR_CERT_NOT_VALID = (SEC_ERROR_BASE + 28),
SEC_ERROR_CERT_NO_RESPONSE = (SEC_ERROR_BASE + 29),
SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE = (SEC_ERROR_BASE + 30),
SEC_ERROR_CRL_EXPIRED = (SEC_ERROR_BASE + 31),
SEC_ERROR_CRL_BAD_SIGNATURE = (SEC_ERROR_BASE + 32),
SEC_ERROR_CRL_INVALID = (SEC_ERROR_BASE + 33),
SEC_ERROR_EXTENSION_VALUE_INVALID = (SEC_ERROR_BASE + 34),
SEC_ERROR_EXTENSION_NOT_FOUND = (SEC_ERROR_BASE + 35),
SEC_ERROR_CA_CERT_INVALID = (SEC_ERROR_BASE + 36),
SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID = (SEC_ERROR_BASE + 37),
SEC_ERROR_CERT_USAGES_INVALID = (SEC_ERROR_BASE + 38),
SEC_INTERNAL_ONLY = (SEC_ERROR_BASE + 39),
SEC_ERROR_INVALID_KEY = (SEC_ERROR_BASE + 40),
SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION = (SEC_ERROR_BASE + 41),
SEC_ERROR_OLD_CRL = (SEC_ERROR_BASE + 42),
SEC_ERROR_NO_EMAIL_CERT = (SEC_ERROR_BASE + 43),
SEC_ERROR_NO_RECIPIENT_CERTS_QUERY = (SEC_ERROR_BASE + 44),
SEC_ERROR_NOT_A_RECIPIENT = (SEC_ERROR_BASE + 45),
SEC_ERROR_PKCS7_KEYALG_MISMATCH = (SEC_ERROR_BASE + 46),
SEC_ERROR_PKCS7_BAD_SIGNATURE = (SEC_ERROR_BASE + 47),
SEC_ERROR_UNSUPPORTED_KEYALG = (SEC_ERROR_BASE + 48),
SEC_ERROR_DECRYPTION_DISALLOWED = (SEC_ERROR_BASE + 49),
/* Fortezza Alerts */
XP_SEC_FORTEZZA_BAD_CARD = (SEC_ERROR_BASE + 50),
XP_SEC_FORTEZZA_NO_CARD = (SEC_ERROR_BASE + 51),
XP_SEC_FORTEZZA_NONE_SELECTED = (SEC_ERROR_BASE + 52),
XP_SEC_FORTEZZA_MORE_INFO = (SEC_ERROR_BASE + 53),
XP_SEC_FORTEZZA_PERSON_NOT_FOUND = (SEC_ERROR_BASE + 54),
XP_SEC_FORTEZZA_NO_MORE_INFO = (SEC_ERROR_BASE + 55),
XP_SEC_FORTEZZA_BAD_PIN = (SEC_ERROR_BASE + 56),
XP_SEC_FORTEZZA_PERSON_ERROR = (SEC_ERROR_BASE + 57),
SEC_ERROR_NO_KRL = (SEC_ERROR_BASE + 58),
SEC_ERROR_KRL_EXPIRED = (SEC_ERROR_BASE + 59),
SEC_ERROR_KRL_BAD_SIGNATURE = (SEC_ERROR_BASE + 60),
SEC_ERROR_REVOKED_KEY = (SEC_ERROR_BASE + 61),
SEC_ERROR_KRL_INVALID = (SEC_ERROR_BASE + 62),
SEC_ERROR_NEED_RANDOM = (SEC_ERROR_BASE + 63),
SEC_ERROR_NO_MODULE = (SEC_ERROR_BASE + 64),
SEC_ERROR_NO_TOKEN = (SEC_ERROR_BASE + 65),
SEC_ERROR_READ_ONLY = (SEC_ERROR_BASE + 66),
SEC_ERROR_NO_SLOT_SELECTED = (SEC_ERROR_BASE + 67),
SEC_ERROR_CERT_NICKNAME_COLLISION = (SEC_ERROR_BASE + 68),
SEC_ERROR_KEY_NICKNAME_COLLISION = (SEC_ERROR_BASE + 69),
SEC_ERROR_SAFE_NOT_CREATED = (SEC_ERROR_BASE + 70),
SEC_ERROR_BAGGAGE_NOT_CREATED = (SEC_ERROR_BASE + 71),
XP_JAVA_REMOVE_PRINCIPAL_ERROR = (SEC_ERROR_BASE + 72),
XP_JAVA_DELETE_PRIVILEGE_ERROR = (SEC_ERROR_BASE + 73),
XP_JAVA_CERT_NOT_EXISTS_ERROR = (SEC_ERROR_BASE + 74),
SEC_ERROR_BAD_EXPORT_ALGORITHM = (SEC_ERROR_BASE + 75),
SEC_ERROR_EXPORTING_CERTIFICATES = (SEC_ERROR_BASE + 76),
SEC_ERROR_IMPORTING_CERTIFICATES = (SEC_ERROR_BASE + 77),
SEC_ERROR_PKCS12_DECODING_PFX = (SEC_ERROR_BASE + 78),
SEC_ERROR_PKCS12_INVALID_MAC = (SEC_ERROR_BASE + 79),
SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM = (SEC_ERROR_BASE + 80),
SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE = (SEC_ERROR_BASE + 81),
SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE = (SEC_ERROR_BASE + 82),
SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM = (SEC_ERROR_BASE + 83),
SEC_ERROR_PKCS12_UNSUPPORTED_VERSION = (SEC_ERROR_BASE + 84),
SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT = (SEC_ERROR_BASE + 85),
SEC_ERROR_PKCS12_CERT_COLLISION = (SEC_ERROR_BASE + 86),
SEC_ERROR_USER_CANCELLED = (SEC_ERROR_BASE + 87),
SEC_ERROR_PKCS12_DUPLICATE_DATA = (SEC_ERROR_BASE + 88),
SEC_ERROR_MESSAGE_SEND_ABORTED = (SEC_ERROR_BASE + 89),
SEC_ERROR_INADEQUATE_KEY_USAGE = (SEC_ERROR_BASE + 90),
SEC_ERROR_INADEQUATE_CERT_TYPE = (SEC_ERROR_BASE + 91),
SEC_ERROR_CERT_ADDR_MISMATCH = (SEC_ERROR_BASE + 92),
SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY = (SEC_ERROR_BASE + 93),
SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN = (SEC_ERROR_BASE + 94),
SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME = (SEC_ERROR_BASE + 95),
SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY = (SEC_ERROR_BASE + 96),
SEC_ERROR_PKCS12_UNABLE_TO_WRITE = (SEC_ERROR_BASE + 97),
SEC_ERROR_PKCS12_UNABLE_TO_READ = (SEC_ERROR_BASE + 98),
SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED = (SEC_ERROR_BASE + 99),
SEC_ERROR_KEYGEN_FAIL = (SEC_ERROR_BASE + 100),
SEC_ERROR_INVALID_PASSWORD = (SEC_ERROR_BASE + 101),
SEC_ERROR_RETRY_OLD_PASSWORD = (SEC_ERROR_BASE + 102),
SEC_ERROR_BAD_NICKNAME = (SEC_ERROR_BASE + 103),
SEC_ERROR_NOT_FORTEZZA_ISSUER = (SEC_ERROR_BASE + 104),
SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY = (SEC_ERROR_BASE + 105),
SEC_ERROR_JS_INVALID_MODULE_NAME = (SEC_ERROR_BASE + 106),
SEC_ERROR_JS_INVALID_DLL = (SEC_ERROR_BASE + 107),
SEC_ERROR_JS_ADD_MOD_FAILURE = (SEC_ERROR_BASE + 108),
SEC_ERROR_JS_DEL_MOD_FAILURE = (SEC_ERROR_BASE + 109),
SEC_ERROR_OLD_KRL = (SEC_ERROR_BASE + 110),
SEC_ERROR_CKL_CONFLICT = (SEC_ERROR_BASE + 111),
SEC_ERROR_CERT_NOT_IN_NAME_SPACE = (SEC_ERROR_BASE + 112),
SEC_ERROR_KRL_NOT_YET_VALID = (SEC_ERROR_BASE + 113),
SEC_ERROR_CRL_NOT_YET_VALID = (SEC_ERROR_BASE + 114),
SEC_ERROR_UNKNOWN_CERT = (SEC_ERROR_BASE + 115),
SEC_ERROR_UNKNOWN_SIGNER = (SEC_ERROR_BASE + 116),
SEC_ERROR_CERT_BAD_ACCESS_LOCATION = (SEC_ERROR_BASE + 117),
SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE = (SEC_ERROR_BASE + 118),
SEC_ERROR_OCSP_BAD_HTTP_RESPONSE = (SEC_ERROR_BASE + 119),
SEC_ERROR_OCSP_MALFORMED_REQUEST = (SEC_ERROR_BASE + 120),
SEC_ERROR_OCSP_SERVER_ERROR = (SEC_ERROR_BASE + 121),
SEC_ERROR_OCSP_TRY_SERVER_LATER = (SEC_ERROR_BASE + 122),
SEC_ERROR_OCSP_REQUEST_NEEDS_SIG = (SEC_ERROR_BASE + 123),
SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST = (SEC_ERROR_BASE + 124),
SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS = (SEC_ERROR_BASE + 125),
SEC_ERROR_OCSP_UNKNOWN_CERT = (SEC_ERROR_BASE + 126),
SEC_ERROR_OCSP_NOT_ENABLED = (SEC_ERROR_BASE + 127),
SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER = (SEC_ERROR_BASE + 128),
SEC_ERROR_OCSP_MALFORMED_RESPONSE = (SEC_ERROR_BASE + 129),
SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE = (SEC_ERROR_BASE + 130),
SEC_ERROR_OCSP_FUTURE_RESPONSE = (SEC_ERROR_BASE + 131),
SEC_ERROR_OCSP_OLD_RESPONSE = (SEC_ERROR_BASE + 132),
/* smime stuff */
SEC_ERROR_DIGEST_NOT_FOUND = (SEC_ERROR_BASE + 133),
SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE = (SEC_ERROR_BASE + 134),
SEC_ERROR_MODULE_STUCK = (SEC_ERROR_BASE + 135),
SEC_ERROR_BAD_TEMPLATE = (SEC_ERROR_BASE + 136),
SEC_ERROR_CRL_NOT_FOUND = (SEC_ERROR_BASE + 137),
SEC_ERROR_REUSED_ISSUER_AND_SERIAL = (SEC_ERROR_BASE + 138),
SEC_ERROR_BUSY = (SEC_ERROR_BASE + 139),
SEC_ERROR_EXTRA_INPUT = (SEC_ERROR_BASE + 140),
/* error codes used by elliptic curve code */
SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE = (SEC_ERROR_BASE + 141),
SEC_ERROR_UNSUPPORTED_EC_POINT_FORM = (SEC_ERROR_BASE + 142),
SEC_ERROR_UNRECOGNIZED_OID = (SEC_ERROR_BASE + 143),
SEC_ERROR_OCSP_INVALID_SIGNING_CERT = (SEC_ERROR_BASE + 144),
/* new revocation errors */
SEC_ERROR_REVOKED_CERTIFICATE_CRL = (SEC_ERROR_BASE + 145),
SEC_ERROR_REVOKED_CERTIFICATE_OCSP = (SEC_ERROR_BASE + 146),
SEC_ERROR_CRL_INVALID_VERSION = (SEC_ERROR_BASE + 147),
SEC_ERROR_CRL_V1_CRITICAL_EXTENSION = (SEC_ERROR_BASE + 148),
SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION = (SEC_ERROR_BASE + 149),
SEC_ERROR_UNKNOWN_OBJECT_TYPE = (SEC_ERROR_BASE + 150),
SEC_ERROR_INCOMPATIBLE_PKCS11 = (SEC_ERROR_BASE + 151),
SEC_ERROR_NO_EVENT = (SEC_ERROR_BASE + 152),
SEC_ERROR_CRL_ALREADY_EXISTS = (SEC_ERROR_BASE + 153),
SEC_ERROR_NOT_INITIALIZED = (SEC_ERROR_BASE + 154),
SEC_ERROR_TOKEN_NOT_LOGGED_IN = (SEC_ERROR_BASE + 155),
SEC_ERROR_OCSP_RESPONDER_CERT_INVALID = (SEC_ERROR_BASE + 156),
SEC_ERROR_OCSP_BAD_SIGNATURE = (SEC_ERROR_BASE + 157),
SEC_ERROR_OUT_OF_SEARCH_LIMITS = (SEC_ERROR_BASE + 158),
SEC_ERROR_INVALID_POLICY_MAPPING = (SEC_ERROR_BASE + 159),
SEC_ERROR_POLICY_VALIDATION_FAILED = (SEC_ERROR_BASE + 160),
/* No longer used. Unknown AIA location types are now silently ignored. */
SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE = (SEC_ERROR_BASE + 161),
SEC_ERROR_BAD_HTTP_RESPONSE = (SEC_ERROR_BASE + 162),
SEC_ERROR_BAD_LDAP_RESPONSE = (SEC_ERROR_BASE + 163),
SEC_ERROR_FAILED_TO_ENCODE_DATA = (SEC_ERROR_BASE + 164),
SEC_ERROR_BAD_INFO_ACCESS_LOCATION = (SEC_ERROR_BASE + 165),
SEC_ERROR_LIBPKIX_INTERNAL = (SEC_ERROR_BASE + 166),
SEC_ERROR_PKCS11_GENERAL_ERROR = (SEC_ERROR_BASE + 167),
SEC_ERROR_PKCS11_FUNCTION_FAILED = (SEC_ERROR_BASE + 168),
SEC_ERROR_PKCS11_DEVICE_ERROR = (SEC_ERROR_BASE + 169),
SEC_ERROR_BAD_INFO_ACCESS_METHOD = (SEC_ERROR_BASE + 170),
SEC_ERROR_CRL_IMPORT_FAILED = (SEC_ERROR_BASE + 171),
SEC_ERROR_EXPIRED_PASSWORD = (SEC_ERROR_BASE + 172),
SEC_ERROR_LOCKED_PASSWORD = (SEC_ERROR_BASE + 173),
SEC_ERROR_UNKNOWN_PKCS11_ERROR = (SEC_ERROR_BASE + 174),
SEC_ERROR_BAD_CRL_DP_URL = (SEC_ERROR_BASE + 175),
SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED = (SEC_ERROR_BASE + 176),
SEC_ERROR_LEGACY_DATABASE = (SEC_ERROR_BASE + 177),
SEC_ERROR_APPLICATION_CALLBACK_ERROR = (SEC_ERROR_BASE + 178),
/* Add new error codes above here. */
SEC_ERROR_END_OF_LIST
} SECErrorCodes;
#endif /* NO_SECURITY_ERROR_ENUM */
#endif /* __SEC_ERR_H_ */


@@ -0,0 +1,58 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _HASH_H_
#define _HASH_H_
#include "seccomon.h"
#include "hasht.h"
#include "secoidt.h"
SEC_BEGIN_PROTOS
/*
** Generic hash api.
*/
extern unsigned int HASH_ResultLen(HASH_HashType type);
extern unsigned int HASH_ResultLenContext(HASHContext *context);
extern unsigned int HASH_ResultLenByOidTag(SECOidTag hashOid);
extern SECStatus HASH_HashBuf(HASH_HashType type,
unsigned char *dest,
const unsigned char *src,
PRUint32 src_len);
extern HASHContext *HASH_Create(HASH_HashType type);
extern HASHContext *HASH_Clone(HASHContext *context);
extern void HASH_Destroy(HASHContext *context);
extern void HASH_Begin(HASHContext *context);
extern void HASH_Update(HASHContext *context,
const unsigned char *src,
unsigned int len);
extern void HASH_End(HASHContext *context,
unsigned char *result,
unsigned int *result_len,
unsigned int max_result_len);
extern HASH_HashType HASH_GetType(HASHContext *context);
extern const SECHashObject *HASH_GetHashObject(HASH_HashType type);
extern const SECHashObject *HASH_GetHashObjectByOidTag(SECOidTag hashOid);
extern HASH_HashType HASH_GetHashTypeByOidTag(SECOidTag hashOid);
extern SECOidTag HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid);
extern SECOidTag HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid);
SEC_END_PROTOS
#endif /* _HASH_H_ */


@@ -0,0 +1,118 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _SECITEM_H_
#define _SECITEM_H_
#include "utilrename.h"
/*
* secitem.h - public data structures and prototypes for handling
* SECItems
*/
#include "plarena.h"
#include "plhash.h"
#include "seccomon.h"
SEC_BEGIN_PROTOS
/*
** Allocate an item. If "arena" is not NULL, then allocate from there,
** otherwise allocate from the heap. If "item" is not NULL, allocate
** only the data buffer for the item, not the item itself. If "len" is
** 0, do not allocate the data buffer for the item; simply set the data
** field to NULL and the len field to 0. The item structure is allocated
** zero-filled; the data buffer is not zeroed. The caller is responsible
** for initializing the type field of the item.
**
** The resulting item is returned; NULL if any error occurs.
**
** XXX This probably should take a SECItemType, but since that is mostly
** unused and our improved APIs (aka Stan) are looming, I left it out.
*/
extern SECItem *SECITEM_AllocItem(PLArenaPool *arena, SECItem *item,
unsigned int len);
/*
** This is a legacy function containing bugs. It doesn't update item->len,
** and it has other issues as described in bug 298649 and bug 298938.
** However, the function is kept unchanged for consumers that might depend
** on the broken behaviour. New code should call SECITEM_ReallocItemV2.
**
** Reallocate the data for the specified "item". If "arena" is not NULL,
** then reallocate from there, otherwise reallocate from the heap.
** In the case where oldlen is 0, the data is allocated (not reallocated).
** In any case, "item" is expected to be a valid SECItem pointer;
** SECFailure is returned if it is not. If the allocation succeeds,
** SECSuccess is returned.
*/
extern SECStatus SECITEM_ReallocItem(/* deprecated function */
PLArenaPool *arena, SECItem *item,
unsigned int oldlen, unsigned int newlen);
/*
** Reallocate the data for the specified "item". If "arena" is not NULL,
** then reallocate from there, otherwise reallocate from the heap.
** If item->data is NULL, the data is allocated (not reallocated).
** In any case, "item" is expected to be a valid SECItem pointer;
** SECFailure is returned if it is not, and the item will remain unchanged.
** If the allocation succeeds, the item is updated and SECSuccess is returned.
*/
extern SECStatus SECITEM_ReallocItemV2(PLArenaPool *arena, SECItem *item,
unsigned int newlen);
/*
** Compare two items returning the difference between them.
*/
extern SECComparison SECITEM_CompareItem(const SECItem *a, const SECItem *b);
/*
** Compare two items -- if they are the same, return true; otherwise false.
*/
extern PRBool SECITEM_ItemsAreEqual(const SECItem *a, const SECItem *b);
/*
** Copy "from" to "to"
*/
extern SECStatus SECITEM_CopyItem(PLArenaPool *arena, SECItem *to,
const SECItem *from);
/*
** Allocate an item and copy "from" into it.
*/
extern SECItem *SECITEM_DupItem(const SECItem *from);
/*
** Allocate an item and copy "from" into it. The item itself and the
** data it points to are both allocated from the arena. If arena is
** NULL, this function is equivalent to SECITEM_DupItem.
*/
extern SECItem *SECITEM_ArenaDupItem(PLArenaPool *arena, const SECItem *from);
/*
** Free "zap". If freeit is PR_TRUE then "zap" itself is freed.
*/
extern void SECITEM_FreeItem(SECItem *zap, PRBool freeit);
/*
** Zero and then free "zap". If freeit is PR_TRUE then "zap" itself is freed.
*/
extern void SECITEM_ZfreeItem(SECItem *zap, PRBool freeit);
PLHashNumber PR_CALLBACK SECITEM_Hash(const void *key);
PRIntn PR_CALLBACK SECITEM_HashCompare(const void *k1, const void *k2);
extern SECItemArray *SECITEM_AllocArray(PLArenaPool *arena,
SECItemArray *array,
unsigned int len);
extern SECItemArray *SECITEM_DupArray(PLArenaPool *arena,
const SECItemArray *from);
extern void SECITEM_FreeArray(SECItemArray *array, PRBool freeit);
extern void SECITEM_ZfreeArray(SECItemArray *array, PRBool freeit);
SEC_END_PROTOS
#endif /* _SECITEM_H_ */


@@ -0,0 +1,160 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* Header file for routines specific to S/MIME. Keep things that are pure
* pkcs7 out of here; this is for S/MIME policy, S/MIME interoperability, etc.
*/
#ifndef _SECMIME_H_
#define _SECMIME_H_ 1
#include "secpkcs7.h"
/************************************************************************/
SEC_BEGIN_PROTOS
/*
* Initialize the local recording of the user S/MIME cipher preferences.
* This function is called once for each cipher, the order being
* important (first call records greatest preference, and so on).
* When finished, it is called with a "which" of CIPHER_FAMILID_MASK.
* If the function is called again after that, it is assumed that
* the preferences are being reset, and the old preferences are
* discarded.
*
* XXX This is for a particular user, and right now the storage is
* XXX local, static. The preference should be stored elsewhere to allow
* XXX for multiple uses of one library? How does SSL handle this;
* XXX it has something similar?
*
* - The "which" values are defined in ciferfam.h (the SMIME_* values,
* for example SMIME_DES_CBC_56).
* - If "on" is non-zero then the named cipher is enabled, otherwise
* it is disabled. (It is not necessary to call the function for
* ciphers that are disabled, however, as that is the default.)
*
* If the cipher preference is successfully recorded, SECSuccess
* is returned. Otherwise SECFailure is returned. The only errors
* are due to failure allocating memory or bad parameters/calls:
* SEC_ERROR_XXX ("which" is not in the S/MIME cipher family)
* SEC_ERROR_XXX (function is being called more times than there
* are known/expected ciphers)
*/
extern SECStatus SECMIME_EnableCipher(long which, int on);
/*
* Initialize the local recording of the S/MIME policy.
* This function is called to enable/disable a particular cipher.
* (S/MIME encryption or decryption using a particular cipher is only
* allowed if that cipher is currently enabled.) At startup, all S/MIME
* ciphers are disabled. From that point, this function can be called
* to enable a cipher -- it is not necessary to call this to disable
* a cipher unless that cipher was previously, explicitly enabled via
* this function.
*
* XXX This is for a the current module, I think, so local, static storage
* XXX is okay. Is that correct, or could multiple uses of the same
* XXX library expect to operate under different policies?
*
* - The "which" values are defined in ciferfam.h (the SMIME_* values,
* for example SMIME_DES_CBC_56).
* - If "on" is non-zero then the named cipher is enabled, otherwise
* it is disabled.
*
* If the cipher is successfully enabled/disabled, SECSuccess is
* returned. Otherwise SECFailure is returned. The only errors
* are due to bad parameters:
* SEC_ERROR_XXX ("which" is not in the S/MIME cipher family)
* SEC_ERROR_XXX ("which" exceeds expected maximum cipher; this is
* really an internal error)
*/
extern SECStatus SECMIME_SetPolicy(long which, int on);
/*
* Does the current policy allow S/MIME decryption of this particular
* algorithm and keysize?
*/
extern PRBool SECMIME_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key);
/*
* Does the current policy allow *any* S/MIME encryption (or decryption)?
*
* This tells whether or not *any* S/MIME encryption can be done,
* according to policy. Callers may use this to do nicer user interface
* (say, greying out a checkbox so a user does not even try to encrypt
* a message when they are not allowed to) or for any reason they want
* to check whether S/MIME encryption (or decryption, for that matter)
* may be done.
*
* It takes no arguments. The return value is a simple boolean:
* PR_TRUE means encryption (or decryption) is *possible*
* (but may still fail due to other reasons, like because we cannot
* find all the necessary certs, etc.; PR_TRUE is *not* a guarantee)
* PR_FALSE means encryption (or decryption) is not permitted
*
* There are no errors from this routine.
*/
extern PRBool SECMIME_EncryptionPossible(void);
/*
* Start an S/MIME encrypting context.
*
* "scert" is the cert for the sender. It will be checked for validity.
* "rcerts" are the certs for the recipients. They will also be checked.
*
* "certdb" is the cert database to use for verifying the certs.
* It can be NULL if a default database is available (like in the client).
*
* This function already does all of the stuff specific to S/MIME protocol
* and local policy; the return value just needs to be passed to
* SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
* and finally to SEC_PKCS7DestroyContentInfo().
*
* An error results in a return value of NULL and an error set.
* (Retrieve specific errors via PORT_GetError()/XP_GetError().)
*/
extern SEC_PKCS7ContentInfo *SECMIME_CreateEncrypted(CERTCertificate *scert,
CERTCertificate **rcerts,
CERTCertDBHandle *certdb,
SECKEYGetPasswordKey pwfn,
void *pwfn_arg);
/*
* Start an S/MIME signing context.
*
* "scert" is the cert that will be used to sign the data. It will be
* checked for validity.
*
* "certdb" is the cert database to use for verifying the cert.
* It can be NULL if a default database is available (like in the client).
*
* "digestalg" names the digest algorithm. (It should be SEC_OID_SHA1;
* XXX There should be SECMIME functions for hashing, or the hashing should
* be built into this interface, which we would like because we would
* support more smartcards that way, and then this argument should go away.)
*
* "digest" is the actual digest of the data. It must be provided in
* the case of detached data or NULL if the content will be included.
*
* This function already does all of the stuff specific to S/MIME protocol
* and local policy; the return value just needs to be passed to
* SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
* and finally to SEC_PKCS7DestroyContentInfo().
*
* An error results in a return value of NULL and an error set.
* (Retrieve specific errors via PORT_GetError()/XP_GetError().)
*/
extern SEC_PKCS7ContentInfo *SECMIME_CreateSigned(CERTCertificate *scert,
CERTCertificate *ecert,
CERTCertDBHandle *certdb,
SECOidTag digestalg,
SECItem *digest,
SECKEYGetPasswordKey pwfn,
void *pwfn_arg);
/************************************************************************/
SEC_END_PROTOS
#endif /* _SECMIME_H_ */
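Review bot: The comment on SECMIME_CreateSigned says `digestalg` "should be SEC_OID_SHA1" but does not say whether any other value is accepted, and it never describes the `ecert`, `pwfn` or `pwfn_arg` parameters that appear in the prototype. Since SHA-1 is no longer collision-resistant, a caller needs to know from the header whether this entry point can sign with a stronger digest. I would replace the XXX remark with a definite statement such as `"digestalg" names the digest algorithm; state here which SECOidTag values are accepted and what is returned for the others`, and add one line per undocumented parameter. The same `pwfn`/`pwfn_arg` gap applies to SECMIME_CreateEncrypted above it.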


@@ -0,0 +1,167 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _SECMOD_H_
#define _SECMOD_H_
#include "seccomon.h"
#include "secmodt.h"
#include "prinrval.h"
/* These mechanisms flags are visible to all other libraries. */
/* They must be converted to internal SECMOD_*_FLAG */
/* if used inside the functions of the security library */
#define PUBLIC_MECH_RSA_FLAG 0x00000001ul
#define PUBLIC_MECH_DSA_FLAG 0x00000002ul
#define PUBLIC_MECH_RC2_FLAG 0x00000004ul
#define PUBLIC_MECH_RC4_FLAG 0x00000008ul
#define PUBLIC_MECH_DES_FLAG 0x00000010ul
#define PUBLIC_MECH_DH_FLAG 0x00000020ul
#define PUBLIC_MECH_FORTEZZA_FLAG 0x00000040ul
#define PUBLIC_MECH_RC5_FLAG 0x00000080ul
#define PUBLIC_MECH_SHA1_FLAG 0x00000100ul
#define PUBLIC_MECH_MD5_FLAG 0x00000200ul
#define PUBLIC_MECH_MD2_FLAG 0x00000400ul
#define PUBLIC_MECH_SSL_FLAG 0x00000800ul
#define PUBLIC_MECH_TLS_FLAG 0x00001000ul
#define PUBLIC_MECH_AES_FLAG 0x00002000ul
#define PUBLIC_MECH_SHA256_FLAG 0x00004000ul
#define PUBLIC_MECH_SHA512_FLAG 0x00008000ul
#define PUBLIC_MECH_CAMELLIA_FLAG 0x00010000ul
#define PUBLIC_MECH_SEED_FLAG 0x00020000ul
#define PUBLIC_MECH_ECC_FLAG 0x00040000ul
#define PUBLIC_MECH_RANDOM_FLAG 0x08000000ul
#define PUBLIC_MECH_FRIENDLY_FLAG 0x10000000ul
#define PUBLIC_OWN_PW_DEFAULTS 0X20000000ul
#define PUBLIC_DISABLE_FLAG 0x40000000ul
/* warning: reserved means reserved */
#define PUBLIC_MECH_RESERVED_FLAGS 0x87FF0000ul
/* These cipher flags are visible to all other libraries, */
/* But they must be converted before used in functions */
/* withing the security module */
#define PUBLIC_CIPHER_FORTEZZA_FLAG 0x00000001ul
/* warning: reserved means reserved */
#define PUBLIC_CIPHER_RESERVED_FLAGS 0xFFFFFFFEul
SEC_BEGIN_PROTOS
/*
* the following functions are going to be deprecated in NSS 4.0 in
* favor of the new stan functions.
*/
/* Initialization */
extern SECMODModule *SECMOD_LoadModule(char *moduleSpec, SECMODModule *parent,
PRBool recurse);
extern SECMODModule *SECMOD_LoadUserModule(char *moduleSpec, SECMODModule *parent,
PRBool recurse);
SECStatus SECMOD_UnloadUserModule(SECMODModule *mod);
SECMODModule *SECMOD_CreateModule(const char *lib, const char *name,
const char *param, const char *nss);
SECMODModule *SECMOD_CreateModuleEx(const char *lib, const char *name,
const char *param, const char *nss,
const char *config);
/*
* After a fork(), PKCS #11 says we need to call C_Initialize again in
* the child before we can use the module. This function causes this
* reinitialization.
* NOTE: Any outstanding handles will become invalid, which means your
* keys and contexts will fail, but new ones can be created.
*
* Setting 'force' to true means to do the reinitialization even if the
* PKCS #11 module does not seem to need it. This allows software modules
* which ignore fork to preserve their keys across the fork().
*/
SECStatus SECMOD_RestartModules(PRBool force);
/* Module Management */
char **SECMOD_GetModuleSpecList(SECMODModule *module);
SECStatus SECMOD_FreeModuleSpecList(SECMODModule *module, char **moduleSpecList);
/* protoypes */
/* Get a list of active PKCS #11 modules */
extern SECMODModuleList *SECMOD_GetDefaultModuleList(void);
/* Get a list of defined but not loaded PKCS #11 modules */
extern SECMODModuleList *SECMOD_GetDeadModuleList(void);
/* Get a list of Modules which define PKCS #11 modules to load */
extern SECMODModuleList *SECMOD_GetDBModuleList(void);
/* lock to protect all three module lists above */
extern SECMODListLock *SECMOD_GetDefaultModuleListLock(void);
extern SECStatus SECMOD_UpdateModule(SECMODModule *module);
/* lock management */
extern void SECMOD_GetReadLock(SECMODListLock *);
extern void SECMOD_ReleaseReadLock(SECMODListLock *);
/* Operate on modules by name */
extern SECMODModule *SECMOD_FindModule(const char *name);
extern SECStatus SECMOD_DeleteModule(const char *name, int *type);
extern SECStatus SECMOD_DeleteModuleEx(const char *name,
SECMODModule *mod,
int *type,
PRBool permdb);
extern SECStatus SECMOD_DeleteInternalModule(const char *name);
extern PRBool SECMOD_CanDeleteInternalModule(void);
extern SECStatus SECMOD_AddNewModule(const char *moduleName,
const char *dllPath,
unsigned long defaultMechanismFlags,
unsigned long cipherEnableFlags);
extern SECStatus SECMOD_AddNewModuleEx(const char *moduleName,
const char *dllPath,
unsigned long defaultMechanismFlags,
unsigned long cipherEnableFlags,
char *modparms,
char *nssparms);
/* database/memory management */
extern SECMODModule *SECMOD_GetInternalModule(void);
extern SECMODModule *SECMOD_ReferenceModule(SECMODModule *module);
extern void SECMOD_DestroyModule(SECMODModule *module);
extern PK11SlotInfo *SECMOD_LookupSlot(SECMODModuleID module,
unsigned long slotID);
extern PK11SlotInfo *SECMOD_FindSlot(SECMODModule *module, const char *name);
/* Funtion reports true if at least one of the modules */
/* of modType has been installed */
PRBool SECMOD_IsModulePresent(unsigned long int pubCipherEnableFlags);
/* accessors */
PRBool SECMOD_GetSkipFirstFlag(SECMODModule *mod);
PRBool SECMOD_GetDefaultModDBFlag(SECMODModule *mod);
/* Functions used to convert between internal & public representation
* of Mechanism Flags and Cipher Enable Flags */
extern unsigned long SECMOD_PubMechFlagstoInternal(unsigned long publicFlags);
extern unsigned long SECMOD_InternaltoPubMechFlags(unsigned long internalFlags);
extern unsigned long SECMOD_PubCipherFlagstoInternal(unsigned long publicFlags);
PRBool SECMOD_HasRemovableSlots(SECMODModule *mod);
PK11SlotInfo *SECMOD_WaitForAnyTokenEvent(SECMODModule *mod,
unsigned long flags, PRIntervalTime latency);
/*
* Warning: the SECMOD_CancelWait function is highly destructive, potentially
* finalizing the module 'mod' (causing inprogress operations to fail,
* and session key material to disappear). It should only be called when
* shutting down the module.
*/
SECStatus SECMOD_CancelWait(SECMODModule *mod);
/*
* check to see if the module has added new slots. PKCS 11 v2.20 allows for
* modules to add new slots, but never remove them. Slots not be added between
* a call to C_GetSlotLlist(Flag, NULL, &count) and the corresponding
* C_GetSlotList(flag, &data, &count) so that the array doesn't accidently
* grow on the caller. It is permissible for the slots to increase between
* corresponding calls with NULL to get the size.
*/
SECStatus SECMOD_UpdateSlotList(SECMODModule *mod);
SEC_END_PROTOS
#endif
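Review bot: SECMOD_LoadModule, SECMOD_LoadUserModule, SECMOD_AddNewModule and SECMOD_AddNewModuleEx are declared without any comment, although their `moduleSpec` and `dllPath` arguments select a PKCS #11 library to load. Loading a module presumably maps that library into the calling process, so the header should say that these strings must come from trusted configuration and not from request or user data, for example `/* dllPath: path of the PKCS #11 shared library to load; it runs with the caller's privileges, so take it only from trusted configuration */`. It would also help to note whether `moduleSpec`, `modparms` and `nssparms` are modified, since they are `char *` while the neighbouring name arguments are `const char *`.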


@@ -0,0 +1,444 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _SECMODT_H_
#define _SECMODT_H_ 1
#include "nssrwlkt.h"
#include "nssilckt.h"
#include "secoid.h"
#include "secasn1.h"
#include "pkcs11t.h"
#include "utilmodt.h"
SEC_BEGIN_PROTOS
/* find a better home for these... */
extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate)
extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
SEC_ASN1_CHOOSER_DECLARE(SECKEY_EncryptedPrivateKeyInfoTemplate)
extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
SEC_ASN1_CHOOSER_DECLARE(SECKEY_PrivateKeyInfoTemplate)
extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToPrivateKeyInfoTemplate)
SEC_END_PROTOS
/* PKCS11 needs to be included */
typedef struct SECMODModuleStr SECMODModule;
typedef struct SECMODModuleListStr SECMODModuleList;
typedef NSSRWLock SECMODListLock;
typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */
typedef struct NSSUTILPreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */
typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */
typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */
typedef struct PK11SlotListStr PK11SlotList;
typedef struct PK11SlotListElementStr PK11SlotListElement;
typedef struct PK11RSAGenParamsStr PK11RSAGenParams;
typedef unsigned long SECMODModuleID;
typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry;
typedef struct PK11GenericObjectStr PK11GenericObject;
typedef void (*PK11FreeDataFunc)(void *);
struct SECMODModuleStr {
PLArenaPool *arena;
PRBool internal; /* true of internally linked modules, false
* for the loaded modules */
PRBool loaded; /* Set to true if module has been loaded */
PRBool isFIPS; /* Set to true if module is finst internal */
char *dllName; /* name of the shared library which implements
* this module */
char *commonName; /* name of the module to display to the user */
void *library; /* pointer to the library. opaque. used only by
* pk11load.c */
void *functionList; /* The PKCS #11 function table */
PZLock *refLock; /* only used pk11db.c */
int refCount; /* Module reference count */
PK11SlotInfo **slots; /* array of slot points attached to this mod*/
int slotCount; /* count of slot in above array */
PK11PreSlotInfo *slotInfo; /* special info about slots default settings */
int slotInfoCount; /* count */
SECMODModuleID moduleID; /* ID so we can find this module again */
PRBool isThreadSafe;
unsigned long ssl[2]; /* SSL cipher enable flags */
char *libraryParams; /* Module specific parameters */
void *moduleDBFunc; /* function to return module configuration data*/
SECMODModule *parent; /* module that loaded us */
PRBool isCritical; /* This module must load successfully */
PRBool isModuleDB; /* this module has lists of PKCS #11 modules */
PRBool moduleDBOnly; /* this module only has lists of PKCS #11 modules */
int trustOrder; /* order for this module's certificate trust rollup */
int cipherOrder; /* order for cipher operations */
unsigned long evControlMask; /* control the running and shutdown of slot
* events (SECMOD_WaitForAnyTokenEvent) */
CK_VERSION cryptokiVersion; /* version of this library */
};
/* evControlMask flags */
/*
* These bits tell the current state of a SECMOD_WaitForAnyTokenEvent.
*
* SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in
* C_WaitForSlotEvent().
* SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code
* which polls for token insertion and removal events.
* SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is
* waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent
* should return immediately to it's caller.
*/
#define SECMOD_END_WAIT 0x01
#define SECMOD_WAIT_SIMULATED_EVENT 0x02
#define SECMOD_WAIT_PKCS11_EVENT 0x04
struct SECMODModuleListStr {
SECMODModuleList *next;
SECMODModule *module;
};
struct PK11SlotListStr {
PK11SlotListElement *head;
PK11SlotListElement *tail;
PZLock *lock;
};
struct PK11SlotListElementStr {
PK11SlotListElement *next;
PK11SlotListElement *prev;
PK11SlotInfo *slot;
int refCount;
};
struct PK11RSAGenParamsStr {
int keySizeInBits;
unsigned long pe;
};
typedef enum {
PK11CertListUnique = 0, /* get one instance of all certs */
PK11CertListUser = 1, /* get all instances of user certs */
PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key.
* deprecated. Use PK11CertListCAUnique
*/
PK11CertListCA = 3, /* get all instances of CA certs */
PK11CertListCAUnique = 4, /* get one instance of CA certs */
PK11CertListUserUnique = 5, /* get one instance of user certs */
PK11CertListAll = 6 /* get all instances of all certs */
} PK11CertListType;
/*
* Entry into the array which lists all the legal bits for the default flags
* in the slot, their definition, and the PKCS #11 mechanism they represent.
* Always statically allocated.
*/
struct PK11DefaultArrayEntryStr {
const char *name;
unsigned long flag;
unsigned long mechanism; /* this is a long so we don't include the
* whole pkcs 11 world to use this header */
};
/*
* PK11AttrFlags
*
* A 32-bit bitmask of PK11_ATTR_XXX flags
*/
typedef PRUint32 PK11AttrFlags;
/*
* PK11_ATTR_XXX
*
* The following PK11_ATTR_XXX bitflags are used to specify
* PKCS #11 object attributes that have Boolean values. Some NSS
* functions have a "PK11AttrFlags attrFlags" parameter whose value
* is the logical OR of these bitflags. NSS use these bitflags on
* private keys or secret keys. Some of these bitflags also apply
* to the public keys associated with the private keys.
*
* For each PKCS #11 object attribute, we need two bitflags to
* specify not only "true" and "false" but also "default". For
* example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the
* CKA_PRIVATE attribute. If PK11_ATTR_PRIVATE is set, we add
* { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) }
* to the template. If PK11_ATTR_PUBLIC is set, we add
* { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) }
* to the template. If neither flag is set, we don't add any
* CKA_PRIVATE entry to the template.
*/
/*
* Attributes for PKCS #11 storage objects, which include not only
* keys but also certificates and domain parameters.
*/
/*
* PK11_ATTR_TOKEN
* PK11_ATTR_SESSION
*
* These two flags determine whether the object is a token or
* session object.
*
* These two flags are related and cannot both be set.
* If the PK11_ATTR_TOKEN flag is set, the object is a token
* object. If the PK11_ATTR_SESSION flag is set, the object is
* a session object. If neither flag is set, the object is *by
* default* a session object.
*
* These two flags specify the value of the PKCS #11 CKA_TOKEN
* attribute.
*/
#define PK11_ATTR_TOKEN 0x00000001L
#define PK11_ATTR_SESSION 0x00000002L
/*
* PK11_ATTR_PRIVATE
* PK11_ATTR_PUBLIC
*
* These two flags determine whether the object is a private or
* public object. A user may not access a private object until the
* user has authenticated to the token.
*
* These two flags are related and cannot both be set.
* If the PK11_ATTR_PRIVATE flag is set, the object is a private
* object. If the PK11_ATTR_PUBLIC flag is set, the object is a
* public object. If neither flag is set, it is token-specific
* whether the object is private or public.
*
* These two flags specify the value of the PKCS #11 CKA_PRIVATE
* attribute. NSS only uses this attribute on private and secret
* keys, so public keys created by NSS get the token-specific
* default value of the CKA_PRIVATE attribute.
*/
#define PK11_ATTR_PRIVATE 0x00000004L
#define PK11_ATTR_PUBLIC 0x00000008L
/*
* PK11_ATTR_MODIFIABLE
* PK11_ATTR_UNMODIFIABLE
*
* These two flags determine whether the object is modifiable or
* read-only.
*
* These two flags are related and cannot both be set.
* If the PK11_ATTR_MODIFIABLE flag is set, the object can be
* modified. If the PK11_ATTR_UNMODIFIABLE flag is set, the object
* is read-only. If neither flag is set, the object is *by default*
* modifiable.
*
* These two flags specify the value of the PKCS #11 CKA_MODIFIABLE
* attribute.
*/
#define PK11_ATTR_MODIFIABLE 0x00000010L
#define PK11_ATTR_UNMODIFIABLE 0x00000020L
/* Attributes for PKCS #11 key objects. */
/*
* PK11_ATTR_SENSITIVE
* PK11_ATTR_INSENSITIVE
*
* These two flags are related and cannot both be set.
* If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive.
* If the PK11_ATTR_INSENSITIVE flag is set, the key is not
* sensitive. If neither flag is set, it is token-specific whether
* the key is sensitive or not.
*
* If a key is sensitive, certain attributes of the key cannot be
* revealed in plaintext outside the token.
*
* This flag specifies the value of the PKCS #11 CKA_SENSITIVE
* attribute. Although the default value of the CKA_SENSITIVE
* attribute for secret keys is CK_FALSE per PKCS #11, some FIPS
* tokens set the default value to CK_TRUE because only CK_TRUE
* is allowed. So in practice the default value of this attribute
* is token-specific, hence the need for two bitflags.
*/
#define PK11_ATTR_SENSITIVE 0x00000040L
#define PK11_ATTR_INSENSITIVE 0x00000080L
/*
* PK11_ATTR_EXTRACTABLE
* PK11_ATTR_UNEXTRACTABLE
*
* These two flags are related and cannot both be set.
* If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable
* and can be wrapped. If the PK11_ATTR_UNEXTRACTABLE flag is set,
* the key is not extractable, and certain attributes of the key
* cannot be revealed in plaintext outside the token (just like a
* sensitive key). If neither flag is set, it is token-specific
* whether the key is extractable or not.
*
* These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE
* attribute.
*/
#define PK11_ATTR_EXTRACTABLE 0x00000100L
#define PK11_ATTR_UNEXTRACTABLE 0x00000200L
/* Cryptographic module types */
#define SECMOD_EXTERNAL 0 /* external module */
#define SECMOD_INTERNAL 1 /* internal default module */
#define SECMOD_FIPS 2 /* internal fips module */
/* default module configuration strings */
#define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]"
#define SECMOD_MAKE_NSS_FLAGS(fips, slot) \
"Flags=internal,critical" fips " slotparams=(" #slot "={" SECMOD_SLOT_FLAGS "})"
#define SECMOD_INT_NAME "NSS Internal PKCS #11 Module"
#define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("", 1)
#define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips", 3)
/*
* What is the origin of a given Key. Normally this doesn't matter, but
* the fortezza code needs to know if it needs to invoke the SSL3 fortezza
* hack.
*/
typedef enum {
PK11_OriginNULL = 0, /* There is not key, it's a null SymKey */
PK11_OriginDerive = 1, /* Key was derived from some other key */
PK11_OriginGenerated = 2, /* Key was generated (also PBE keys) */
PK11_OriginFortezzaHack = 3, /* Key was marked for fortezza hack */
PK11_OriginUnwrap = 4 /* Key was unwrapped or decrypted */
} PK11Origin;
/* PKCS #11 disable reasons */
typedef enum {
PK11_DIS_NONE = 0,
PK11_DIS_USER_SELECTED = 1,
PK11_DIS_COULD_NOT_INIT_TOKEN = 2,
PK11_DIS_TOKEN_VERIFY_FAILED = 3,
PK11_DIS_TOKEN_NOT_PRESENT = 4
} PK11DisableReasons;
/* types of PKCS #11 objects
* used to identify which NSS data structure is
* passed to the PK11_Raw* functions. Types map as follows:
* PK11_TypeGeneric PK11GenericObject *
* PK11_TypePrivKey SECKEYPrivateKey *
* PK11_TypePubKey SECKEYPublicKey *
* PK11_TypeSymKey PK11SymKey *
* PK11_TypeCert CERTCertificate * (currently not used).
*/
typedef enum {
PK11_TypeGeneric = 0,
PK11_TypePrivKey = 1,
PK11_TypePubKey = 2,
PK11_TypeCert = 3,
PK11_TypeSymKey = 4
} PK11ObjectType;
/* function pointer type for password callback function.
* This type is passed in to PK11_SetPasswordFunc()
*/
typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg);
typedef PRBool(PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg);
typedef PRBool(PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg);
/*
* Special strings the password callback function can return only if
* the slot is an protected auth path slot.
*/
#define PK11_PW_RETRY "RETRY" /* an failed attempt to authenticate \
* has already been made, just retry \
* the operation */
#define PK11_PW_AUTHENTICATED "AUTH" /* a successful attempt to authenticate \
* has completed. Continue without \
* another call to C_Login */
/* All other non-null values mean that that NSS could call C_Login to force
* the authentication. The following define is to aid applications in
* documenting that is what it's trying to do */
#define PK11_PW_TRY "TRY" /* Default: a prompt has been presented \
* to the user, initiate a C_Login \
* to authenticate the token */
/*
* PKCS #11 key structures
*/
/*
** Attributes
*/
struct SECKEYAttributeStr {
SECItem attrType;
SECItem **attrValue;
};
typedef struct SECKEYAttributeStr SECKEYAttribute;
/*
** A PKCS#8 private key info object
*/
struct SECKEYPrivateKeyInfoStr {
PLArenaPool *arena;
SECItem version;
SECAlgorithmID algorithm;
SECItem privateKey;
SECKEYAttribute **attributes;
};
typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo;
/*
** A PKCS#8 private key info object
*/
struct SECKEYEncryptedPrivateKeyInfoStr {
PLArenaPool *arena;
SECAlgorithmID algorithm;
SECItem encryptedData;
};
typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo;
/*
* token removal detection
*/
typedef enum {
PK11TokenNotRemovable = 0,
PK11TokenPresent = 1,
PK11TokenChanged = 2,
PK11TokenRemoved = 3
} PK11TokenStatus;
typedef enum {
PK11TokenRemovedOrChangedEvent = 0,
PK11TokenPresentEvent = 1
} PK11TokenEvent;
/*
* CRL Import Flags
*/
#define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000
#define CRL_IMPORT_BYPASS_CHECKS 0x00000001
/*
* Merge Error Log
*/
typedef struct PK11MergeLogStr PK11MergeLog;
typedef struct PK11MergeLogNodeStr PK11MergeLogNode;
/* These need to be global, leave some open fields so we can 'expand'
* these without breaking binary compatibility */
struct PK11MergeLogNodeStr {
PK11MergeLogNode *next; /* next entry in the list */
PK11MergeLogNode *prev; /* last entry in the list */
PK11GenericObject *object; /* object that failed */
int error; /* what the error was */
CK_RV reserved1;
unsigned long reserved2; /* future flags */
unsigned long reserved3; /* future scalar */
void *reserved4; /* future pointer */
void *reserved5; /* future expansion pointer */
};
struct PK11MergeLogStr {
PK11MergeLogNode *head;
PK11MergeLogNode *tail;
PLArenaPool *arena;
int version;
unsigned long reserved1;
unsigned long reserved2;
unsigned long reserved3;
void *reserverd4;
void *reserverd5;
};
#endif /*_SECMODT_H_ */
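Review bot: `CRL_IMPORT_BYPASS_CHECKS` is introduced under a bare "CRL Import Flags" heading with no statement of which checks it turns off. A flag that disables validation on revocation data needs its scope spelled out where it is defined, otherwise a caller can weaken CRL handling without realising it; I would add something like `/* CRL_IMPORT_BYPASS_CHECKS: skip the checks normally made on import (list them); only for CRLs the caller has already verified */`. Separately, the comment above `struct SECKEYEncryptedPrivateKeyInfoStr` repeats "A PKCS#8 private key info object" from the preceding struct and should say it is the encrypted form.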


@@ -0,0 +1,140 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _SECOID_H_
#define _SECOID_H_
#include "utilrename.h"
/*
* secoid.h - public data structures and prototypes for ASN.1 OID functions
*/
#include "plarena.h"
#include "seccomon.h"
#include "secoidt.h"
#include "secasn1t.h"
SEC_BEGIN_PROTOS
extern const SEC_ASN1Template SECOID_AlgorithmIDTemplate[];
/* This functions simply returns the address of the above-declared template. */
SEC_ASN1_CHOOSER_DECLARE(SECOID_AlgorithmIDTemplate)
/*
* OID handling routines
*/
extern SECOidData *SECOID_FindOID(const SECItem *oid);
extern SECOidTag SECOID_FindOIDTag(const SECItem *oid);
extern SECOidData *SECOID_FindOIDByTag(SECOidTag tagnum);
extern SECOidData *SECOID_FindOIDByMechanism(unsigned long mechanism);
/****************************************/
/*
** Algorithm id handling operations
*/
/*
** Fill in an algorithm-ID object given a tag and some parameters.
** "aid" where the DER encoded algorithm info is stored (memory
** is allocated)
** "tag" the tag number defining the algorithm
** "params" if not NULL, the parameters to go with the algorithm
*/
extern SECStatus SECOID_SetAlgorithmID(PLArenaPool *arena, SECAlgorithmID *aid,
SECOidTag tag, SECItem *params);
/*
** Copy the "src" object to "dest". Memory is allocated in "dest" for
** each of the appropriate sub-objects. Memory in "dest" is not freed
** before memory is allocated (use SECOID_DestroyAlgorithmID(dest, PR_FALSE)
** to do that).
*/
extern SECStatus SECOID_CopyAlgorithmID(PLArenaPool *arena, SECAlgorithmID *dest,
const SECAlgorithmID *src);
/*
** Get the tag number for the given algorithm-id object.
*/
extern SECOidTag SECOID_GetAlgorithmTag(const SECAlgorithmID *aid);
/*
** Destroy an algorithm-id object.
** "aid" the certificate-request to destroy
** "freeit" if PR_TRUE then free the object as well as its sub-objects
*/
extern void SECOID_DestroyAlgorithmID(SECAlgorithmID *aid, PRBool freeit);
/*
** Compare two algorithm-id objects, returning the difference between
** them.
*/
extern SECComparison SECOID_CompareAlgorithmID(SECAlgorithmID *a,
SECAlgorithmID *b);
extern PRBool SECOID_KnownCertExtenOID(SECItem *extenOid);
/* Given a tag number, return a string describing it.
*/
extern const char *SECOID_FindOIDTagDescription(SECOidTag tagnum);
/* Add a dynamic SECOidData to the dynamic OID table.
** Routine copies the src entry, and returns the new SECOidTag.
** Returns SEC_OID_INVALID if failed to add for some reason.
*/
extern SECOidTag SECOID_AddEntry(const SECOidData *src);
/*
* initialize the oid data structures.
*/
extern SECStatus SECOID_Init(void);
/*
* free up the oid data structures.
*/
extern SECStatus SECOID_Shutdown(void);
/* if to->data is not NULL, and to->len is large enough to hold the result,
* then the resultant OID will be copyed into to->data, and to->len will be
* changed to show the actual OID length.
* Otherwise, memory for the OID will be allocated (from the caller's
* PLArenaPool, if pool is non-NULL) and to->data will receive the address
* of the allocated data, and to->len will receive the OID length.
* The original value of to->data is not freed when a new buffer is allocated.
*
* The input string may begin with "OID." and this still be ignored.
* The length of the input string is given in len. If len == 0, then
* len will be computed as strlen(from), meaning it must be NUL terminated.
* It is an error if from == NULL, or if *from == '\0'.
*/
extern SECStatus SEC_StringToOID(PLArenaPool *pool, SECItem *to,
const char *from, PRUint32 len);
extern void UTIL_SetForkState(PRBool forked);
/*
* Accessor functions for new opaque extended SECOID table.
* Any of these functions may return SECSuccess or SECFailure with the error
* code set to SEC_ERROR_UNKNOWN_OBJECT_TYPE if the SECOidTag is out of range.
*/
/* The Get function outputs the 32-bit value associated with the SECOidTag.
* Flags bits are the NSS_USE_ALG_ #defines in "secoidt.h".
* Default value for any algorithm is 0xffffffff (enabled for all purposes).
* No value is output if function returns SECFailure.
*/
extern SECStatus NSS_GetAlgorithmPolicy(SECOidTag tag, PRUint32 *pValue);
/* The Set function modifies the stored value according to the following
* algorithm:
* policy[tag] = (policy[tag] & ~clearBits) | setBits;
*/
extern SECStatus
NSS_SetAlgorithmPolicy(SECOidTag tag, PRUint32 setBits, PRUint32 clearBits);
SEC_END_PROTOS
#endif /* _SECOID_H_ */


@@ -0,0 +1,540 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _SECOIDT_H_
#define _SECOIDT_H_
#include "utilrename.h"
/*
* secoidt.h - public data structures for ASN.1 OID functions
*/
#include "secitem.h"
typedef struct SECOidDataStr SECOidData;
typedef struct SECAlgorithmIDStr SECAlgorithmID;
/*
** An X.500 algorithm identifier
*/
struct SECAlgorithmIDStr {
SECItem algorithm;
SECItem parameters;
};
/*
* Misc object IDs - these numbers are for convenient handling.
* They are mapped into real object IDs
*
* NOTE: the order of these entries must mach the array "oids" of SECOidData
* in util/secoid.c.
*/
typedef enum {
SEC_OID_UNKNOWN = 0,
SEC_OID_MD2 = 1,
SEC_OID_MD4 = 2,
SEC_OID_MD5 = 3,
SEC_OID_SHA1 = 4,
SEC_OID_RC2_CBC = 5,
SEC_OID_RC4 = 6,
SEC_OID_DES_EDE3_CBC = 7,
SEC_OID_RC5_CBC_PAD = 8,
SEC_OID_DES_ECB = 9,
SEC_OID_DES_CBC = 10,
SEC_OID_DES_OFB = 11,
SEC_OID_DES_CFB = 12,
SEC_OID_DES_MAC = 13,
SEC_OID_DES_EDE = 14,
SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE = 15,
SEC_OID_PKCS1_RSA_ENCRYPTION = 16,
SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION = 17,
SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION = 18,
SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION = 19,
SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION = 20,
SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC = 21,
SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC = 22,
SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC = 23,
SEC_OID_PKCS7 = 24,
SEC_OID_PKCS7_DATA = 25,
SEC_OID_PKCS7_SIGNED_DATA = 26,
SEC_OID_PKCS7_ENVELOPED_DATA = 27,
SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA = 28,
SEC_OID_PKCS7_DIGESTED_DATA = 29,
SEC_OID_PKCS7_ENCRYPTED_DATA = 30,
SEC_OID_PKCS9_EMAIL_ADDRESS = 31,
SEC_OID_PKCS9_UNSTRUCTURED_NAME = 32,
SEC_OID_PKCS9_CONTENT_TYPE = 33,
SEC_OID_PKCS9_MESSAGE_DIGEST = 34,
SEC_OID_PKCS9_SIGNING_TIME = 35,
SEC_OID_PKCS9_COUNTER_SIGNATURE = 36,
SEC_OID_PKCS9_CHALLENGE_PASSWORD = 37,
SEC_OID_PKCS9_UNSTRUCTURED_ADDRESS = 38,
SEC_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES = 39,
SEC_OID_PKCS9_SMIME_CAPABILITIES = 40,
SEC_OID_AVA_COMMON_NAME = 41,
SEC_OID_AVA_COUNTRY_NAME = 42,
SEC_OID_AVA_LOCALITY = 43,
SEC_OID_AVA_STATE_OR_PROVINCE = 44,
SEC_OID_AVA_ORGANIZATION_NAME = 45,
SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME = 46,
SEC_OID_AVA_DN_QUALIFIER = 47,
SEC_OID_AVA_DC = 48,
SEC_OID_NS_TYPE_GIF = 49,
SEC_OID_NS_TYPE_JPEG = 50,
SEC_OID_NS_TYPE_URL = 51,
SEC_OID_NS_TYPE_HTML = 52,
SEC_OID_NS_TYPE_CERT_SEQUENCE = 53,
SEC_OID_MISSI_KEA_DSS_OLD = 54,
SEC_OID_MISSI_DSS_OLD = 55,
SEC_OID_MISSI_KEA_DSS = 56,
SEC_OID_MISSI_DSS = 57,
SEC_OID_MISSI_KEA = 58,
SEC_OID_MISSI_ALT_KEA = 59,
/* Netscape private certificate extensions */
SEC_OID_NS_CERT_EXT_NETSCAPE_OK = 60,
SEC_OID_NS_CERT_EXT_ISSUER_LOGO = 61,
SEC_OID_NS_CERT_EXT_SUBJECT_LOGO = 62,
SEC_OID_NS_CERT_EXT_CERT_TYPE = 63,
SEC_OID_NS_CERT_EXT_BASE_URL = 64,
SEC_OID_NS_CERT_EXT_REVOCATION_URL = 65,
SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL = 66,
SEC_OID_NS_CERT_EXT_CA_CRL_URL = 67,
SEC_OID_NS_CERT_EXT_CA_CERT_URL = 68,
SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL = 69,
SEC_OID_NS_CERT_EXT_CA_POLICY_URL = 70,
SEC_OID_NS_CERT_EXT_HOMEPAGE_URL = 71,
SEC_OID_NS_CERT_EXT_ENTITY_LOGO = 72,
SEC_OID_NS_CERT_EXT_USER_PICTURE = 73,
SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME = 74,
SEC_OID_NS_CERT_EXT_COMMENT = 75,
SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL = 76,
SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME = 77,
SEC_OID_NS_KEY_USAGE_GOVT_APPROVED = 78,
/* x.509 v3 Extensions */
SEC_OID_X509_SUBJECT_DIRECTORY_ATTR = 79,
SEC_OID_X509_SUBJECT_KEY_ID = 80,
SEC_OID_X509_KEY_USAGE = 81,
SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD = 82,
SEC_OID_X509_SUBJECT_ALT_NAME = 83,
SEC_OID_X509_ISSUER_ALT_NAME = 84,
SEC_OID_X509_BASIC_CONSTRAINTS = 85,
SEC_OID_X509_NAME_CONSTRAINTS = 86,
SEC_OID_X509_CRL_DIST_POINTS = 87,
SEC_OID_X509_CERTIFICATE_POLICIES = 88,
SEC_OID_X509_POLICY_MAPPINGS = 89,
SEC_OID_X509_POLICY_CONSTRAINTS = 90,
SEC_OID_X509_AUTH_KEY_ID = 91,
SEC_OID_X509_EXT_KEY_USAGE = 92,
SEC_OID_X509_AUTH_INFO_ACCESS = 93,
SEC_OID_X509_CRL_NUMBER = 94,
SEC_OID_X509_REASON_CODE = 95,
SEC_OID_X509_INVALID_DATE = 96,
/* End of x.509 v3 Extensions */
SEC_OID_X500_RSA_ENCRYPTION = 97,
/* alg 1485 additions */
SEC_OID_RFC1274_UID = 98,
SEC_OID_RFC1274_MAIL = 99,
/* PKCS 12 additions */
SEC_OID_PKCS12 = 100,
SEC_OID_PKCS12_MODE_IDS = 101,
SEC_OID_PKCS12_ESPVK_IDS = 102,
SEC_OID_PKCS12_BAG_IDS = 103,
SEC_OID_PKCS12_CERT_BAG_IDS = 104,
SEC_OID_PKCS12_OIDS = 105,
SEC_OID_PKCS12_PBE_IDS = 106,
SEC_OID_PKCS12_SIGNATURE_IDS = 107,
SEC_OID_PKCS12_ENVELOPING_IDS = 108,
/* SEC_OID_PKCS12_OFFLINE_TRANSPORT_MODE,
SEC_OID_PKCS12_ONLINE_TRANSPORT_MODE, */
SEC_OID_PKCS12_PKCS8_KEY_SHROUDING = 109,
SEC_OID_PKCS12_KEY_BAG_ID = 110,
SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID = 111,
SEC_OID_PKCS12_SECRET_BAG_ID = 112,
SEC_OID_PKCS12_X509_CERT_CRL_BAG = 113,
SEC_OID_PKCS12_SDSI_CERT_BAG = 114,
SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4 = 115,
SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4 = 116,
SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC = 117,
SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC = 118,
SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC = 119,
SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_128_BIT_RC4 = 120,
SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_40_BIT_RC4 = 121,
SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_TRIPLE_DES = 122,
SEC_OID_PKCS12_RSA_SIGNATURE_WITH_SHA1_DIGEST = 123,
/* end of PKCS 12 additions */
/* DSA signatures */
SEC_OID_ANSIX9_DSA_SIGNATURE = 124,
SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST = 125,
SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST = 126,
/* Verisign OIDs */
SEC_OID_VERISIGN_USER_NOTICES = 127,
/* PKIX OIDs */
SEC_OID_PKIX_CPS_POINTER_QUALIFIER = 128,
SEC_OID_PKIX_USER_NOTICE_QUALIFIER = 129,
SEC_OID_PKIX_OCSP = 130,
SEC_OID_PKIX_OCSP_BASIC_RESPONSE = 131,
SEC_OID_PKIX_OCSP_NONCE = 132,
SEC_OID_PKIX_OCSP_CRL = 133,
SEC_OID_PKIX_OCSP_RESPONSE = 134,
SEC_OID_PKIX_OCSP_NO_CHECK = 135,
SEC_OID_PKIX_OCSP_ARCHIVE_CUTOFF = 136,
SEC_OID_PKIX_OCSP_SERVICE_LOCATOR = 137,
SEC_OID_PKIX_REGCTRL_REGTOKEN = 138,
SEC_OID_PKIX_REGCTRL_AUTHENTICATOR = 139,
SEC_OID_PKIX_REGCTRL_PKIPUBINFO = 140,
SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS = 141,
SEC_OID_PKIX_REGCTRL_OLD_CERT_ID = 142,
SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY = 143,
SEC_OID_PKIX_REGINFO_UTF8_PAIRS = 144,
SEC_OID_PKIX_REGINFO_CERT_REQUEST = 145,
SEC_OID_EXT_KEY_USAGE_SERVER_AUTH = 146,
SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH = 147,
SEC_OID_EXT_KEY_USAGE_CODE_SIGN = 148,
SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT = 149,
SEC_OID_EXT_KEY_USAGE_TIME_STAMP = 150,
SEC_OID_OCSP_RESPONDER = 151,
/* Netscape Algorithm OIDs */
SEC_OID_NETSCAPE_SMIME_KEA = 152,
/* Skipjack OID -- ### mwelch temporary */
SEC_OID_FORTEZZA_SKIPJACK = 153,
/* PKCS 12 V2 oids */
SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4 = 154,
SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4 = 155,
SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC = 156,
SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC = 157,
SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC = 158,
SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC = 159,
SEC_OID_PKCS12_SAFE_CONTENTS_ID = 160,
SEC_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG_ID = 161,
SEC_OID_PKCS12_V1_KEY_BAG_ID = 162,
SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID = 163,
SEC_OID_PKCS12_V1_CERT_BAG_ID = 164,
SEC_OID_PKCS12_V1_CRL_BAG_ID = 165,
SEC_OID_PKCS12_V1_SECRET_BAG_ID = 166,
SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID = 167,
SEC_OID_PKCS9_X509_CERT = 168,
SEC_OID_PKCS9_SDSI_CERT = 169,
SEC_OID_PKCS9_X509_CRL = 170,
SEC_OID_PKCS9_FRIENDLY_NAME = 171,
SEC_OID_PKCS9_LOCAL_KEY_ID = 172,
SEC_OID_BOGUS_KEY_USAGE = 173,
/*Diffe Helman OIDS */
SEC_OID_X942_DIFFIE_HELMAN_KEY = 174,
/* Netscape other name types */
/* SEC_OID_NETSCAPE_NICKNAME is an otherName field of type IA5String
* in the subjectAltName certificate extension. NSS dropped support
* for SEC_OID_NETSCAPE_NICKNAME in NSS 3.13. */
SEC_OID_NETSCAPE_NICKNAME = 175,
/* Cert Server OIDS */
SEC_OID_NETSCAPE_RECOVERY_REQUEST = 176,
/* New PSM certificate management OIDs */
SEC_OID_CERT_RENEWAL_LOCATOR = 177,
SEC_OID_NS_CERT_EXT_SCOPE_OF_USE = 178,
/* CMS (RFC2630) OIDs */
SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN = 179,
SEC_OID_CMS_3DES_KEY_WRAP = 180,
SEC_OID_CMS_RC2_KEY_WRAP = 181,
/* SMIME attributes */
SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE = 182,
/* AES OIDs */
SEC_OID_AES_128_ECB = 183,
SEC_OID_AES_128_CBC = 184,
SEC_OID_AES_192_ECB = 185,
SEC_OID_AES_192_CBC = 186,
SEC_OID_AES_256_ECB = 187,
SEC_OID_AES_256_CBC = 188,
SEC_OID_SDN702_DSA_SIGNATURE = 189,
SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE = 190,
SEC_OID_SHA256 = 191,
SEC_OID_SHA384 = 192,
SEC_OID_SHA512 = 193,
SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION = 194,
SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION = 195,
SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION = 196,
SEC_OID_AES_128_KEY_WRAP = 197,
SEC_OID_AES_192_KEY_WRAP = 198,
SEC_OID_AES_256_KEY_WRAP = 199,
/* Elliptic Curve Cryptography (ECC) OIDs */
SEC_OID_ANSIX962_EC_PUBLIC_KEY = 200,
SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE = 201,
#define SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST \
SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE
/* ANSI X9.62 named elliptic curves (prime field) */
SEC_OID_ANSIX962_EC_PRIME192V1 = 202,
SEC_OID_ANSIX962_EC_PRIME192V2 = 203,
SEC_OID_ANSIX962_EC_PRIME192V3 = 204,
SEC_OID_ANSIX962_EC_PRIME239V1 = 205,
SEC_OID_ANSIX962_EC_PRIME239V2 = 206,
SEC_OID_ANSIX962_EC_PRIME239V3 = 207,
SEC_OID_ANSIX962_EC_PRIME256V1 = 208,
/* SECG named elliptic curves (prime field) */
SEC_OID_SECG_EC_SECP112R1 = 209,
SEC_OID_SECG_EC_SECP112R2 = 210,
SEC_OID_SECG_EC_SECP128R1 = 211,
SEC_OID_SECG_EC_SECP128R2 = 212,
SEC_OID_SECG_EC_SECP160K1 = 213,
SEC_OID_SECG_EC_SECP160R1 = 214,
SEC_OID_SECG_EC_SECP160R2 = 215,
SEC_OID_SECG_EC_SECP192K1 = 216,
/* SEC_OID_SECG_EC_SECP192R1 is SEC_OID_ANSIX962_EC_PRIME192V1 */
SEC_OID_SECG_EC_SECP224K1 = 217,
SEC_OID_SECG_EC_SECP224R1 = 218,
SEC_OID_SECG_EC_SECP256K1 = 219,
/* SEC_OID_SECG_EC_SECP256R1 is SEC_OID_ANSIX962_EC_PRIME256V1 */
SEC_OID_SECG_EC_SECP384R1 = 220,
SEC_OID_SECG_EC_SECP521R1 = 221,
/* ANSI X9.62 named elliptic curves (characteristic two field) */
SEC_OID_ANSIX962_EC_C2PNB163V1 = 222,
SEC_OID_ANSIX962_EC_C2PNB163V2 = 223,
SEC_OID_ANSIX962_EC_C2PNB163V3 = 224,
SEC_OID_ANSIX962_EC_C2PNB176V1 = 225,
SEC_OID_ANSIX962_EC_C2TNB191V1 = 226,
SEC_OID_ANSIX962_EC_C2TNB191V2 = 227,
SEC_OID_ANSIX962_EC_C2TNB191V3 = 228,
SEC_OID_ANSIX962_EC_C2ONB191V4 = 229,
SEC_OID_ANSIX962_EC_C2ONB191V5 = 230,
SEC_OID_ANSIX962_EC_C2PNB208W1 = 231,
SEC_OID_ANSIX962_EC_C2TNB239V1 = 232,
SEC_OID_ANSIX962_EC_C2TNB239V2 = 233,
SEC_OID_ANSIX962_EC_C2TNB239V3 = 234,
SEC_OID_ANSIX962_EC_C2ONB239V4 = 235,
SEC_OID_ANSIX962_EC_C2ONB239V5 = 236,
SEC_OID_ANSIX962_EC_C2PNB272W1 = 237,
SEC_OID_ANSIX962_EC_C2PNB304W1 = 238,
SEC_OID_ANSIX962_EC_C2TNB359V1 = 239,
SEC_OID_ANSIX962_EC_C2PNB368W1 = 240,
SEC_OID_ANSIX962_EC_C2TNB431R1 = 241,
/* SECG named elliptic curves (characteristic two field) */
SEC_OID_SECG_EC_SECT113R1 = 242,
SEC_OID_SECG_EC_SECT113R2 = 243,
SEC_OID_SECG_EC_SECT131R1 = 244,
SEC_OID_SECG_EC_SECT131R2 = 245,
SEC_OID_SECG_EC_SECT163K1 = 246,
SEC_OID_SECG_EC_SECT163R1 = 247,
SEC_OID_SECG_EC_SECT163R2 = 248,
SEC_OID_SECG_EC_SECT193R1 = 249,
SEC_OID_SECG_EC_SECT193R2 = 250,
SEC_OID_SECG_EC_SECT233K1 = 251,
SEC_OID_SECG_EC_SECT233R1 = 252,
SEC_OID_SECG_EC_SECT239K1 = 253,
SEC_OID_SECG_EC_SECT283K1 = 254,
SEC_OID_SECG_EC_SECT283R1 = 255,
SEC_OID_SECG_EC_SECT409K1 = 256,
SEC_OID_SECG_EC_SECT409R1 = 257,
SEC_OID_SECG_EC_SECT571K1 = 258,
SEC_OID_SECG_EC_SECT571R1 = 259,
SEC_OID_NETSCAPE_AOLSCREENNAME = 260,
SEC_OID_AVA_SURNAME = 261,
SEC_OID_AVA_SERIAL_NUMBER = 262,
SEC_OID_AVA_STREET_ADDRESS = 263,
SEC_OID_AVA_TITLE = 264,
SEC_OID_AVA_POSTAL_ADDRESS = 265,
SEC_OID_AVA_POSTAL_CODE = 266,
SEC_OID_AVA_POST_OFFICE_BOX = 267,
SEC_OID_AVA_GIVEN_NAME = 268,
SEC_OID_AVA_INITIALS = 269,
SEC_OID_AVA_GENERATION_QUALIFIER = 270,
SEC_OID_AVA_HOUSE_IDENTIFIER = 271,
SEC_OID_AVA_PSEUDONYM = 272,
/* More OIDs */
SEC_OID_PKIX_CA_ISSUERS = 273,
SEC_OID_PKCS9_EXTENSION_REQUEST = 274,
/* new EC Signature oids */
SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST = 275,
SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST = 276,
SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE = 277,
SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE = 278,
SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE = 279,
SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE = 280,
/* More id-ce and id-pe OIDs from RFC 3280 */
SEC_OID_X509_HOLD_INSTRUCTION_CODE = 281,
SEC_OID_X509_DELTA_CRL_INDICATOR = 282,
SEC_OID_X509_ISSUING_DISTRIBUTION_POINT = 283,
SEC_OID_X509_CERT_ISSUER = 284,
SEC_OID_X509_FRESHEST_CRL = 285,
SEC_OID_X509_INHIBIT_ANY_POLICY = 286,
SEC_OID_X509_SUBJECT_INFO_ACCESS = 287,
/* Camellia OIDs (RFC3657)*/
SEC_OID_CAMELLIA_128_CBC = 288,
SEC_OID_CAMELLIA_192_CBC = 289,
SEC_OID_CAMELLIA_256_CBC = 290,
/* PKCS 5 V2 OIDS */
SEC_OID_PKCS5_PBKDF2 = 291,
SEC_OID_PKCS5_PBES2 = 292,
SEC_OID_PKCS5_PBMAC1 = 293,
SEC_OID_HMAC_SHA1 = 294,
SEC_OID_HMAC_SHA224 = 295,
SEC_OID_HMAC_SHA256 = 296,
SEC_OID_HMAC_SHA384 = 297,
SEC_OID_HMAC_SHA512 = 298,
SEC_OID_PKIX_TIMESTAMPING = 299,
SEC_OID_PKIX_CA_REPOSITORY = 300,
SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE = 301,
SEC_OID_SEED_CBC = 302,
SEC_OID_X509_ANY_POLICY = 303,
SEC_OID_PKCS1_RSA_OAEP_ENCRYPTION = 304,
SEC_OID_PKCS1_MGF1 = 305,
SEC_OID_PKCS1_PSPECIFIED = 306,
SEC_OID_PKCS1_RSA_PSS_SIGNATURE = 307,
SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION = 308,
SEC_OID_SHA224 = 309,
SEC_OID_EV_INCORPORATION_LOCALITY = 310,
SEC_OID_EV_INCORPORATION_STATE = 311,
SEC_OID_EV_INCORPORATION_COUNTRY = 312,
SEC_OID_BUSINESS_CATEGORY = 313,
SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST = 314,
SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST = 315,
/* Microsoft Trust List Signing
* szOID_KP_CTL_USAGE_SIGNING
* where KP stands for Key Purpose
*/
SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING = 316,
/* The 'name' attribute type in X.520 */
SEC_OID_AVA_NAME = 317,
SEC_OID_AES_128_GCM = 318,
SEC_OID_AES_192_GCM = 319,
SEC_OID_AES_256_GCM = 320,
SEC_OID_IDEA_CBC = 321,
/* pseudo - OIDs */
SEC_OID_RC2_40_CBC = 322,
SEC_OID_DES_40_CBC = 323,
SEC_OID_RC4_40 = 324,
SEC_OID_RC4_56 = 325,
SEC_OID_NULL_CIPHER = 326,
SEC_OID_HMAC_MD5 = 327,
SEC_OID_TLS_RSA = 328,
SEC_OID_TLS_DHE_RSA = 329,
SEC_OID_TLS_DHE_DSS = 330,
SEC_OID_TLS_DH_RSA = 331,
SEC_OID_TLS_DH_DSS = 332,
SEC_OID_TLS_DH_ANON = 333,
SEC_OID_TLS_ECDHE_ECDSA = 334,
SEC_OID_TLS_ECDHE_RSA = 335,
SEC_OID_TLS_ECDH_ECDSA = 336,
SEC_OID_TLS_ECDH_RSA = 337,
SEC_OID_TLS_ECDH_ANON = 338,
SEC_OID_TLS_RSA_EXPORT = 339,
SEC_OID_TLS_DHE_RSA_EXPORT = 340,
SEC_OID_TLS_DHE_DSS_EXPORT = 341,
SEC_OID_TLS_DH_RSA_EXPORT = 342,
SEC_OID_TLS_DH_DSS_EXPORT = 343,
SEC_OID_TLS_DH_ANON_EXPORT = 344,
SEC_OID_APPLY_SSL_POLICY = 345,
SEC_OID_CHACHA20_POLY1305 = 346,
SEC_OID_TLS_ECDHE_PSK = 347,
SEC_OID_TLS_DHE_PSK = 348,
SEC_OID_TLS_FFDHE_2048 = 349,
SEC_OID_TLS_FFDHE_3072 = 350,
SEC_OID_TLS_FFDHE_4096 = 351,
SEC_OID_TLS_FFDHE_6144 = 352,
SEC_OID_TLS_FFDHE_8192 = 353,
SEC_OID_TLS_DHE_CUSTOM = 354,
SEC_OID_CURVE25519 = 355,
SEC_OID_TLS13_KEA_ANY = 356,
SEC_OID_TOTAL
} SECOidTag;
#define SEC_OID_SECG_EC_SECP192R1 SEC_OID_ANSIX962_EC_PRIME192V1
#define SEC_OID_SECG_EC_SECP256R1 SEC_OID_ANSIX962_EC_PRIME256V1
#define SEC_OID_PKCS12_KEY_USAGE SEC_OID_X509_KEY_USAGE
/* fake OID for DSS sign/verify */
#define SEC_OID_SHA SEC_OID_MISS_DSS
typedef enum {
INVALID_CERT_EXTENSION = 0,
UNSUPPORTED_CERT_EXTENSION = 1,
SUPPORTED_CERT_EXTENSION = 2
} SECSupportExtenTag;
struct SECOidDataStr {
SECItem oid;
SECOidTag offset;
const char* desc;
unsigned long mechanism;
SECSupportExtenTag supportedExtension;
/* only used for x.509 v3 extensions, so
that we can print the names of those
extensions that we don't even support */
};
/* New Opaque extended OID table API.
* These are algorithm policy Flags, used with functions
* NSS_SetAlgorithmPolicy & NSS_GetAlgorithmPolicy.
*/
#define NSS_USE_ALG_IN_CERT_SIGNATURE 0x00000001 /* CRLs and OCSP, too */
#define NSS_USE_ALG_IN_CMS_SIGNATURE 0x00000002 /* used in S/MIME */
#define NSS_USE_ALG_IN_SSL_KX 0x00000004 /* used in SSL key exchange */
#define NSS_USE_ALG_IN_SSL 0x00000008 /* used in SSL record protocol */
#define NSS_USE_POLICY_IN_SSL 0x00000010 /* enable policy in SSL protocol */
#define NSS_USE_ALG_RESERVED 0xfffffffc /* may be used in future */
/* Code MUST NOT SET or CLEAR reserved bits, and must NOT depend on them
* being all zeros or having any other known value. The reserved bits
* must be ignored.
*/
#endif /* _SECOIDT_H_ */
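Review bot: `NSS_USE_ALG_RESERVED` is defined as `0xfffffffc`, which overlaps three of the flags defined just above it (`NSS_USE_ALG_IN_SSL_KX` 0x4, `NSS_USE_ALG_IN_SSL` 0x8, `NSS_USE_POLICY_IN_SSL` 0x10), while the comment below it says reserved bits must never be set or cleared. A caller that filters its `setBits`/`clearBits` through this mask would leave the SSL policy bits untouched, so an algorithm meant to be disabled for TLS could stay enabled. With the five flags shown, the unused bits are `0xffffffe0`, so the define should either become `#define NSS_USE_ALG_RESERVED 0xffffffe0` or carry a comment that the mask is stale. Separately, `#define SEC_OID_SHA SEC_OID_MISS_DSS` names an enumerator this enum does not declare (the closest is `SEC_OID_MISSI_DSS`), so any use of `SEC_OID_SHA` will fail to compile. If this header is an unmodified import, recording both as known upstream issues may be preferable to patching the copy.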


@@ -0,0 +1,61 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _SECPKCS5_H_
#define _SECPKCS5_H_
#include "seccomon.h"
#include "secmodt.h"
/* used for V2 PKCS 12 Draft Spec */
typedef enum {
pbeBitGenIDNull = 0,
pbeBitGenCipherKey = 0x01,
pbeBitGenCipherIV = 0x02,
pbeBitGenIntegrityKey = 0x03
} PBEBitGenID;
typedef struct PBEBitGenContextStr PBEBitGenContext;
SEC_BEGIN_PROTOS
/* private */
SECAlgorithmID *
sec_pkcs5CreateAlgorithmID(SECOidTag algorithm, SECOidTag cipherAlgorithm,
SECOidTag prfAlg, SECOidTag *pPbeAlgorithm,
int keyLengh, SECItem *salt, int iteration);
/* Get the initialization vector. The password is passed in, hashing
* is performed, and the initialization vector is returned.
* algid is a pointer to a PBE algorithm ID
* pwitem is the password
* If an error occurs or the algorithm id is not a PBE algrithm,
* NULL is returned. Otherwise, the iv is returned in a secitem.
*/
SECItem *
SEC_PKCS5GetIV(SECAlgorithmID *algid, SECItem *pwitem, PRBool faulty3DES);
SECOidTag SEC_PKCS5GetCryptoAlgorithm(SECAlgorithmID *algid);
PRBool SEC_PKCS5IsAlgorithmPBEAlg(SECAlgorithmID *algid);
PRBool SEC_PKCS5IsAlgorithmPBEAlgTag(SECOidTag algTag);
SECOidTag SEC_PKCS5GetPBEAlgorithm(SECOidTag algTag, int keyLen);
int SEC_PKCS5GetKeyLength(SECAlgorithmID *algid);
/**********************************************************************
* Deprecated PBE functions. Use the PBE functions in pk11func.h
* instead.
**********************************************************************/
PBEBitGenContext *
PBE_CreateContext(SECOidTag hashAlgorithm, PBEBitGenID bitGenPurpose,
SECItem *pwitem, SECItem *salt, unsigned int bitsNeeded,
unsigned int iterations);
void
PBE_DestroyContext(PBEBitGenContext *context);
SECItem *
PBE_GenerateBits(PBEBitGenContext *context);
SEC_END_PROTOS
#endif /* _SECPKS5_H_ */
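Review bot: The comment above `SEC_PKCS5GetIV` describes `algid` and `pwitem` but says nothing about the third parameter, `faulty3DES`, and does not say who frees the returned `SECItem`. The flag presumably switches the IV derivation to a compatibility behaviour (inferred from the name only), so the comment should state what it selects and when a caller may pass `PR_TRUE`, e.g. `* faulty3DES  <what it changes; when PR_TRUE is acceptable>`, plus a line on ownership of the result. Minor: the closing guard comment reads `_SECPKS5_H_` while the guard is `_SECPKCS5_H_`, and the `sec_pkcs5CreateAlgorithmID` prototype spells its parameter `keyLengh`.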


@@ -0,0 +1,606 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* Interface to the PKCS7 implementation.
*/
#ifndef _SECPKCS7_H_
#define _SECPKCS7_H_
#include "seccomon.h"
#include "secoidt.h"
#include "certt.h"
#include "keyt.h"
#include "hasht.h"
#include "pkcs7t.h"
extern const SEC_ASN1Template sec_PKCS7ContentInfoTemplate[];
/************************************************************************/
SEC_BEGIN_PROTOS
/************************************************************************
* Miscellaneous
************************************************************************/
/*
* Returns the content type of the given contentInfo.
*/
extern SECOidTag SEC_PKCS7ContentType(SEC_PKCS7ContentInfo *cinfo);
/*
* Destroy a PKCS7 contentInfo and all of its sub-pieces.
*/
extern void SEC_PKCS7DestroyContentInfo(SEC_PKCS7ContentInfo *contentInfo);
/*
* Copy a PKCS7 contentInfo. A Destroy is needed on *each* copy.
*/
extern SEC_PKCS7ContentInfo *
SEC_PKCS7CopyContentInfo(SEC_PKCS7ContentInfo *contentInfo);
/*
* Return a pointer to the actual content. In the case of those types
* which are encrypted, this returns the *plain* content.
*/
extern SECItem *SEC_PKCS7GetContent(SEC_PKCS7ContentInfo *cinfo);
/************************************************************************
* PKCS7 Decoding, Verification, etc..
************************************************************************/
extern SEC_PKCS7DecoderContext *
SEC_PKCS7DecoderStart(SEC_PKCS7DecoderContentCallback callback,
void *callback_arg,
SECKEYGetPasswordKey pwfn, void *pwfn_arg,
SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb,
void *decrypt_key_cb_arg,
SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb);
extern SECStatus
SEC_PKCS7DecoderUpdate(SEC_PKCS7DecoderContext *p7dcx,
const char *buf, unsigned long len);
extern SEC_PKCS7ContentInfo *
SEC_PKCS7DecoderFinish(SEC_PKCS7DecoderContext *p7dcx);
/* Abort the underlying ASN.1 stream & set an error */
void SEC_PKCS7DecoderAbort(SEC_PKCS7DecoderContext *p7dcx, int error);
extern SEC_PKCS7ContentInfo *
SEC_PKCS7DecodeItem(SECItem *p7item,
SEC_PKCS7DecoderContentCallback cb, void *cb_arg,
SECKEYGetPasswordKey pwfn, void *pwfn_arg,
SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb,
void *decrypt_key_cb_arg,
SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb);
extern PRBool SEC_PKCS7ContainsCertsOrCrls(SEC_PKCS7ContentInfo *cinfo);
/* checks to see if the contents of the content info is
* empty. it so, PR_TRUE is returned. PR_FALSE, otherwise.
*
* minLen is used to specify a minimum size. if content size <= minLen,
* content is assumed empty.
*/
extern PRBool
SEC_PKCS7IsContentEmpty(SEC_PKCS7ContentInfo *cinfo, unsigned int minLen);
extern PRBool SEC_PKCS7ContentIsEncrypted(SEC_PKCS7ContentInfo *cinfo);
/*
* If the PKCS7 content has a signature (not just *could* have a signature)
* return true; false otherwise. This can/should be called before calling
* VerifySignature, which will always indicate failure if no signature is
* present, but that does not mean there even was a signature!
* Note that the content itself can be empty (detached content was sent
* another way); it is the presence of the signature that matters.
*/
extern PRBool SEC_PKCS7ContentIsSigned(SEC_PKCS7ContentInfo *cinfo);
/*
* SEC_PKCS7VerifySignature
* Look at a PKCS7 contentInfo and check if the signature is good.
* The verification checks that the signing cert is valid and trusted
* for the purpose specified by "certusage".
*
* In addition, if "keepcerts" is true, add any new certificates found
* into our local database.
*/
extern PRBool SEC_PKCS7VerifySignature(SEC_PKCS7ContentInfo *cinfo,
SECCertUsage certusage,
PRBool keepcerts);
/*
* SEC_PKCS7VerifyDetachedSignature
* Look at a PKCS7 contentInfo and check if the signature matches
* a passed-in digest (calculated, supposedly, from detached contents).
* The verification checks that the signing cert is valid and trusted
* for the purpose specified by "certusage".
*
* In addition, if "keepcerts" is true, add any new certificates found
* into our local database.
*/
extern PRBool SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo,
SECCertUsage certusage,
const SECItem *detached_digest,
HASH_HashType digest_type,
PRBool keepcerts);
/*
* SEC_PKCS7VerifyDetachedSignatureAtTime
* Look at a PKCS7 contentInfo and check if the signature matches
* a passed-in digest (calculated, supposedly, from detached contents).
* The verification checks that the signing cert is valid and trusted
* for the purpose specified by "certusage" at time "atTime".
*
* In addition, if "keepcerts" is true, add any new certificates found
* into our local database.
*/
extern PRBool
SEC_PKCS7VerifyDetachedSignatureAtTime(SEC_PKCS7ContentInfo *cinfo,
SECCertUsage certusage,
const SECItem *detached_digest,
HASH_HashType digest_type,
PRBool keepcerts,
PRTime atTime);
/*
* SEC_PKCS7GetSignerCommonName, SEC_PKCS7GetSignerEmailAddress
* The passed-in contentInfo is espected to be Signed, and these
* functions return the specified portion of the full signer name.
*
* Returns a pointer to allocated memory, which must be freed.
* A NULL return value is an error.
*/
extern char *SEC_PKCS7GetSignerCommonName(SEC_PKCS7ContentInfo *cinfo);
extern char *SEC_PKCS7GetSignerEmailAddress(SEC_PKCS7ContentInfo *cinfo);
/*
* Return the the signing time, in UTCTime format, of a PKCS7 contentInfo.
*/
extern SECItem *SEC_PKCS7GetSigningTime(SEC_PKCS7ContentInfo *cinfo);
/************************************************************************
* PKCS7 Creation and Encoding.
************************************************************************/
/*
* Start a PKCS7 signing context.
*
* "cert" is the cert that will be used to sign the data. It will be
* checked for validity.
*
* "certusage" describes the signing usage (e.g. certUsageEmailSigner)
* XXX Maybe SECCertUsage should be split so that our caller just says
* "email" and *we* add the "signing" part -- otherwise our caller
* could be lying about the usage; we do not want to allow encryption
* certs for signing or vice versa.
*
* "certdb" is the cert database to use for verifying the cert.
* It can be NULL if a default database is available (like in the client).
*
* "digestalg" names the digest algorithm (e.g. SEC_OID_SHA1).
*
* "digest" is the actual digest of the data. It must be provided in
* the case of detached data or NULL if the content will be included.
*
* The return value can be passed to functions which add things to
* it like attributes, then eventually to SEC_PKCS7Encode() or to
* SEC_PKCS7EncoderStart() to create the encoded data, and finally to
* SEC_PKCS7DestroyContentInfo().
*
* An error results in a return value of NULL and an error set.
* (Retrieve specific errors via PORT_GetError()/XP_GetError().)
*/
extern SEC_PKCS7ContentInfo *
SEC_PKCS7CreateSignedData(CERTCertificate *cert,
SECCertUsage certusage,
CERTCertDBHandle *certdb,
SECOidTag digestalg,
SECItem *digest,
SECKEYGetPasswordKey pwfn, void *pwfn_arg);
/*
* Create a PKCS7 certs-only container.
*
* "cert" is the (first) cert that will be included.
*
* "include_chain" specifies whether the entire chain for "cert" should
* be included.
*
* "certdb" is the cert database to use for finding the chain.
* It can be NULL in when "include_chain" is false, or when meaning
* use the default database.
*
* More certs and chains can be added via AddCertficate and AddCertChain.
*
* An error results in a return value of NULL and an error set.
* (Retrieve specific errors via PORT_GetError()/XP_GetError().)
*/
extern SEC_PKCS7ContentInfo *
SEC_PKCS7CreateCertsOnly(CERTCertificate *cert,
PRBool include_chain,
CERTCertDBHandle *certdb);
/*
* Start a PKCS7 enveloping context.
*
* "cert" is the cert for the recipient. It will be checked for validity.
*
* "certusage" describes the encryption usage (e.g. certUsageEmailRecipient)
* XXX Maybe SECCertUsage should be split so that our caller just says
* "email" and *we* add the "recipient" part -- otherwise our caller
* could be lying about the usage; we do not want to allow encryption
* certs for signing or vice versa.
*
* "certdb" is the cert database to use for verifying the cert.
* It can be NULL if a default database is available (like in the client).
*
* "encalg" specifies the bulk encryption algorithm to use (e.g. SEC_OID_RC2).
*
* "keysize" specifies the bulk encryption key size, in bits.
*
* The return value can be passed to functions which add things to
* it like more recipients, then eventually to SEC_PKCS7Encode() or to
* SEC_PKCS7EncoderStart() to create the encoded data, and finally to
* SEC_PKCS7DestroyContentInfo().
*
* An error results in a return value of NULL and an error set.
* (Retrieve specific errors via PORT_GetError()/XP_GetError().)
*/
extern SEC_PKCS7ContentInfo *
SEC_PKCS7CreateEnvelopedData(CERTCertificate *cert,
SECCertUsage certusage,
CERTCertDBHandle *certdb,
SECOidTag encalg,
int keysize,
SECKEYGetPasswordKey pwfn, void *pwfn_arg);
/*
* XXX There will be a similar routine for creating signedAndEnvelopedData.
* But its parameters will be different and I have no plans to implement
* it any time soon because we have no current need for it.
*/
/*
* Create an empty PKCS7 data content info.
*
* An error results in a return value of NULL and an error set.
* (Retrieve specific errors via PORT_GetError()/XP_GetError().)
*/
extern SEC_PKCS7ContentInfo *SEC_PKCS7CreateData(void);
/*
* Create an empty PKCS7 encrypted content info.
*
* "algorithm" specifies the bulk encryption algorithm to use.
*
* An error results in a return value of NULL and an error set.
* (Retrieve specific errors via PORT_GetError()/XP_GetError().)
*/
extern SEC_PKCS7ContentInfo *
SEC_PKCS7CreateEncryptedData(SECOidTag algorithm, int keysize,
SECKEYGetPasswordKey pwfn, void *pwfn_arg);
/*
* All of the following things return SECStatus to signal success or failure.
* Failure should have a more specific error status available via
* PORT_GetError()/XP_GetError().
*/
/*
* Add the specified attribute to the authenticated (i.e. signed) attributes
* of "cinfo" -- "oidtag" describes the attribute and "value" is the
* value to be associated with it. NOTE! "value" must already be encoded;
* no interpretation of "oidtag" is done. Also, it is assumed that this
* signedData has only one signer -- if we ever need to add attributes
* when there is more than one signature, we need a way to specify *which*
* signature should get the attribute.
*
* XXX Technically, a signed attribute can have multiple values; if/when
* we ever need to support an attribute which takes multiple values, we
* either need to change this interface or create an AddSignedAttributeValue
* which can be called subsequently, and would then append a value.
*
* "cinfo" should be of type signedData (the only kind of pkcs7 data
* that is allowed authenticated attributes); SECFailure will be returned
* if it is not.
*/
extern SECStatus SEC_PKCS7AddSignedAttribute(SEC_PKCS7ContentInfo *cinfo,
SECOidTag oidtag,
SECItem *value);
/*
* Add "cert" and its entire chain to the set of certs included in "cinfo".
*
* "certdb" is the cert database to use for finding the chain.
* It can be NULL, meaning use the default database.
*
* "cinfo" should be of type signedData or signedAndEnvelopedData;
* SECFailure will be returned if it is not.
*/
extern SECStatus SEC_PKCS7AddCertChain(SEC_PKCS7ContentInfo *cinfo,
CERTCertificate *cert,
CERTCertDBHandle *certdb);
/*
* Add "cert" to the set of certs included in "cinfo".
*
* "cinfo" should be of type signedData or signedAndEnvelopedData;
* SECFailure will be returned if it is not.
*/
extern SECStatus SEC_PKCS7AddCertificate(SEC_PKCS7ContentInfo *cinfo,
CERTCertificate *cert);
/*
* Add another recipient to an encrypted message.
*
* "cinfo" should be of type envelopedData or signedAndEnvelopedData;
* SECFailure will be returned if it is not.
*
* "cert" is the cert for the recipient. It will be checked for validity.
*
* "certusage" describes the encryption usage (e.g. certUsageEmailRecipient)
* XXX Maybe SECCertUsage should be split so that our caller just says
* "email" and *we* add the "recipient" part -- otherwise our caller
* could be lying about the usage; we do not want to allow encryption
* certs for signing or vice versa.
*
* "certdb" is the cert database to use for verifying the cert.
* It can be NULL if a default database is available (like in the client).
*/
extern SECStatus SEC_PKCS7AddRecipient(SEC_PKCS7ContentInfo *cinfo,
CERTCertificate *cert,
SECCertUsage certusage,
CERTCertDBHandle *certdb);
/*
* Add the signing time to the authenticated (i.e. signed) attributes
* of "cinfo". This is expected to be included in outgoing signed
* messages for email (S/MIME) but is likely useful in other situations.
*
* This should only be added once; a second call will either do
* nothing or replace an old signing time with a newer one.
*
* XXX This will probably just shove the current time into "cinfo"
* but it will not actually get signed until the entire item is
* processed for encoding. Is this (expected to be small) delay okay?
*
* "cinfo" should be of type signedData (the only kind of pkcs7 data
* that is allowed authenticated attributes); SECFailure will be returned
* if it is not.
*/
extern SECStatus SEC_PKCS7AddSigningTime(SEC_PKCS7ContentInfo *cinfo);
/*
* Add the signer's symmetric capabilities to the authenticated
* (i.e. signed) attributes of "cinfo". This is expected to be
* included in outgoing signed messages for email (S/MIME).
*
* This can only be added once; a second call will return SECFailure.
*
* "cinfo" should be of type signedData or signedAndEnvelopedData;
* SECFailure will be returned if it is not.
*/
extern SECStatus SEC_PKCS7AddSymmetricCapabilities(SEC_PKCS7ContentInfo *cinfo);
/*
* Mark that the signer's certificate and its issuing chain should
* be included in the encoded data. This is expected to be used
* in outgoing signed messages for email (S/MIME).
*
* "certdb" is the cert database to use for finding the chain.
* It can be NULL, meaning use the default database.
*
* "cinfo" should be of type signedData or signedAndEnvelopedData;
* SECFailure will be returned if it is not.
*/
extern SECStatus SEC_PKCS7IncludeCertChain(SEC_PKCS7ContentInfo *cinfo,
CERTCertDBHandle *certdb);
/*
* Set the content; it will be included and also hashed and/or encrypted
* as appropriate. This is for in-memory content (expected to be "small")
* that will be included in the PKCS7 object. All others should stream the
* content through when encoding (see SEC_PKCS7Encoder{Start,Update,Finish}).
*
* "buf" points to data of length "len"; it will be copied.
*/
extern SECStatus SEC_PKCS7SetContent(SEC_PKCS7ContentInfo *cinfo,
const char *buf, unsigned long len);
/*
* Encode a PKCS7 object, in one shot. All necessary components
* of the object must already be specified. Either the data has
* already been included (via SetContent), or the data is detached,
* or there is no data at all (certs-only).
*
* "cinfo" specifies the object to be encoded.
*
* "outputfn" is where the encoded bytes will be passed.
*
* "outputarg" is an opaque argument to the above callback.
*
* "bulkkey" specifies the bulk encryption key to use. This argument
* can be NULL if no encryption is being done, or if the bulk key should
* be generated internally (usually the case for EnvelopedData but never
* for EncryptedData, which *must* provide a bulk encryption key).
*
* "pwfn" is a callback for getting the password which protects the
* private key of the signer. This argument can be NULL if it is known
* that no signing is going to be done.
*
* "pwfnarg" is an opaque argument to the above callback.
*/
extern SECStatus SEC_PKCS7Encode(SEC_PKCS7ContentInfo *cinfo,
SEC_PKCS7EncoderOutputCallback outputfn,
void *outputarg,
PK11SymKey *bulkkey,
SECKEYGetPasswordKey pwfn,
void *pwfnarg);
/*
* Encode a PKCS7 object, in one shot. All necessary components
* of the object must already be specified. Either the data has
* already been included (via SetContent), or the data is detached,
* or there is no data at all (certs-only). The output, rather than
* being passed to an output function as is done above, is all put
* into a SECItem.
*
* "pool" specifies a pool from which to allocate the result.
* It can be NULL, in which case memory is allocated generically.
*
* "dest" specifies a SECItem in which to put the result data.
* It can be NULL, in which case the entire item is allocated, too.
*
* "cinfo" specifies the object to be encoded.
*
* "bulkkey" specifies the bulk encryption key to use. This argument
* can be NULL if no encryption is being done, or if the bulk key should
* be generated internally (usually the case for EnvelopedData but never
* for EncryptedData, which *must* provide a bulk encryption key).
*
* "pwfn" is a callback for getting the password which protects the
* private key of the signer. This argument can be NULL if it is known
* that no signing is going to be done.
*
* "pwfnarg" is an opaque argument to the above callback.
*/
extern SECItem *SEC_PKCS7EncodeItem(PLArenaPool *pool,
SECItem *dest,
SEC_PKCS7ContentInfo *cinfo,
PK11SymKey *bulkkey,
SECKEYGetPasswordKey pwfn,
void *pwfnarg);
/*
* For those who want to simply point to the pkcs7 contentInfo ASN.1
* template, and *not* call the encoding functions directly, the
* following function can be used -- after it is called, the entire
* PKCS7 contentInfo is ready to be encoded.
*/
extern SECStatus SEC_PKCS7PrepareForEncode(SEC_PKCS7ContentInfo *cinfo,
PK11SymKey *bulkkey,
SECKEYGetPasswordKey pwfn,
void *pwfnarg);
/*
* Start the process of encoding a PKCS7 object. The first part of
* the encoded object will be passed to the output function right away;
* after that it is expected that SEC_PKCS7EncoderUpdate will be called,
* streaming in the actual content that is getting included as well as
* signed or encrypted (or both).
*
* "cinfo" specifies the object to be encoded.
*
* "outputfn" is where the encoded bytes will be passed.
*
* "outputarg" is an opaque argument to the above callback.
*
* "bulkkey" specifies the bulk encryption key to use. This argument
* can be NULL if no encryption is being done, or if the bulk key should
* be generated internally (usually the case for EnvelopedData but never
* for EncryptedData, which *must* provide a bulk encryption key).
*
* Returns an object to be passed to EncoderUpdate and EncoderFinish.
*/
extern SEC_PKCS7EncoderContext *
SEC_PKCS7EncoderStart(SEC_PKCS7ContentInfo *cinfo,
SEC_PKCS7EncoderOutputCallback outputfn,
void *outputarg,
PK11SymKey *bulkkey);
/*
* Encode more contents, hashing and/or encrypting along the way.
*/
extern SECStatus SEC_PKCS7EncoderUpdate(SEC_PKCS7EncoderContext *p7ecx,
const char *buf,
unsigned long len);
/*
* No more contents; finish the signature creation, if appropriate,
* and then the encoding.
*
* "pwfn" is a callback for getting the password which protects the
* signer's private key. This argument can be NULL if it is known
* that no signing is going to be done.
*
* "pwfnarg" is an opaque argument to the above callback.
*/
extern SECStatus SEC_PKCS7EncoderFinish(SEC_PKCS7EncoderContext *p7ecx,
SECKEYGetPasswordKey pwfn,
void *pwfnarg);
/* Abort the underlying ASN.1 stream & set an error */
void SEC_PKCS7EncoderAbort(SEC_PKCS7EncoderContext *p7dcx, int error);
/* retrieve the algorithm ID used to encrypt the content info
* for encrypted and enveloped data. The SECAlgorithmID pointer
* returned needs to be freed as it is a copy of the algorithm
* id in the content info.
*/
extern SECAlgorithmID *
SEC_PKCS7GetEncryptionAlgorithm(SEC_PKCS7ContentInfo *cinfo);
/* the content of an encrypted data content info is encrypted.
* it is assumed that for encrypted data, that the data has already
* been set and is in the "plainContent" field of the content info.
*
* cinfo is the content info to encrypt
*
* key is the key with which to perform the encryption. if the
* algorithm is a password based encryption algorithm, the
* key is actually a password which will be processed per
* PKCS #5.
*
* in the event of an error, SECFailure is returned. SECSuccess
* indicates a success.
*/
extern SECStatus
SEC_PKCS7EncryptContents(PLArenaPool *poolp,
SEC_PKCS7ContentInfo *cinfo,
SECItem *key,
void *wincx);
/* the content of an encrypted data content info is decrypted.
* it is assumed that for encrypted data, that the data has already
* been set and is in the "encContent" field of the content info.
*
* cinfo is the content info to decrypt
*
* key is the key with which to perform the decryption. if the
* algorithm is a password based encryption algorithm, the
* key is actually a password which will be processed per
* PKCS #5.
*
* in the event of an error, SECFailure is returned. SECSuccess
* indicates a success.
*/
extern SECStatus
SEC_PKCS7DecryptContents(PLArenaPool *poolp,
SEC_PKCS7ContentInfo *cinfo,
SECItem *key,
void *wincx);
/* retrieve the certificate list from the content info. the list
* is a pointer to the list in the content info. this should not
* be deleted or freed in any way short of calling
* SEC_PKCS7DestroyContentInfo
*/
extern SECItem **
SEC_PKCS7GetCertificateList(SEC_PKCS7ContentInfo *cinfo);
/* Returns the key length (in bits) of the algorithm used to encrypt
this object. Returns 0 if it's not encrypted, or the key length is
irrelevant. */
extern int
SEC_PKCS7GetKeyLength(SEC_PKCS7ContentInfo *cinfo);
/************************************************************************/
SEC_END_PROTOS
#endif /* _SECPKCS7_H_ */


@@ -0,0 +1,287 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* secport.h - portability interfaces for security libraries
*/
#ifndef _SECPORT_H_
#define _SECPORT_H_
#include "utilrename.h"
#include "prlink.h"
/*
* define XP_WIN, XP_BEOS, or XP_UNIX, in case they are not defined
* by anyone else
*/
#ifdef _WINDOWS
#ifndef XP_WIN
#define XP_WIN
#endif
#if defined(_WIN32) || defined(WIN32)
#ifndef XP_WIN32
#define XP_WIN32
#endif
#endif
#endif
#ifdef __BEOS__
#ifndef XP_BEOS
#define XP_BEOS
#endif
#endif
#ifdef unix
#ifndef XP_UNIX
#define XP_UNIX
#endif
#endif
#include <sys/types.h>
#include <ctype.h>
#include <string.h>
#include <stddef.h>
#include <stdlib.h>
#include "prtypes.h"
#include "prlog.h" /* for PR_ASSERT */
#include "plarena.h"
#include "plstr.h"
/*
* HACK for NSS 2.8 to allow Admin to compile without source changes.
*/
#ifndef SEC_BEGIN_PROTOS
#include "seccomon.h"
#endif
/*
* The PORT_*Arena* function signatures mostly involve PLArenaPool* arguments.
* But this is misleading! It's not actually safe to use vanilla PLArenaPools
* with them. There are two "subclasses" of PLArenaPool that should be used
* instead.
*
* - PORTArenaPool (defined in secport.c): this "subclass" is always
* heap-allocated and uses a (heap-allocated) lock to protect all accesses.
* Use PORT_NewArena() and PORT_FreeArena() to create and destroy
* PORTArenaPools.
*
* - PORTCheapArenaPool (defined here): this "subclass" can be stack-allocated
* and does not use a lock to protect accesses. This makes it cheaper but
* less general. It is best used for arena pools that (a) are hot, (b) have
* lifetimes bounded within a single function, and (c) don't need locking.
* Use PORT_InitArena() and PORT_DestroyArena() to initialize and finalize
* PORTCheapArenaPools.
*
* All the other PORT_Arena* functions will operate safely with either
* subclass.
*/
typedef struct PORTCheapArenaPool_str {
PLArenaPool arena;
PRUint32 magic; /* This is used to distinguish the two subclasses. */
} PORTCheapArenaPool;
SEC_BEGIN_PROTOS
extern void *PORT_Alloc(size_t len);
extern void *PORT_Realloc(void *old, size_t len);
extern void *PORT_ZAlloc(size_t len);
extern void PORT_Free(void *ptr);
extern void PORT_ZFree(void *ptr, size_t len);
extern char *PORT_Strdup(const char *s);
extern void PORT_SetError(int value);
extern int PORT_GetError(void);
/* These functions are for use with PORTArenaPools. */
extern PLArenaPool *PORT_NewArena(unsigned long chunksize);
extern void PORT_FreeArena(PLArenaPool *arena, PRBool zero);
/* These functions are for use with PORTCheapArenaPools. */
extern void PORT_InitCheapArena(PORTCheapArenaPool *arena,
unsigned long chunksize);
extern void PORT_DestroyCheapArena(PORTCheapArenaPool *arena);
/* These functions work with both kinds of arena pool. */
extern void *PORT_ArenaAlloc(PLArenaPool *arena, size_t size);
extern void *PORT_ArenaZAlloc(PLArenaPool *arena, size_t size);
extern void *PORT_ArenaGrow(PLArenaPool *arena, void *ptr,
size_t oldsize, size_t newsize);
extern void *PORT_ArenaMark(PLArenaPool *arena);
extern void PORT_ArenaRelease(PLArenaPool *arena, void *mark);
extern void PORT_ArenaZRelease(PLArenaPool *arena, void *mark);
extern void PORT_ArenaUnmark(PLArenaPool *arena, void *mark);
extern char *PORT_ArenaStrdup(PLArenaPool *arena, const char *str);
SEC_END_PROTOS
#define PORT_Assert PR_ASSERT
/* This runs a function that should return SECSuccess.
* Intended for NSS internal use only.
* The return value is asserted in a debug build, otherwise it is ignored.
* This is no substitute for proper error handling. It is OK only if you
* have ensured that the function cannot fail by other means such as checking
* prerequisites. In that case this can be used as a safeguard against
* unexpected changes in a function.
*/
#ifdef DEBUG
#define PORT_CheckSuccess(f) PR_ASSERT((f) == SECSuccess)
#else
#define PORT_CheckSuccess(f) (f)
#endif
#define PORT_ZNew(type) (type *)PORT_ZAlloc(sizeof(type))
#define PORT_New(type) (type *)PORT_Alloc(sizeof(type))
#define PORT_ArenaNew(poolp, type) \
(type *)PORT_ArenaAlloc(poolp, sizeof(type))
#define PORT_ArenaZNew(poolp, type) \
(type *)PORT_ArenaZAlloc(poolp, sizeof(type))
#define PORT_NewArray(type, num) \
(type *)PORT_Alloc(sizeof(type) * (num))
#define PORT_ZNewArray(type, num) \
(type *)PORT_ZAlloc(sizeof(type) * (num))
#define PORT_ArenaNewArray(poolp, type, num) \
(type *)PORT_ArenaAlloc(poolp, sizeof(type) * (num))
#define PORT_ArenaZNewArray(poolp, type, num) \
(type *)PORT_ArenaZAlloc(poolp, sizeof(type) * (num))
/* Please, keep these defines sorted alphabetically. Thanks! */
#define PORT_Atoi(buff) (int)strtol(buff, NULL, 10)
/* Returns a UTF-8 encoded constant error string for err.
* Returns NULL if initialization of the error tables fails
* due to insufficient memory.
*
* This string must not be modified by the application.
*/
#define PORT_ErrorToString(err) PR_ErrorToString((err), PR_LANGUAGE_I_DEFAULT)
#define PORT_ErrorToName PR_ErrorToName
#define PORT_Memcmp memcmp
#define PORT_Memcpy memcpy
#ifndef SUNOS4
#define PORT_Memmove memmove
#else /*SUNOS4*/
#define PORT_Memmove(s, ct, n) bcopy((ct), (s), (n))
#endif /*SUNOS4*/
#define PORT_Memset memset
#define PORT_Strcasecmp PL_strcasecmp
#define PORT_Strcat strcat
#define PORT_Strchr strchr
#define PORT_Strrchr strrchr
#define PORT_Strcmp strcmp
#define PORT_Strcpy strcpy
#define PORT_Strlen(s) strlen(s)
#define PORT_Strncasecmp PL_strncasecmp
#define PORT_Strncat strncat
#define PORT_Strncmp strncmp
#define PORT_Strncpy strncpy
#define PORT_Strpbrk strpbrk
#define PORT_Strstr strstr
#define PORT_Strtok strtok
#define PORT_Tolower tolower
typedef PRBool(PR_CALLBACK *PORTCharConversionWSwapFunc)(PRBool toUnicode,
unsigned char *inBuf, unsigned int inBufLen,
unsigned char *outBuf, unsigned int maxOutBufLen,
unsigned int *outBufLen, PRBool swapBytes);
typedef PRBool(PR_CALLBACK *PORTCharConversionFunc)(PRBool toUnicode,
unsigned char *inBuf, unsigned int inBufLen,
unsigned char *outBuf, unsigned int maxOutBufLen,
unsigned int *outBufLen);
SEC_BEGIN_PROTOS
void PORT_SetUCS4_UTF8ConversionFunction(PORTCharConversionFunc convFunc);
void PORT_SetUCS2_ASCIIConversionFunction(PORTCharConversionWSwapFunc convFunc);
PRBool PORT_UCS4_UTF8Conversion(PRBool toUnicode, unsigned char *inBuf,
unsigned int inBufLen, unsigned char *outBuf,
unsigned int maxOutBufLen, unsigned int *outBufLen);
PRBool PORT_UCS2_ASCIIConversion(PRBool toUnicode, unsigned char *inBuf,
unsigned int inBufLen, unsigned char *outBuf,
unsigned int maxOutBufLen, unsigned int *outBufLen,
PRBool swapBytes);
void PORT_SetUCS2_UTF8ConversionFunction(PORTCharConversionFunc convFunc);
PRBool PORT_UCS2_UTF8Conversion(PRBool toUnicode, unsigned char *inBuf,
unsigned int inBufLen, unsigned char *outBuf,
unsigned int maxOutBufLen, unsigned int *outBufLen);
/* One-way conversion from ISO-8859-1 to UTF-8 */
PRBool PORT_ISO88591_UTF8Conversion(const unsigned char *inBuf,
unsigned int inBufLen, unsigned char *outBuf,
unsigned int maxOutBufLen, unsigned int *outBufLen);
extern PRBool
sec_port_ucs4_utf8_conversion_function(
PRBool toUnicode,
unsigned char *inBuf,
unsigned int inBufLen,
unsigned char *outBuf,
unsigned int maxOutBufLen,
unsigned int *outBufLen);
extern PRBool
sec_port_ucs2_utf8_conversion_function(
PRBool toUnicode,
unsigned char *inBuf,
unsigned int inBufLen,
unsigned char *outBuf,
unsigned int maxOutBufLen,
unsigned int *outBufLen);
/* One-way conversion from ISO-8859-1 to UTF-8 */
extern PRBool
sec_port_iso88591_utf8_conversion_function(
const unsigned char *inBuf,
unsigned int inBufLen,
unsigned char *outBuf,
unsigned int maxOutBufLen,
unsigned int *outBufLen);
extern int NSS_PutEnv(const char *envVarName, const char *envValue);
extern int NSS_SecureMemcmp(const void *a, const void *b, size_t n);
/*
* Load a shared library called "newShLibName" in the same directory as
* a shared library that is already loaded, called existingShLibName.
* A pointer to a static function in that shared library,
* staticShLibFunc, is required.
*
* existingShLibName:
* The file name of the shared library that shall be used as the
* "reference library". The loader will attempt to load the requested
* library from the same directory as the reference library.
*
* staticShLibFunc:
* Pointer to a static function in the "reference library".
*
* newShLibName:
* The simple file name of the new shared library to be loaded.
*
* We use PR_GetLibraryFilePathname to get the pathname of the loaded
* shared lib that contains this function, and then do a
* PR_LoadLibraryWithFlags with an absolute pathname for the shared
* library to be loaded.
*
* On Windows, the "alternate search path" strategy is employed, if available.
* On Unix, if existingShLibName is a symbolic link, and no link exists for the
* new library, the original link will be resolved, and the new library loaded
* from the resolved location.
*
* If the new shared library is not found in the same location as the reference
* library, it will then be loaded from the normal system library path.
*/
PRLibrary *
PORT_LoadLibraryFromOrigin(const char *existingShLibName,
PRFuncPtr staticShLibFunc,
const char *newShLibName);
SEC_END_PROTOS
#endif /* _SECPORT_H_ */
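Review bot: The array allocation macros (`PORT_NewArray`, `PORT_ZNewArray`, `PORT_ArenaNewArray`, `PORT_ArenaZNewArray`) compute `sizeof(type) * (num)` with no overflow check, so a count taken from untrusted input can wrap and produce an undersized buffer. The header should state the caller's obligation, for example `/* Callers must ensure num <= SIZE_MAX / sizeof(type); the multiplication is unchecked. */` above `PORT_NewArray`. The arena comment also tells readers to use `PORT_InitArena()` and `PORT_DestroyArena()`, while the functions declared below it are `PORT_InitCheapArena` and `PORT_DestroyCheapArena`. If this file is an unmodified copy of an upstream library header, which the licence block suggests but the page does not confirm, it is better left as is, with the bound enforced at the call sites in this repository.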


@@ -0,0 +1,14 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _SHSIGN_H_
#define _SHSIGN_H_
#define SGN_SUFFIX ".chk"
#define NSS_SIGN_CHK_MAGIC1 0xf1
#define NSS_SIGN_CHK_MAGIC2 0xc5
#define NSS_SIGN_CHK_MAJOR_VERSION 0x01
#define NSS_SIGN_CHK_MINOR_VERSION 0x02
#endif /* _SHSIGN_H_ */


@@ -0,0 +1,141 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* Header file for routines specific to S/MIME. Keep things that are pure
* pkcs7 out of here; this is for S/MIME policy, S/MIME interoperability, etc.
*/
#ifndef _SMIME_H_
#define _SMIME_H_ 1
#include "cms.h"
/************************************************************************/
SEC_BEGIN_PROTOS
/*
* Initialize the local recording of the user S/MIME cipher preferences.
* This function is called once for each cipher, the order being
* important (first call records greatest preference, and so on).
* When finished, it is called with a "which" of CIPHER_FAMILID_MASK.
* If the function is called again after that, it is assumed that
* the preferences are being reset, and the old preferences are
* discarded.
*
* XXX This is for a particular user, and right now the storage is
* XXX local, static. The preference should be stored elsewhere to allow
* XXX for multiple uses of one library? How does SSL handle this;
* XXX it has something similar?
*
* - The "which" values are defined in ciferfam.h (the SMIME_* values,
* for example SMIME_DES_CBC_56).
* - If "on" is non-zero then the named cipher is enabled, otherwise
* it is disabled. (It is not necessary to call the function for
* ciphers that are disabled, however, as that is the default.)
*
* If the cipher preference is successfully recorded, SECSuccess
* is returned. Otherwise SECFailure is returned. The only errors
* are due to failure allocating memory or bad parameters/calls:
* SEC_ERROR_XXX ("which" is not in the S/MIME cipher family)
* SEC_ERROR_XXX (function is being called more times than there
* are known/expected ciphers)
*/
extern SECStatus NSS_SMIMEUtil_EnableCipher(long which, int on);
/*
* Initialize the local recording of the S/MIME policy.
* This function is called to allow/disallow a particular cipher.
*
* XXX This is for the current module, I think, so local, static storage
* XXX is okay. Is that correct, or could multiple uses of the same
* XXX library expect to operate under different policies?
*
* - The "which" values are defined in ciferfam.h (the SMIME_* values,
* for example SMIME_DES_CBC_56).
* - If "on" is non-zero then the named cipher is enabled, otherwise
* it is disabled.
*/
extern SECStatus NSS_SMIMEUtils_AllowCipher(long which, int on);
/*
* Does the current policy allow S/MIME decryption of this particular
* algorithm and keysize?
*/
extern PRBool NSS_SMIMEUtil_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key);
/*
* Does the current policy allow *any* S/MIME encryption (or decryption)?
*
* This tells whether or not *any* S/MIME encryption can be done,
* according to policy. Callers may use this to do nicer user interface
* (say, greying out a checkbox so a user does not even try to encrypt
* a message when they are not allowed to) or for any reason they want
* to check whether S/MIME encryption (or decryption, for that matter)
* may be done.
*
* It takes no arguments. The return value is a simple boolean:
* PR_TRUE means encryption (or decryption) is *possible*
* (but may still fail due to other reasons, like because we cannot
* find all the necessary certs, etc.; PR_TRUE is *not* a guarantee)
* PR_FALSE means encryption (or decryption) is not permitted
*
* There are no errors from this routine.
*/
extern PRBool NSS_SMIMEUtil_EncryptionPossible(void);
/*
* NSS_SMIMEUtil_CreateSMIMECapabilities - get S/MIME capabilities attr value
*
* scans the list of allowed and enabled ciphers and construct a PKCS9-compliant
* S/MIME capabilities attribute value.
*/
extern SECStatus NSS_SMIMEUtil_CreateSMIMECapabilities(PLArenaPool *poolp, SECItem *dest);
/*
* NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value
*/
extern SECStatus NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs(PLArenaPool *poolp,
SECItem *dest, CERTCertificate *cert);
/*
* NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value using MS oid
*/
extern SECStatus NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs(PLArenaPool *poolp,
SECItem *dest, CERTCertificate *cert);
/*
* NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference - find cert marked by EncryptionKeyPreference
* attribute
*/
extern CERTCertificate *NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference(CERTCertDBHandle *certdb,
SECItem *DERekp);
/*
* NSS_SMIMEUtil_FindBulkAlgForRecipients - find bulk algorithm suitable for all recipients
*/
extern SECStatus
NSS_SMIMEUtil_FindBulkAlgForRecipients(CERTCertificate **rcerts,
SECOidTag *bulkalgtag, int *keysize);
/*
* Return a boolean that indicates whether the underlying library
* will perform as the caller expects.
*
* The only argument is a string, which should be the version
* identifier of the NSS library. That string will be compared
* against a string that represents the actual build version of
* the S/MIME library.
*/
extern PRBool NSSSMIME_VersionCheck(const char *importedVersion);
/*
* Returns a const string of the S/MIME library version.
*/
extern const char *NSSSMIME_GetVersion(void);
/************************************************************************/
SEC_END_PROTOS
#endif /* _SECMIME_H_ */


@@ -0,0 +1,253 @@
/*
* Enumeration of all SSL-specific error codes.
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef __SSL_ERR_H_
#define __SSL_ERR_H_
/* clang-format off */
#define SSL_ERROR_BASE (-0x3000)
#define SSL_ERROR_LIMIT (SSL_ERROR_BASE + 1000)
#define IS_SSL_ERROR(code) \
(((code) >= SSL_ERROR_BASE) && ((code) < SSL_ERROR_LIMIT))
#ifndef NO_SECURITY_ERROR_ENUM
typedef enum {
SSL_ERROR_EXPORT_ONLY_SERVER = (SSL_ERROR_BASE + 0),
/* error 0 is obsolete */
SSL_ERROR_US_ONLY_SERVER = (SSL_ERROR_BASE + 1),
/* error 1 is obsolete */
SSL_ERROR_NO_CYPHER_OVERLAP = (SSL_ERROR_BASE + 2),
/*
* Received an alert reporting what we did wrong. (more alerts below)
*/
SSL_ERROR_NO_CERTIFICATE /*_ALERT */ = (SSL_ERROR_BASE + 3),
SSL_ERROR_BAD_CERTIFICATE = (SSL_ERROR_BASE + 4),
/* error 4 is obsolete */
SSL_ERROR_UNUSED_5 = (SSL_ERROR_BASE + 5),
/* error 5 is obsolete */
SSL_ERROR_BAD_CLIENT = (SSL_ERROR_BASE + 6),
SSL_ERROR_BAD_SERVER = (SSL_ERROR_BASE + 7),
SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE = (SSL_ERROR_BASE + 8),
/* error 8 is obsolete */
SSL_ERROR_UNSUPPORTED_VERSION = (SSL_ERROR_BASE + 9),
SSL_ERROR_UNUSED_10 = (SSL_ERROR_BASE + 10),
/* error 10 is obsolete */
SSL_ERROR_WRONG_CERTIFICATE = (SSL_ERROR_BASE + 11),
/* error 11 is obsolete */
SSL_ERROR_BAD_CERT_DOMAIN = (SSL_ERROR_BASE + 12),
SSL_ERROR_POST_WARNING = (SSL_ERROR_BASE + 13),
/* error 13 is obsolete */
SSL_ERROR_SSL2_DISABLED = (SSL_ERROR_BASE + 14),
/* error 14 is obsolete */
SSL_ERROR_BAD_MAC_READ = (SSL_ERROR_BASE + 15),
/*
* Received an alert reporting what we did wrong.
* (two more alerts above, and many more below)
*/
SSL_ERROR_BAD_MAC_ALERT = (SSL_ERROR_BASE + 16),
SSL_ERROR_BAD_CERT_ALERT = (SSL_ERROR_BASE + 17),
SSL_ERROR_REVOKED_CERT_ALERT = (SSL_ERROR_BASE + 18),
SSL_ERROR_EXPIRED_CERT_ALERT = (SSL_ERROR_BASE + 19),
SSL_ERROR_SSL_DISABLED = (SSL_ERROR_BASE + 20),
SSL_ERROR_FORTEZZA_PQG = (SSL_ERROR_BASE + 21),
/* error 21 is obsolete */
SSL_ERROR_UNKNOWN_CIPHER_SUITE = (SSL_ERROR_BASE + 22),
SSL_ERROR_NO_CIPHERS_SUPPORTED = (SSL_ERROR_BASE + 23),
SSL_ERROR_BAD_BLOCK_PADDING = (SSL_ERROR_BASE + 24),
SSL_ERROR_RX_RECORD_TOO_LONG = (SSL_ERROR_BASE + 25),
SSL_ERROR_TX_RECORD_TOO_LONG = (SSL_ERROR_BASE + 26),
/*
* Received a malformed (too long or short) SSL handshake.
*/
SSL_ERROR_RX_MALFORMED_HELLO_REQUEST = (SSL_ERROR_BASE + 27),
SSL_ERROR_RX_MALFORMED_CLIENT_HELLO = (SSL_ERROR_BASE + 28),
SSL_ERROR_RX_MALFORMED_SERVER_HELLO = (SSL_ERROR_BASE + 29),
SSL_ERROR_RX_MALFORMED_CERTIFICATE = (SSL_ERROR_BASE + 30),
SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH = (SSL_ERROR_BASE + 31),
SSL_ERROR_RX_MALFORMED_CERT_REQUEST = (SSL_ERROR_BASE + 32),
SSL_ERROR_RX_MALFORMED_HELLO_DONE = (SSL_ERROR_BASE + 33),
SSL_ERROR_RX_MALFORMED_CERT_VERIFY = (SSL_ERROR_BASE + 34),
SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH = (SSL_ERROR_BASE + 35),
SSL_ERROR_RX_MALFORMED_FINISHED = (SSL_ERROR_BASE + 36),
/*
* Received a malformed (too long or short) SSL record.
*/
SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER = (SSL_ERROR_BASE + 37),
SSL_ERROR_RX_MALFORMED_ALERT = (SSL_ERROR_BASE + 38),
SSL_ERROR_RX_MALFORMED_HANDSHAKE = (SSL_ERROR_BASE + 39),
SSL_ERROR_RX_MALFORMED_APPLICATION_DATA = (SSL_ERROR_BASE + 40),
/*
* Received an SSL handshake that was inappropriate for the state we're in.
* E.g. Server received message from server, or wrong state in state machine.
*/
SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST = (SSL_ERROR_BASE + 41),
SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO = (SSL_ERROR_BASE + 42),
SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO = (SSL_ERROR_BASE + 43),
SSL_ERROR_RX_UNEXPECTED_CERTIFICATE = (SSL_ERROR_BASE + 44),
SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH = (SSL_ERROR_BASE + 45),
SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST = (SSL_ERROR_BASE + 46),
SSL_ERROR_RX_UNEXPECTED_HELLO_DONE = (SSL_ERROR_BASE + 47),
SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY = (SSL_ERROR_BASE + 48),
SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH = (SSL_ERROR_BASE + 49),
SSL_ERROR_RX_UNEXPECTED_FINISHED = (SSL_ERROR_BASE + 50),
/*
* Received an SSL record that was inappropriate for the state we're in.
*/
SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER = (SSL_ERROR_BASE + 51),
SSL_ERROR_RX_UNEXPECTED_ALERT = (SSL_ERROR_BASE + 52),
SSL_ERROR_RX_UNEXPECTED_HANDSHAKE = (SSL_ERROR_BASE + 53),
SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA = (SSL_ERROR_BASE + 54),
/*
* Received record/message with unknown discriminant.
*/
SSL_ERROR_RX_UNKNOWN_RECORD_TYPE = (SSL_ERROR_BASE + 55),
SSL_ERROR_RX_UNKNOWN_HANDSHAKE = (SSL_ERROR_BASE + 56),
SSL_ERROR_RX_UNKNOWN_ALERT = (SSL_ERROR_BASE + 57),
/*
* Received an alert reporting what we did wrong. (more alerts above)
*/
SSL_ERROR_CLOSE_NOTIFY_ALERT = (SSL_ERROR_BASE + 58),
SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT = (SSL_ERROR_BASE + 59),
SSL_ERROR_DECOMPRESSION_FAILURE_ALERT = (SSL_ERROR_BASE + 60),
SSL_ERROR_HANDSHAKE_FAILURE_ALERT = (SSL_ERROR_BASE + 61),
SSL_ERROR_ILLEGAL_PARAMETER_ALERT = (SSL_ERROR_BASE + 62),
SSL_ERROR_UNSUPPORTED_CERT_ALERT = (SSL_ERROR_BASE + 63),
SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT = (SSL_ERROR_BASE + 64),
SSL_ERROR_GENERATE_RANDOM_FAILURE = (SSL_ERROR_BASE + 65),
SSL_ERROR_SIGN_HASHES_FAILURE = (SSL_ERROR_BASE + 66),
SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE = (SSL_ERROR_BASE + 67),
SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE = (SSL_ERROR_BASE + 68),
SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE = (SSL_ERROR_BASE + 69),
SSL_ERROR_ENCRYPTION_FAILURE = (SSL_ERROR_BASE + 70),
SSL_ERROR_DECRYPTION_FAILURE = (SSL_ERROR_BASE + 71),
/* error 71 is obsolete */
SSL_ERROR_SOCKET_WRITE_FAILURE = (SSL_ERROR_BASE + 72),
SSL_ERROR_MD5_DIGEST_FAILURE = (SSL_ERROR_BASE + 73),
SSL_ERROR_SHA_DIGEST_FAILURE = (SSL_ERROR_BASE + 74),
SSL_ERROR_MAC_COMPUTATION_FAILURE = (SSL_ERROR_BASE + 75),
SSL_ERROR_SYM_KEY_CONTEXT_FAILURE = (SSL_ERROR_BASE + 76),
SSL_ERROR_SYM_KEY_UNWRAP_FAILURE = (SSL_ERROR_BASE + 77),
SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED = (SSL_ERROR_BASE + 78),
/* error 78 is obsolete */
SSL_ERROR_IV_PARAM_FAILURE = (SSL_ERROR_BASE + 79),
SSL_ERROR_INIT_CIPHER_SUITE_FAILURE = (SSL_ERROR_BASE + 80),
SSL_ERROR_SESSION_KEY_GEN_FAILURE = (SSL_ERROR_BASE + 81),
SSL_ERROR_NO_SERVER_KEY_FOR_ALG = (SSL_ERROR_BASE + 82),
SSL_ERROR_TOKEN_INSERTION_REMOVAL = (SSL_ERROR_BASE + 83),
SSL_ERROR_TOKEN_SLOT_NOT_FOUND = (SSL_ERROR_BASE + 84),
SSL_ERROR_NO_COMPRESSION_OVERLAP = (SSL_ERROR_BASE + 85),
SSL_ERROR_HANDSHAKE_NOT_COMPLETED = (SSL_ERROR_BASE + 86),
SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE = (SSL_ERROR_BASE + 87),
SSL_ERROR_CERT_KEA_MISMATCH = (SSL_ERROR_BASE + 88),
SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA = (SSL_ERROR_BASE + 89),
/* error 89 is obsolete */
SSL_ERROR_SESSION_NOT_FOUND = (SSL_ERROR_BASE + 90),
SSL_ERROR_DECRYPTION_FAILED_ALERT = (SSL_ERROR_BASE + 91),
SSL_ERROR_RECORD_OVERFLOW_ALERT = (SSL_ERROR_BASE + 92),
SSL_ERROR_UNKNOWN_CA_ALERT = (SSL_ERROR_BASE + 93),
SSL_ERROR_ACCESS_DENIED_ALERT = (SSL_ERROR_BASE + 94),
SSL_ERROR_DECODE_ERROR_ALERT = (SSL_ERROR_BASE + 95),
SSL_ERROR_DECRYPT_ERROR_ALERT = (SSL_ERROR_BASE + 96),
SSL_ERROR_EXPORT_RESTRICTION_ALERT = (SSL_ERROR_BASE + 97),
SSL_ERROR_PROTOCOL_VERSION_ALERT = (SSL_ERROR_BASE + 98),
SSL_ERROR_INSUFFICIENT_SECURITY_ALERT = (SSL_ERROR_BASE + 99),
SSL_ERROR_INTERNAL_ERROR_ALERT = (SSL_ERROR_BASE + 100),
SSL_ERROR_USER_CANCELED_ALERT = (SSL_ERROR_BASE + 101),
SSL_ERROR_NO_RENEGOTIATION_ALERT = (SSL_ERROR_BASE + 102),
SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED = (SSL_ERROR_BASE + 103),
SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT = (SSL_ERROR_BASE + 104),
SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT = (SSL_ERROR_BASE + 105),
SSL_ERROR_UNRECOGNIZED_NAME_ALERT = (SSL_ERROR_BASE + 106),
SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT = (SSL_ERROR_BASE + 107),
SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT = (SSL_ERROR_BASE + 108),
SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET = (SSL_ERROR_BASE + 109),
SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET = (SSL_ERROR_BASE + 110),
SSL_ERROR_DECOMPRESSION_FAILURE = (SSL_ERROR_BASE + 111),
SSL_ERROR_RENEGOTIATION_NOT_ALLOWED = (SSL_ERROR_BASE + 112),
SSL_ERROR_UNSAFE_NEGOTIATION = (SSL_ERROR_BASE + 113),
SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD = (SSL_ERROR_BASE + 114),
SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY = (SSL_ERROR_BASE + 115),
SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID = (SSL_ERROR_BASE + 116),
SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2 = (SSL_ERROR_BASE + 117),
/* error 117 is obsolete */
SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SERVERS = (SSL_ERROR_BASE + 118),
SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_CLIENTS = (SSL_ERROR_BASE + 119),
SSL_ERROR_INVALID_VERSION_RANGE = (SSL_ERROR_BASE + 120),
SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION = (SSL_ERROR_BASE + 121),
SSL_ERROR_RX_MALFORMED_HELLO_VERIFY_REQUEST = (SSL_ERROR_BASE + 122),
SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST = (SSL_ERROR_BASE + 123),
SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION = (SSL_ERROR_BASE + 124),
SSL_ERROR_RX_UNEXPECTED_CERT_STATUS = (SSL_ERROR_BASE + 125),
SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM = (SSL_ERROR_BASE + 126),
SSL_ERROR_DIGEST_FAILURE = (SSL_ERROR_BASE + 127),
SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM = (SSL_ERROR_BASE + 128),
SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK = (SSL_ERROR_BASE + 129),
SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL = (SSL_ERROR_BASE + 130),
SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT = (SSL_ERROR_BASE + 131),
SSL_ERROR_WEAK_SERVER_CERT_KEY = (SSL_ERROR_BASE + 132),
SSL_ERROR_RX_SHORT_DTLS_READ = (SSL_ERROR_BASE + 133),
SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM = (SSL_ERROR_BASE + 134),
SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM = (SSL_ERROR_BASE + 135),
SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET = (SSL_ERROR_BASE + 136),
SSL_ERROR_UNEXPECTED_EXTENDED_MASTER_SECRET = (SSL_ERROR_BASE + 137),
SSL_ERROR_RX_MALFORMED_KEY_SHARE = (SSL_ERROR_BASE + 138),
SSL_ERROR_MISSING_KEY_SHARE = (SSL_ERROR_BASE + 139),
SSL_ERROR_RX_MALFORMED_ECDHE_KEY_SHARE = (SSL_ERROR_BASE + 140),
SSL_ERROR_RX_MALFORMED_DHE_KEY_SHARE = (SSL_ERROR_BASE + 141),
SSL_ERROR_RX_UNEXPECTED_ENCRYPTED_EXTENSIONS = (SSL_ERROR_BASE + 142),
SSL_ERROR_MISSING_EXTENSION_ALERT = (SSL_ERROR_BASE + 143),
SSL_ERROR_KEY_EXCHANGE_FAILURE = (SSL_ERROR_BASE + 144),
SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION = (SSL_ERROR_BASE + 145),
SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS = (SSL_ERROR_BASE + 146),
SSL_ERROR_MALFORMED_PRE_SHARED_KEY = (SSL_ERROR_BASE + 147),
SSL_ERROR_MALFORMED_EARLY_DATA = (SSL_ERROR_BASE + 148),
SSL_ERROR_END_OF_EARLY_DATA_ALERT = (SSL_ERROR_BASE + 149),
SSL_ERROR_MISSING_ALPN_EXTENSION = (SSL_ERROR_BASE + 150),
SSL_ERROR_RX_UNEXPECTED_EXTENSION = (SSL_ERROR_BASE + 151),
SSL_ERROR_MISSING_SUPPORTED_GROUPS_EXTENSION = (SSL_ERROR_BASE + 152),
SSL_ERROR_TOO_MANY_RECORDS = (SSL_ERROR_BASE + 153),
SSL_ERROR_RX_UNEXPECTED_HELLO_RETRY_REQUEST = (SSL_ERROR_BASE + 154),
SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST = (SSL_ERROR_BASE + 155),
SSL_ERROR_BAD_2ND_CLIENT_HELLO = (SSL_ERROR_BASE + 156),
SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION = (SSL_ERROR_BASE + 157),
SSL_ERROR_MALFORMED_PSK_KEY_EXCHANGE_MODES = (SSL_ERROR_BASE + 158),
SSL_ERROR_MISSING_PSK_KEY_EXCHANGE_MODES = (SSL_ERROR_BASE + 159),
SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */
} SSLErrorCodes;
#endif /* NO_SECURITY_ERROR_ENUM */
/* clang-format on */
#endif /* __SSL_ERR_H_ */


@@ -0,0 +1,294 @@
/*
* Various and sundry protocol constants. DON'T CHANGE THESE. These values
* are mostly defined by the SSL3 or TLS protocol specifications.
* Cipher kinds and ciphersuites are part of the public API.
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef __sslproto_h_
#define __sslproto_h_
/* clang-format off */
/* All versions less than 3_0 are treated as SSL version 2 */
#define SSL_LIBRARY_VERSION_2 0x0002
#define SSL_LIBRARY_VERSION_3_0 0x0300
#define SSL_LIBRARY_VERSION_TLS_1_0 0x0301
#define SSL_LIBRARY_VERSION_TLS_1_1 0x0302
#define SSL_LIBRARY_VERSION_TLS_1_2 0x0303
#define SSL_LIBRARY_VERSION_TLS_1_3 0x0304
/* Note: this is the internal format, not the wire format */
#define SSL_LIBRARY_VERSION_DTLS_1_0 SSL_LIBRARY_VERSION_TLS_1_1
#define SSL_LIBRARY_VERSION_DTLS_1_2 SSL_LIBRARY_VERSION_TLS_1_2
#define SSL_LIBRARY_VERSION_DTLS_1_3 SSL_LIBRARY_VERSION_TLS_1_3
/* deprecated old name */
#define SSL_LIBRARY_VERSION_3_1_TLS SSL_LIBRARY_VERSION_TLS_1_0
/* The DTLS versions used in the spec */
#define SSL_LIBRARY_VERSION_DTLS_1_0_WIRE ((~0x0100) & 0xffff)
#define SSL_LIBRARY_VERSION_DTLS_1_2_WIRE ((~0x0102) & 0xffff)
#define SSL_LIBRARY_VERSION_DTLS_1_3_WIRE SSL_LIBRARY_VERSION_DTLS_1_3
/* Certificate types */
#define SSL_CT_X509_CERTIFICATE 0x01
#if 0 /* XXX Not implemented yet */
#define SSL_PKCS6_CERTIFICATE 0x02
#endif
#define SSL_AT_MD5_WITH_RSA_ENCRYPTION 0x01
/* Error codes */
#define SSL_PE_NO_CYPHERS 0x0001
#define SSL_PE_NO_CERTIFICATE 0x0002
#define SSL_PE_BAD_CERTIFICATE 0x0004
#define SSL_PE_UNSUPPORTED_CERTIFICATE_TYPE 0x0006
/* Deprecated SSL 3.0 & libssl names replaced by IANA-registered TLS names. */
#ifndef SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES
#define SSL_NULL_WITH_NULL_NULL TLS_NULL_WITH_NULL_NULL
#define SSL_RSA_WITH_NULL_MD5 TLS_RSA_WITH_NULL_MD5
#define SSL_RSA_WITH_NULL_SHA TLS_RSA_WITH_NULL_SHA
#define SSL_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_MD5
#define SSL_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_SHA
#define SSL_RSA_WITH_IDEA_CBC_SHA TLS_RSA_WITH_IDEA_CBC_SHA
#define SSL_RSA_WITH_DES_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA
#define SSL_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
#define SSL_DH_DSS_WITH_DES_CBC_SHA TLS_DH_DSS_WITH_DES_CBC_SHA
#define SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
#define SSL_DH_RSA_WITH_DES_CBC_SHA TLS_DH_RSA_WITH_DES_CBC_SHA
#define SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
#define SSL_DHE_DSS_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA
#define SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
#define SSL_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_RSA_WITH_DES_CBC_SHA
#define SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
#define SSL_DH_ANON_WITH_RC4_128_MD5 TLS_DH_anon_WITH_RC4_128_MD5
#define SSL_DH_ANON_WITH_DES_CBC_SHA TLS_DH_anon_WITH_DES_CBC_SHA
#define SSL_DH_ANON_WITH_3DES_EDE_CBC_SHA TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
#define TLS_DH_ANON_WITH_AES_128_CBC_SHA TLS_DH_anon_WITH_AES_128_CBC_SHA
#define TLS_DH_ANON_WITH_AES_256_CBC_SHA TLS_DH_anon_WITH_AES_256_CBC_SHA
#define TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
#define TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
#endif
#define TLS_NULL_WITH_NULL_NULL 0x0000
#define TLS_RSA_WITH_NULL_MD5 0x0001
#define TLS_RSA_WITH_NULL_SHA 0x0002
#define TLS_RSA_WITH_RC4_128_MD5 0x0004
#define TLS_RSA_WITH_RC4_128_SHA 0x0005
#define TLS_RSA_WITH_IDEA_CBC_SHA 0x0007
#define TLS_RSA_WITH_DES_CBC_SHA 0x0009
#define TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000a
#define TLS_DH_DSS_WITH_DES_CBC_SHA 0x000c
#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA 0x000d
#define TLS_DH_RSA_WITH_DES_CBC_SHA 0x000f
#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA 0x0010
#define TLS_DHE_DSS_WITH_DES_CBC_SHA 0x0012
#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x0013
#define TLS_DHE_RSA_WITH_DES_CBC_SHA 0x0015
#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016
#define TLS_DH_anon_WITH_RC4_128_MD5 0x0018
#define TLS_DH_anon_WITH_DES_CBC_SHA 0x001a
#define TLS_DH_anon_WITH_3DES_EDE_CBC_SHA 0x001b
#define TLS_RSA_WITH_AES_128_CBC_SHA 0x002F
#define TLS_DH_DSS_WITH_AES_128_CBC_SHA 0x0030
#define TLS_DH_RSA_WITH_AES_128_CBC_SHA 0x0031
#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x0032
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033
#define TLS_DH_anon_WITH_AES_128_CBC_SHA 0x0034
#define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035
#define TLS_DH_DSS_WITH_AES_256_CBC_SHA 0x0036
#define TLS_DH_RSA_WITH_AES_256_CBC_SHA 0x0037
#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039
#define TLS_DH_anon_WITH_AES_256_CBC_SHA 0x003A
#define TLS_RSA_WITH_NULL_SHA256 0x003B
#define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C
#define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D
#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 0x0040
#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0041
#define TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA 0x0042
#define TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0043
#define TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA 0x0044
#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0045
#define TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA 0x0046
#define TLS_DHE_DSS_WITH_RC4_128_SHA 0x0066
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067
#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 0x006A
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B
#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0084
#define TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA 0x0085
#define TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0086
#define TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA 0x0087
#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0088
#define TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA 0x0089
#define TLS_RSA_WITH_SEED_CBC_SHA 0x0096
#define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C
#define TLS_RSA_WITH_AES_256_GCM_SHA384 0x009D
#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E
#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x009F
#define TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00A2
#define TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 0x00A3
/* TLS "Signaling Cipher Suite Value" (SCSV). May be requested by client.
* Must NEVER be chosen by server. SSL 3.0 server acknowledges by sending
* back an empty Renegotiation Info (RI) server hello extension.
*/
#define TLS_EMPTY_RENEGOTIATION_INFO_SCSV 0x00FF
/* TLS_FALLBACK_SCSV is a signaling cipher suite value that indicates that a
* handshake is the result of TLS version fallback.
*/
#define TLS_FALLBACK_SCSV 0x5600
/* Cipher Suite Values starting with 0xC000 are defined in informational
* RFCs.
*/
#define TLS_ECDH_ECDSA_WITH_NULL_SHA 0xC001
#define TLS_ECDH_ECDSA_WITH_RC4_128_SHA 0xC002
#define TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC003
#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0xC004
#define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 0xC005
#define TLS_ECDHE_ECDSA_WITH_NULL_SHA 0xC006
#define TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 0xC007
#define TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC008
#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC009
#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC00A
#define TLS_ECDH_RSA_WITH_NULL_SHA 0xC00B
#define TLS_ECDH_RSA_WITH_RC4_128_SHA 0xC00C
#define TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 0xC00D
#define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 0xC00E
#define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 0xC00F
#define TLS_ECDHE_RSA_WITH_NULL_SHA 0xC010
#define TLS_ECDHE_RSA_WITH_RC4_128_SHA 0xC011
#define TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xC012
#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC013
#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC014
#define TLS_ECDH_anon_WITH_NULL_SHA 0xC015
#define TLS_ECDH_anon_WITH_RC4_128_SHA 0xC016
#define TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA 0xC017
#define TLS_ECDH_anon_WITH_AES_128_CBC_SHA 0xC018
#define TLS_ECDH_anon_WITH_AES_256_CBC_SHA 0xC019
#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023
#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024
#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027
#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC028
#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B
#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C
#define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D
#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F
#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC030
#define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031
/* draft-ietf-tls-chacha20-poly1305-04 */
#define TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA8
#define TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA9
#define TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCAA
/* Special TLS 1.3 cipher suites that really just specify AEAD */
#define TLS_AES_128_GCM_SHA256 0x1301
#define TLS_AES_256_GCM_SHA384 0x1302
#define TLS_CHACHA20_POLY1305_SHA256 0x1303
/* PSK cipher suites. NSS doesn't actually support these, but we
* exposed them when TLS 1.3 used them so we need to keep them
* in the API. */
#define TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAC
#define TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAD
#define TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 0xD001
#define TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 0xD002
#define TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 0x00AA /* RFC 5487 */
#define TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 0x00AB /* RFC 5487 */
/* DTLS-SRTP cipher suites from RFC 5764 */
/* If you modify this, also modify MAX_DTLS_SRTP_CIPHER_SUITES in sslimpl.h */
#define SRTP_AES128_CM_HMAC_SHA1_80 0x0001
#define SRTP_AES128_CM_HMAC_SHA1_32 0x0002
#define SRTP_NULL_HMAC_SHA1_80 0x0005
#define SRTP_NULL_HMAC_SHA1_32 0x0006
/* DO NOT USE. (deprecated, will be removed) */
#define SSL_HL_ERROR_HBYTES 3
#define SSL_HL_CLIENT_HELLO_HBYTES 9
#define SSL_HL_CLIENT_MASTER_KEY_HBYTES 10
#define SSL_HL_CLIENT_FINISHED_HBYTES 1
#define SSL_HL_SERVER_HELLO_HBYTES 11
#define SSL_HL_SERVER_VERIFY_HBYTES 1
#define SSL_HL_SERVER_FINISHED_HBYTES 1
#define SSL_HL_REQUEST_CERTIFICATE_HBYTES 2
#define SSL_HL_CLIENT_CERTIFICATE_HBYTES 6
#define SSL_MT_ERROR 0
#define SSL_MT_CLIENT_HELLO 1
#define SSL_MT_CLIENT_MASTER_KEY 2
#define SSL_MT_CLIENT_FINISHED 3
#define SSL_MT_SERVER_HELLO 4
#define SSL_MT_SERVER_VERIFY 5
#define SSL_MT_SERVER_FINISHED 6
#define SSL_MT_REQUEST_CERTIFICATE 7
#define SSL_MT_CLIENT_CERTIFICATE 8
#define SSL_CK_RC4_128_WITH_MD5 0x01
#define SSL_CK_RC4_128_EXPORT40_WITH_MD5 0x02
#define SSL_CK_RC2_128_CBC_WITH_MD5 0x03
#define SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 0x04
#define SSL_CK_IDEA_128_CBC_WITH_MD5 0x05
#define SSL_CK_DES_64_CBC_WITH_MD5 0x06
#define SSL_CK_DES_192_EDE3_CBC_WITH_MD5 0x07
#define SSL_EN_RC4_128_WITH_MD5 0xFF01
#define SSL_EN_RC4_128_EXPORT40_WITH_MD5 0xFF02
#define SSL_EN_RC2_128_CBC_WITH_MD5 0xFF03
#define SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5 0xFF04
#define SSL_EN_IDEA_128_CBC_WITH_MD5 0xFF05
#define SSL_EN_DES_64_CBC_WITH_MD5 0xFF06
#define SSL_EN_DES_192_EDE3_CBC_WITH_MD5 0xFF07
#define TLS_RSA_EXPORT_WITH_RC4_40_MD5 0x0003
#define TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 0x0006
#define TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0008
#define TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x0062
#define TLS_RSA_EXPORT1024_WITH_RC4_56_SHA 0x0064
#define TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0014
#define TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA 0x000e
#define TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x0063
#define TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x0065
#define TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA 0x000b
#define TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA 0x0011
#define TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 0x0017
#define TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA 0x0019
#define SSL_FORTEZZA_DMS_WITH_NULL_SHA 0x001c
#define SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA 0x001d
#define SSL_FORTEZZA_DMS_WITH_RC4_128_SHA 0x001e
#define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA 0xffe0
#define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1
#define SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA 0xfeff
#define SSL_RSA_FIPS_WITH_DES_CBC_SHA 0xfefe
#define SSL_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_RC4_40_MD5
#define SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
#define SSL_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
#define SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
#define SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
#define SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
#define SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
#define SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
#define SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5 TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
/* clang-format on */
#endif /* __sslproto_h_ */


@@ -0,0 +1,415 @@
/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
/*
* This file contains prototypes for the public SSL functions.
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef __sslt_h_
#define __sslt_h_
#include "prtypes.h"
#include "secitem.h"
#include "certt.h"
typedef struct SSL3StatisticsStr {
/* statistics from ssl3_SendClientHello (sch) */
long sch_sid_cache_hits;
long sch_sid_cache_misses;
long sch_sid_cache_not_ok;
/* statistics from ssl3_HandleServerHello (hsh) */
long hsh_sid_cache_hits;
long hsh_sid_cache_misses;
long hsh_sid_cache_not_ok;
/* statistics from ssl3_HandleClientHello (hch) */
long hch_sid_cache_hits;
long hch_sid_cache_misses;
long hch_sid_cache_not_ok;
/* statistics related to stateless resume */
long sch_sid_stateless_resumes;
long hsh_sid_stateless_resumes;
long hch_sid_stateless_resumes;
long hch_sid_ticket_parse_failures;
} SSL3Statistics;
/* Key Exchange algorithm values */
typedef enum {
ssl_kea_null = 0,
ssl_kea_rsa = 1,
ssl_kea_dh = 2,
ssl_kea_fortezza = 3, /* deprecated, now unused */
ssl_kea_ecdh = 4,
ssl_kea_ecdh_psk = 5,
ssl_kea_dh_psk = 6,
ssl_kea_tls13_any = 7,
ssl_kea_size /* number of ssl_kea_ algorithms */
} SSLKEAType;
/* The following defines are for backwards compatibility.
** They will be removed in a forthcoming release to reduce namespace pollution.
** programs that use the kt_ symbols should convert to the ssl_kt_ symbols
** soon.
*/
#define kt_null ssl_kea_null
#define kt_rsa ssl_kea_rsa
#define kt_dh ssl_kea_dh
#define kt_fortezza ssl_kea_fortezza /* deprecated, now unused */
#define kt_ecdh ssl_kea_ecdh
#define kt_kea_size ssl_kea_size
/* Values of this enum match the SignatureAlgorithm enum from
* https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
typedef enum {
ssl_sign_null = 0, /* "anonymous" in TLS */
ssl_sign_rsa = 1,
ssl_sign_dsa = 2,
ssl_sign_ecdsa = 3
} SSLSignType;
/* Values of this enum match the HashAlgorithm enum from
* https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
typedef enum {
/* ssl_hash_none is used internally to mean the pre-1.2 combination of MD5
* and SHA1. The other values are only used in TLS 1.2. */
ssl_hash_none = 0,
ssl_hash_md5 = 1,
ssl_hash_sha1 = 2,
ssl_hash_sha224 = 3,
ssl_hash_sha256 = 4,
ssl_hash_sha384 = 5,
ssl_hash_sha512 = 6
} SSLHashType;
/* Deprecated */
typedef struct SSLSignatureAndHashAlgStr {
SSLHashType hashAlg;
SSLSignType sigAlg;
} SSLSignatureAndHashAlg;
typedef enum {
ssl_sig_none = 0,
ssl_sig_rsa_pkcs1_sha1 = 0x0201,
ssl_sig_rsa_pkcs1_sha256 = 0x0401,
ssl_sig_rsa_pkcs1_sha384 = 0x0501,
ssl_sig_rsa_pkcs1_sha512 = 0x0601,
/* For ECDSA, the pairing of the hash with a specific curve is only enforced
* in TLS 1.3; in TLS 1.2 any curve can be used with each of these. */
ssl_sig_ecdsa_secp256r1_sha256 = 0x0403,
ssl_sig_ecdsa_secp384r1_sha384 = 0x0503,
ssl_sig_ecdsa_secp521r1_sha512 = 0x0603,
ssl_sig_rsa_pss_sha256 = 0x0804,
ssl_sig_rsa_pss_sha384 = 0x0805,
ssl_sig_rsa_pss_sha512 = 0x0806,
ssl_sig_ed25519 = 0x0807,
ssl_sig_ed448 = 0x0808,
ssl_sig_dsa_sha1 = 0x0202,
ssl_sig_dsa_sha256 = 0x0402,
ssl_sig_dsa_sha384 = 0x0502,
ssl_sig_dsa_sha512 = 0x0602,
ssl_sig_ecdsa_sha1 = 0x0203,
/* The following value (which can't be used in the protocol), represents
* the RSA signature using SHA-1 and MD5 that is used in TLS 1.0 and 1.1.
* This is reported as a signature scheme when TLS 1.0 or 1.1 is used.
* This should not be passed to SSL_SignatureSchemePrefSet(); this
* signature scheme is always used and cannot be disabled. */
ssl_sig_rsa_pkcs1_sha1md5 = 0x10101,
} SSLSignatureScheme;
/*
** SSLAuthType describes the type of key that is used to authenticate a
** connection. That is, the type of key in the end-entity certificate.
*/
typedef enum {
ssl_auth_null = 0,
ssl_auth_rsa_decrypt = 1, /* static RSA */
ssl_auth_dsa = 2,
ssl_auth_kea = 3, /* unused */
ssl_auth_ecdsa = 4,
ssl_auth_ecdh_rsa = 5, /* ECDH cert with an RSA signature */
ssl_auth_ecdh_ecdsa = 6, /* ECDH cert with an ECDSA signature */
ssl_auth_rsa_sign = 7, /* RSA PKCS#1.5 signing */
ssl_auth_rsa_pss = 8,
ssl_auth_psk = 9,
ssl_auth_tls13_any = 10,
ssl_auth_size /* number of authentication types */
} SSLAuthType;
/* This is defined for backward compatibility reasons */
#define ssl_auth_rsa ssl_auth_rsa_decrypt
typedef enum {
ssl_calg_null = 0,
ssl_calg_rc4 = 1,
ssl_calg_rc2 = 2,
ssl_calg_des = 3,
ssl_calg_3des = 4,
ssl_calg_idea = 5,
ssl_calg_fortezza = 6, /* deprecated, now unused */
ssl_calg_aes = 7,
ssl_calg_camellia = 8,
ssl_calg_seed = 9,
ssl_calg_aes_gcm = 10,
ssl_calg_chacha20 = 11
} SSLCipherAlgorithm;
typedef enum {
ssl_mac_null = 0,
ssl_mac_md5 = 1,
ssl_mac_sha = 2,
ssl_hmac_md5 = 3, /* TLS HMAC version of mac_md5 */
ssl_hmac_sha = 4, /* TLS HMAC version of mac_sha */
ssl_hmac_sha256 = 5,
ssl_mac_aead = 6,
ssl_hmac_sha384 = 7
} SSLMACAlgorithm;
typedef enum {
ssl_compression_null = 0,
ssl_compression_deflate = 1 /* RFC 3749 */
} SSLCompressionMethod;
typedef enum {
ssl_grp_ec_sect163k1 = 1,
ssl_grp_ec_sect163r1 = 2,
ssl_grp_ec_sect163r2 = 3,
ssl_grp_ec_sect193r1 = 4,
ssl_grp_ec_sect193r2 = 5,
ssl_grp_ec_sect233k1 = 6,
ssl_grp_ec_sect233r1 = 7,
ssl_grp_ec_sect239k1 = 8,
ssl_grp_ec_sect283k1 = 9,
ssl_grp_ec_sect283r1 = 10,
ssl_grp_ec_sect409k1 = 11,
ssl_grp_ec_sect409r1 = 12,
ssl_grp_ec_sect571k1 = 13,
ssl_grp_ec_sect571r1 = 14,
ssl_grp_ec_secp160k1 = 15,
ssl_grp_ec_secp160r1 = 16,
ssl_grp_ec_secp160r2 = 17,
ssl_grp_ec_secp192k1 = 18,
ssl_grp_ec_secp192r1 = 19,
ssl_grp_ec_secp224k1 = 20,
ssl_grp_ec_secp224r1 = 21,
ssl_grp_ec_secp256k1 = 22,
ssl_grp_ec_secp256r1 = 23,
ssl_grp_ec_secp384r1 = 24,
ssl_grp_ec_secp521r1 = 25,
ssl_grp_ec_curve25519 = 29, /* RFC4492 */
ssl_grp_ffdhe_2048 = 256, /* RFC7919 */
ssl_grp_ffdhe_3072 = 257,
ssl_grp_ffdhe_4096 = 258,
ssl_grp_ffdhe_6144 = 259,
ssl_grp_ffdhe_8192 = 260,
ssl_grp_none = 65537, /* special value */
ssl_grp_ffdhe_custom = 65538 /* special value */
} SSLNamedGroup;
typedef struct SSLExtraServerCertDataStr {
/* When this struct is passed to SSL_ConfigServerCert, and authType is set
* to a value other than ssl_auth_null, this limits the use of the key to
* the type defined; otherwise, the certificate is configured for all
* compatible types. */
SSLAuthType authType;
/* The remainder of the certificate chain. */
const CERTCertificateList* certChain;
/* A set of one or more stapled OCSP responses for the certificate. This is
* used to generate the OCSP stapling answer provided by the server. */
const SECItemArray* stapledOCSPResponses;
/* A serialized sign_certificate_timestamp extension, used to answer
* requests from clients for this data. */
const SECItem* signedCertTimestamps;
} SSLExtraServerCertData;
typedef struct SSLChannelInfoStr {
/* On return, SSL_GetChannelInfo sets |length| to the smaller of
* the |len| argument and the length of the struct used by NSS.
* Callers must ensure the application uses a version of NSS that
* isn't older than the version used at compile time. */
PRUint32 length;
PRUint16 protocolVersion;
PRUint16 cipherSuite;
/* server authentication info */
PRUint32 authKeyBits;
/* key exchange algorithm info */
PRUint32 keaKeyBits;
/* session info */
PRUint32 creationTime; /* seconds since Jan 1, 1970 */
PRUint32 lastAccessTime; /* seconds since Jan 1, 1970 */
PRUint32 expirationTime; /* seconds since Jan 1, 1970 */
PRUint32 sessionIDLength; /* up to 32 */
PRUint8 sessionID[32];
/* The following fields are added in NSS 3.12.5. */
/* compression method info */
const char* compressionMethodName;
SSLCompressionMethod compressionMethod;
/* The following fields are added in NSS 3.21.
* This field only has meaning in TLS < 1.3 and will be set to
* PR_FALSE in TLS 1.3.
*/
PRBool extendedMasterSecretUsed;
/* The following fields were added in NSS 3.25.
* This field only has meaning in TLS >= 1.3, and indicates on the
* client side that the server accepted early (0-RTT) data.
*/
PRBool earlyDataAccepted;
/* The following fields were added in NSS 3.28. */
/* These fields have the same meaning as in SSLCipherSuiteInfo. */
SSLKEAType keaType;
SSLNamedGroup keaGroup;
SSLCipherAlgorithm symCipher;
SSLMACAlgorithm macAlgorithm;
SSLAuthType authType;
SSLSignatureScheme signatureScheme;
/* When adding new fields to this structure, please document the
* NSS version in which they were added. */
} SSLChannelInfo;
/* Preliminary channel info */
#define ssl_preinfo_version (1U << 0)
#define ssl_preinfo_cipher_suite (1U << 1)
#define ssl_preinfo_all (ssl_preinfo_version | ssl_preinfo_cipher_suite)
typedef struct SSLPreliminaryChannelInfoStr {
/* On return, SSL_GetPreliminaryChannelInfo sets |length| to the smaller of
* the |len| argument and the length of the struct used by NSS.
* Callers must ensure the application uses a version of NSS that
* isn't older than the version used at compile time. */
PRUint32 length;
/* A bitfield over SSLPreliminaryValueSet that describes which
* preliminary values are set (see ssl_preinfo_*). */
PRUint32 valuesSet;
/* Protocol version: test (valuesSet & ssl_preinfo_version) */
PRUint16 protocolVersion;
/* Cipher suite: test (valuesSet & ssl_preinfo_cipher_suite) */
PRUint16 cipherSuite;
/* When adding new fields to this structure, please document the
* NSS version in which they were added. */
} SSLPreliminaryChannelInfo;
typedef struct SSLCipherSuiteInfoStr {
/* On return, SSL_GetCipherSuitelInfo sets |length| to the smaller of
* the |len| argument and the length of the struct used by NSS.
* Callers must ensure the application uses a version of NSS that
* isn't older than the version used at compile time. */
PRUint16 length;
PRUint16 cipherSuite;
/* Cipher Suite Name */
const char* cipherSuiteName;
/* server authentication info */
const char* authAlgorithmName;
SSLAuthType authAlgorithm; /* deprecated, use |authType| */
/* key exchange algorithm info */
const char* keaTypeName;
SSLKEAType keaType;
/* symmetric encryption info */
const char* symCipherName;
SSLCipherAlgorithm symCipher;
PRUint16 symKeyBits;
PRUint16 symKeySpace;
PRUint16 effectiveKeyBits;
/* MAC info */
/* AEAD ciphers don't have a MAC. For an AEAD cipher, macAlgorithmName
* is "AEAD", macAlgorithm is ssl_mac_aead, and macBits is the length in
* bits of the authentication tag. */
const char* macAlgorithmName;
SSLMACAlgorithm macAlgorithm;
PRUint16 macBits;
PRUintn isFIPS : 1;
PRUintn isExportable : 1; /* deprecated, don't use */
PRUintn nonStandard : 1;
PRUintn reservedBits : 29;
/* The following fields were added in NSS 3.24. */
/* This reports the correct authentication type for the cipher suite, use
* this instead of |authAlgorithm|. */
SSLAuthType authType;
/* When adding new fields to this structure, please document the
* NSS version in which they were added. */
} SSLCipherSuiteInfo;
typedef enum {
ssl_variant_stream = 0,
ssl_variant_datagram = 1
} SSLProtocolVariant;
typedef struct SSLVersionRangeStr {
PRUint16 min;
PRUint16 max;
} SSLVersionRange;
typedef enum {
SSL_sni_host_name = 0,
SSL_sni_type_total
} SSLSniNameType;
/* Supported extensions. */
/* Update SSL_MAX_EXTENSIONS whenever a new extension type is added. */
typedef enum {
ssl_server_name_xtn = 0,
ssl_cert_status_xtn = 5,
ssl_supported_groups_xtn = 10,
ssl_ec_point_formats_xtn = 11,
ssl_signature_algorithms_xtn = 13,
ssl_use_srtp_xtn = 14,
ssl_app_layer_protocol_xtn = 16,
/* signed_certificate_timestamp extension, RFC 6962 */
ssl_signed_cert_timestamp_xtn = 18,
ssl_padding_xtn = 21,
ssl_extended_master_secret_xtn = 23,
ssl_session_ticket_xtn = 35,
ssl_tls13_key_share_xtn = 40,
ssl_tls13_pre_shared_key_xtn = 41,
ssl_tls13_early_data_xtn = 42,
ssl_tls13_supported_versions_xtn = 43,
ssl_tls13_cookie_xtn = 44,
ssl_tls13_psk_key_exchange_modes_xtn = 45,
ssl_tls13_ticket_early_data_info_xtn = 46,
ssl_next_proto_nego_xtn = 13172,
ssl_renegotiation_info_xtn = 0xff01,
ssl_tls13_short_header_xtn = 0xff03
} SSLExtensionType;
/* This is the old name for the supported_groups extensions. */
#define ssl_elliptic_curves_xtn ssl_supported_groups_xtn
/* SSL_MAX_EXTENSIONS doesn't include ssl_padding_xtn. It includes the maximum
* number of extensions that are supported for any single message type. That
* is, a ClientHello; ServerHello and TLS 1.3 NewSessionTicket and
* HelloRetryRequest extensions are smaller. */
#define SSL_MAX_EXTENSIONS 19
/* Deprecated */
typedef enum {
ssl_dhe_group_none = 0,
ssl_ff_dhe_2048_group = 1,
ssl_ff_dhe_3072_group = 2,
ssl_ff_dhe_4096_group = 3,
ssl_ff_dhe_6144_group = 4,
ssl_ff_dhe_8192_group = 5,
ssl_dhe_group_max
} SSLDHEGroupType;
#endif /* __sslt_h_ */


@@ -0,0 +1,43 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _UTILMODT_H_
#define _UTILMODT_H_ 1
/*
* these are SECMOD flags that would normally be in secmodt.h, but are needed
* for the parser in util. Fort this reason we preserve the SECMOD names.
*/
#define SECMOD_RSA_FLAG 0x00000001L
#define SECMOD_DSA_FLAG 0x00000002L
#define SECMOD_RC2_FLAG 0x00000004L
#define SECMOD_RC4_FLAG 0x00000008L
#define SECMOD_DES_FLAG 0x00000010L
#define SECMOD_DH_FLAG 0x00000020L
#define SECMOD_FORTEZZA_FLAG 0x00000040L
#define SECMOD_RC5_FLAG 0x00000080L
#define SECMOD_SHA1_FLAG 0x00000100L
#define SECMOD_MD5_FLAG 0x00000200L
#define SECMOD_MD2_FLAG 0x00000400L
#define SECMOD_SSL_FLAG 0x00000800L
#define SECMOD_TLS_FLAG 0x00001000L
#define SECMOD_AES_FLAG 0x00002000L
#define SECMOD_SHA256_FLAG 0x00004000L /* also for SHA224 */
#define SECMOD_SHA512_FLAG 0x00008000L /* also for SHA384 */
#define SECMOD_CAMELLIA_FLAG 0x00010000L /* = PUBLIC_MECH_CAMELLIA_FLAG */
#define SECMOD_SEED_FLAG 0x00020000L
#define SECMOD_ECC_FLAG 0x00040000L
/* reserved bit for future, do not use */
#define SECMOD_RESERVED_FLAG 0X08000000L
#define SECMOD_FRIENDLY_FLAG 0x10000000L
#define SECMOD_RANDOM_FLAG 0x80000000L
#define PK11_OWN_PW_DEFAULTS 0x20000000L
#define PK11_DISABLE_FLAG 0x40000000L
/* need to make SECMOD and PK11 prefixes consistent. */
#define SECMOD_OWN_PW_DEFAULTS PK11_OWN_PW_DEFAULTS
#define SECMOD_DISABLE_FLAG PK11_DISABLE_FLAG
#endif /* _UTILMODT_H_ */


@@ -0,0 +1,63 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _UTILPARS_H_
#define _UTILPARS_H_ 1
#include "utilparst.h"
#include "plarena.h"
/* handle a module db request */
char **NSSUTIL_DoModuleDBFunction(unsigned long function, char *parameters, void *args);
/* parsing functions */
char *NSSUTIL_ArgFetchValue(const char *string, int *pcount);
const char *NSSUTIL_ArgStrip(const char *c);
char *NSSUTIL_ArgGetParamValue(const char *paramName, const char *parameters);
const char *NSSUTIL_ArgSkipParameter(const char *string);
char *NSSUTIL_ArgGetLabel(const char *inString, int *next);
long NSSUTIL_ArgDecodeNumber(const char *num);
PRBool NSSUTIL_ArgIsBlank(char c);
PRBool NSSUTIL_ArgHasFlag(const char *label, const char *flag,
const char *parameters);
long NSSUTIL_ArgReadLong(const char *label, const char *params, long defValue,
PRBool *isdefault);
/* quoting functions */
int NSSUTIL_EscapeSize(const char *string, char quote);
char *NSSUTIL_Escape(const char *string, char quote);
int NSSUTIL_QuoteSize(const char *string, char quote);
char *NSSUTIL_Quote(const char *string, char quote);
int NSSUTIL_DoubleEscapeSize(const char *string, char quote1, char quote2);
char *NSSUTIL_DoubleEscape(const char *string, char quote1, char quote2);
unsigned long NSSUTIL_ArgParseSlotFlags(const char *label, const char *params);
struct NSSUTILPreSlotInfoStr *NSSUTIL_ArgParseSlotInfo(PLArenaPool *arena,
const char *slotParams, int *retCount);
char *NSSUTIL_MkSlotString(unsigned long slotID, unsigned long defaultFlags,
unsigned long timeout, unsigned char askpw_in,
PRBool hasRootCerts, PRBool hasRootTrust);
SECStatus NSSUTIL_ArgParseModuleSpec(const char *modulespec, char **lib,
char **mod, char **parameters, char **nss);
SECStatus NSSUTIL_ArgParseModuleSpecEx(const char *modulespec, char **lib,
char **mod, char **parameters, char **nss, char **config);
char *NSSUTIL_MkModuleSpec(char *dllName, char *commonName,
char *parameters, char *NSS);
char *NSSUTIL_MkModuleSpecEx(char *dllName, char *commonName,
char *parameters, char *NSS, char *config);
void NSSUTIL_ArgParseCipherFlags(unsigned long *newCiphers,
const char *cipherList);
char *NSSUTIL_MkNSSString(char **slotStrings, int slotCount, PRBool internal,
PRBool isFIPS, PRBool isModuleDB, PRBool isModuleDBOnly,
PRBool isCritical, unsigned long trustOrder,
unsigned long cipherOrder, unsigned long ssl0, unsigned long ssl1);
/*
* private functions for softoken.
*/
char *_NSSUTIL_GetSecmodName(const char *param, NSSDBType *dbType,
char **appName, char **filename, PRBool *rw);
const char *_NSSUTIL_EvaluateConfigDir(const char *configdir, NSSDBType *dbType, char **app);
#endif /* _UTILPARS_H_ */


@@ -0,0 +1,78 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef UTILPARS_T_H
#define UTILPARS_T_H 1
#include "pkcs11t.h"
/*
* macros to handle parsing strings of blank sparated arguments.
* Several NSSUTIL_HANDLE_STRING() macros should be places one after another with no intervening
* code. The first ones have precedence over the later ones. The last Macro should be
* NSSUTIL_HANDLE_FINAL_ARG.
*
* param is the input parameters. On exit param will point to the next parameter to parse. If the
* last paramter has been returned, param points to a null byte (*param = '0');
* target is the location to store any data aquired from the parameter. Caller is responsible to free this data.
* value is the string value of the parameter.
* command is any commands you need to run to help process the parameter's data.
*/
#define NSSUTIL_HANDLE_STRING_ARG(param, target, value, command) \
if (PORT_Strncasecmp(param, value, sizeof(value) - 1) == 0) { \
param += sizeof(value) - 1; \
if (target) \
PORT_Free(target); \
target = NSSUTIL_ArgFetchValue(param, &next); \
param += next; \
command; \
} else
#define NSSUTIL_HANDLE_FINAL_ARG(param) \
{ \
param = NSSUTIL_ArgSkipParameter(param); \
} \
param = NSSUTIL_ArgStrip(param);
#define NSSUTIL_PATH_SEPARATOR "/"
/* default module configuration strings */
#define NSSUTIL_DEFAULT_INTERNAL_INIT1 \
"library= name=\"NSS Internal PKCS #11 Module\" parameters="
#define NSSUTIL_DEFAULT_INTERNAL_INIT2 \
" NSS=\"Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={"
#define NSSUTIL_DEFAULT_INTERNAL_INIT3 \
" askpw=any timeout=30})\""
#define NSSUTIL_DEFAULT_SFTKN_FLAGS \
"slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]"
#define NSSUTIL_DEFAULT_CIPHER_ORDER 0
#define NSSUTIL_DEFAULT_TRUST_ORDER 50
#define NSSUTIL_ARG_ESCAPE '\\'
/* hold slot default flags until we initialize a slot. This structure is only
* useful between the time we define a module (either by hand or from the
* database) and the time the module is loaded. Not reference counted */
struct NSSUTILPreSlotInfoStr {
CK_SLOT_ID slotID; /* slot these flags are for */
unsigned long defaultFlags; /* bit mask of default implementation this slot
* provides */
int askpw; /* slot specific password bits */
long timeout; /* slot specific timeout value */
char hasRootCerts; /* is this the root cert PKCS #11 module? */
char hasRootTrust; /* is this the root cert PKCS #11 module? */
int reserved0[2];
void *reserved1[2];
};
/*
* private functions for softoken.
*/
typedef enum {
NSS_DB_TYPE_NONE = 0,
NSS_DB_TYPE_SQL,
NSS_DB_TYPE_EXTERN,
NSS_DB_TYPE_LEGACY,
NSS_DB_TYPE_MULTIACCESS
} NSSDBType;
#endif /* UTILPARS_T_H */
