Mercurial > illumos > illumos-gate
view usr/src/lib/libkmf/include/kmftypes.h @ 3692:b717db492822
6525220 KMF_ValidateCert() and KMF_FindCertInCRL() should take a subject certificate as input
| author | hylee |
|---|---|
| date | Wed, 21 Feb 2007 15:26:17 -0800 |
| parents | 2971a4d3cf72 |
| children | 79eeec53e95c |
line wrap: on
line source
/* * Copyright (c) 1995-2000 Intel Corporation. All rights reserved. */ /* * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #ifndef _KMFTYPES_H #define _KMFTYPES_H #pragma ident "%Z%%M% %I% %E% SMI" #include <sys/types.h> #include <stdlib.h> #include <strings.h> #include <pthread.h> #include <security/cryptoki.h> #ifdef __cplusplus extern "C" { #endif typedef uint32_t KMF_BOOL; #define KMF_FALSE (0) #define KMF_TRUE (1) /* KMF_HANDLE_T is a pointer to an incomplete C struct for type safety. */ typedef struct _kmf_handle *KMF_HANDLE_T; /* * KMF_DATA * The KMF_DATA structure is used to associate a length, in bytes, with * an arbitrary block of contiguous memory. */ typedef struct kmf_data { size_t Length; /* in bytes */ uchar_t *Data; } KMF_DATA; typedef struct { uchar_t *val; size_t len; } KMF_BIGINT; /* * KMF_OID * The object identifier (OID) structure is used to hold a unique identifier for * the atomic data fields and the compound substructure that comprise the fields * of a certificate or CRL. */ typedef KMF_DATA KMF_OID; typedef struct kmf_x509_private { int keystore_type; int flags; /* see below */ char *label; #define KMF_FLAG_CERT_VALID 1 /* contains valid certificate */ #define KMF_FLAG_CERT_SIGNED 2 /* this is a signed certificate */ } KMF_X509_PRIVATE, KMF_X509_PRIVATE_PTR; /* * KMF_X509_DER_CERT * This structure associates packed DER certificate data. * Also, it contains the private information internal used * by KMF layer. */ typedef struct { KMF_DATA certificate; KMF_X509_PRIVATE kmf_private; } KMF_X509_DER_CERT; typedef enum { KMF_KEYSTORE_NSS = 1, KMF_KEYSTORE_OPENSSL = 2, KMF_KEYSTORE_PK11TOKEN = 3, KMF_KEYSTORE_DEFAULT /* based on configuration */ } KMF_KEYSTORE_TYPE; #define VALID_KEYSTORE_TYPE(t) ((t >= KMF_KEYSTORE_NSS) &&\ (t <= KMF_KEYSTORE_PK11TOKEN)) typedef enum { KMF_FORMAT_UNDEF = 0, KMF_FORMAT_ASN1 = 1, /* DER */ KMF_FORMAT_PEM = 2, KMF_FORMAT_PKCS12 = 3, KMF_FORMAT_RAWKEY = 4, /* For FindKey operation */ KMF_FORMAT_PEM_KEYPAIR = 5 } KMF_ENCODE_FORMAT; #define KMF_FORMAT_NATIVE KMF_FORMAT_UNDEF typedef enum { KMF_ALL_CERTS = 0, KMF_NONEXPIRED_CERTS = 1, KMF_EXPIRED_CERTS = 2 } KMF_CERT_VALIDITY; typedef enum { KMF_KU_SIGN_CERT = 0, KMF_KU_SIGN_DATA = 1, KMF_KU_ENCRYPT_DATA = 2 } KMF_KU_PURPOSE; /* Keystore Configuration */ typedef struct { char *configdir; char *certPrefix; char *keyPrefix; char *secModName; } KMF_NSS_CONFIG; typedef struct { char *label; boolean_t readonly; } KMF_PKCS11_CONFIG; typedef struct { KMF_KEYSTORE_TYPE kstype; union { KMF_NSS_CONFIG nss_conf; KMF_PKCS11_CONFIG pkcs11_conf; } ks_config_u; } KMF_CONFIG_PARAMS; #define nssconfig ks_config_u.nss_conf #define pkcs11config ks_config_u.pkcs11_conf /* * Generic credential structure used by other structures below * to convey authentication information to the underlying * mechanisms. */ typedef struct { char *cred; uint32_t credlen; } KMF_CREDENTIAL; typedef struct { char *trustflag; char *slotlabel; /* "internal" by default */ int issuerId; int subjectId; char *crlfile; /* for ImportCRL */ boolean_t crl_check; /* for ImportCRL */ /* * The following 2 variables are for FindCertInCRL. The caller can * either specify certLabel or provide the entire certificate in * DER format as input. */ char *certLabel; /* for FindCertInCRL */ KMF_DATA *certificate; /* for FindCertInCRL */ /* * crl_subjName and crl_issuerName are used as the CRL deletion * criteria. One should be non-NULL and the other one should be NULL. * If crl_subjName is not NULL, then delete CRL by the subject name. * Othewise, delete by the issuer name. */ char *crl_subjName; char *crl_issuerName; } KMF_NSS_PARAMS; typedef struct { char *dirpath; char *certfile; char *crlfile; char *keyfile; char *outcrlfile; boolean_t crl_check; /* CRL import check; default is true */ KMF_ENCODE_FORMAT format; /* output file format */ } KMF_OPENSSL_PARAMS; typedef struct { boolean_t private; /* for finding CKA_PRIVATE objects */ boolean_t sensitive; boolean_t not_extractable; boolean_t token; /* true == token object, false == session */ } KMF_PKCS11_PARAMS; typedef struct { KMF_KEYSTORE_TYPE kstype; char *certLabel; char *issuer; char *subject; char *idstr; KMF_BIGINT *serial; KMF_CERT_VALIDITY find_cert_validity; union { KMF_NSS_PARAMS nss_opts; KMF_OPENSSL_PARAMS openssl_opts; KMF_PKCS11_PARAMS pkcs11_opts; } ks_opt_u; } KMF_FINDCERT_PARAMS, KMF_DELETECERT_PARAMS; typedef struct { KMF_KEYSTORE_TYPE kstype; KMF_DATA *certificate; KMF_DATA *ocsp_response; union { KMF_NSS_PARAMS nss_opts; KMF_OPENSSL_PARAMS openssl_opts; KMF_PKCS11_PARAMS pkcs11_opts; } ks_opt_u; } KMF_VALIDATECERT_PARAMS; typedef enum { KMF_KEYALG_NONE = 0, KMF_RSA = 1, KMF_DSA = 2, KMF_AES = 3, KMF_RC4 = 4, KMF_DES = 5, KMF_DES3 = 6 }KMF_KEY_ALG; typedef enum { KMF_KEYCLASS_NONE = 0, KMF_ASYM_PUB = 1, /* public key of an asymmetric keypair */ KMF_ASYM_PRI = 2, /* private key of an asymmetric keypair */ KMF_SYMMETRIC = 3 /* symmetric key */ }KMF_KEY_CLASS; typedef struct { KMF_KEYSTORE_TYPE kstype; KMF_CREDENTIAL cred; KMF_KEY_CLASS keyclass; KMF_KEY_ALG keytype; KMF_ENCODE_FORMAT format; /* for key */ char *findLabel; char *idstr; union { KMF_NSS_PARAMS nss_opts; KMF_OPENSSL_PARAMS openssl_opts; KMF_PKCS11_PARAMS pkcs11_opts; } ks_opt_u; } KMF_FINDKEY_PARAMS; typedef struct { KMF_KEYSTORE_TYPE kstype; /* all */ char *certLabel; union { KMF_NSS_PARAMS nss_opts; KMF_OPENSSL_PARAMS openssl_opts; } ks_opt_u; } KMF_STORECERT_PARAMS; typedef struct { KMF_KEYSTORE_TYPE kstype; KMF_CREDENTIAL cred; KMF_DATA *certificate; char *label; union { KMF_NSS_PARAMS nss_opts; KMF_OPENSSL_PARAMS openssl_opts; } ks_opt_u; } KMF_STOREKEY_PARAMS; typedef struct { KMF_KEYSTORE_TYPE kstype; KMF_CREDENTIAL cred; union { KMF_NSS_PARAMS nss_opts; } ks_opt_u; } KMF_DELETEKEY_PARAMS; typedef struct { KMF_KEYSTORE_TYPE kstype; char *certfile; char *certLabel; union { KMF_NSS_PARAMS nss_opts; } ks_opt_u; } KMF_IMPORTCERT_PARAMS; typedef enum { KMF_CERT = 0, KMF_CSR = 1, KMF_CRL = 2 }KMF_OBJECT_TYPE; typedef struct { KMF_KEYSTORE_TYPE kstype; KMF_KEY_ALG keytype; uint32_t keylength; char *keylabel; KMF_CREDENTIAL cred; KMF_BIGINT rsa_exponent; union { KMF_NSS_PARAMS nss_opts; KMF_OPENSSL_PARAMS openssl_opts; }ks_opt_u; } KMF_CREATEKEYPAIR_PARAMS; typedef struct { KMF_KEYSTORE_TYPE kstype; union { KMF_NSS_PARAMS nss_opts; KMF_OPENSSL_PARAMS openssl_opts; } ks_opt_u; } KMF_IMPORTCRL_PARAMS; typedef struct { KMF_KEYSTORE_TYPE kstype; union { KMF_NSS_PARAMS nss_opts; KMF_OPENSSL_PARAMS openssl_opts; } ks_opt_u; } KMF_DELETECRL_PARAMS; typedef struct { KMF_KEYSTORE_TYPE kstype; union { KMF_NSS_PARAMS nss_opts; KMF_OPENSSL_PARAMS openssl_opts; } ks_opt_u; } KMF_LISTCRL_PARAMS; typedef struct { KMF_KEYSTORE_TYPE kstype; union { KMF_NSS_PARAMS nss_opts; } ks_opt_u; } KMF_FINDCRL_PARAMS; typedef struct { KMF_KEYSTORE_TYPE kstype; union { KMF_NSS_PARAMS nss_opts; KMF_OPENSSL_PARAMS openssl_opts; } ks_opt_u; } KMF_FINDCERTINCRL_PARAMS; typedef struct { char *crl_name; KMF_DATA *tacert; } KMF_VERIFYCRL_PARAMS; typedef struct { KMF_KEYSTORE_TYPE kstype; KMF_CREDENTIAL cred; KMF_ENCODE_FORMAT format; /* for key */ char *certLabel; union { KMF_NSS_PARAMS nss_opts; KMF_OPENSSL_PARAMS openssl_opts; }ks_opt_u; } KMF_CRYPTOWITHCERT_PARAMS; typedef struct { char *crl_name; } KMF_CHECKCRLDATE_PARAMS; typedef struct { CK_SLOT_ID slot; } pk11_setpin_opts; typedef struct { KMF_KEYSTORE_TYPE kstype; char *tokenname; KMF_CREDENTIAL cred; /* current token PIN */ union { KMF_NSS_PARAMS nss_opts; pk11_setpin_opts pkcs11_opts; }ks_opt_u; } KMF_SETPIN_PARAMS; typedef struct { KMF_BIGINT mod; KMF_BIGINT pubexp; KMF_BIGINT priexp; KMF_BIGINT prime1; KMF_BIGINT prime2; KMF_BIGINT exp1; KMF_BIGINT exp2; KMF_BIGINT coef; } KMF_RAW_RSA_KEY; typedef struct { KMF_BIGINT prime; KMF_BIGINT subprime; KMF_BIGINT base; KMF_BIGINT value; } KMF_RAW_DSA_KEY; typedef struct { KMF_BIGINT keydata; } KMF_RAW_SYM_KEY; typedef struct { KMF_KEY_ALG keytype; union { KMF_RAW_RSA_KEY rsa; KMF_RAW_DSA_KEY dsa; KMF_RAW_SYM_KEY sym; }rawdata; } KMF_RAW_KEY_DATA; typedef struct { KMF_KEYSTORE_TYPE kstype; char *certLabel; char *issuer; char *subject; char *idstr; KMF_BIGINT *serial; KMF_CREDENTIAL cred; /* cred for accessing the token */ KMF_CREDENTIAL p12cred; /* cred used for securing the file */ union { KMF_NSS_PARAMS nss_opts; KMF_OPENSSL_PARAMS openssl_opts; }ks_opt_u; } KMF_EXPORTP12_PARAMS; typedef struct { KMF_KEYSTORE_TYPE kstype; KMF_KEY_ALG keytype; uint32_t keylength; char *keylabel; KMF_CREDENTIAL cred; union { KMF_NSS_PARAMS nss_opts; KMF_OPENSSL_PARAMS openssl_opts; KMF_PKCS11_PARAMS pkcs11_opts; }ks_opt_u; } KMF_CREATESYMKEY_PARAMS; /* Data structures for OCSP support */ typedef struct { KMF_DATA *issuer_cert; KMF_DATA *user_cert; } KMF_OCSPREQUEST_PARAMS; typedef struct { KMF_DATA *response; KMF_DATA *issuer_cert; KMF_DATA *user_cert; KMF_DATA *signer_cert; /* can be NULL */ boolean_t ignore_response_sign; /* default is FALSE */ uint32_t response_lifetime; /* in seconds */ } KMF_OCSPRESPONSE_PARAMS_INPUT; typedef enum { OCSP_GOOD = 0, OCSP_REVOKED = 1, OCSP_UNKNOWN = 2 } KMF_OCSP_CERT_STATUS; typedef struct { int response_status; int reason; /* if revoked */ KMF_OCSP_CERT_STATUS cert_status; } KMF_OCSPRESPONSE_PARAMS_OUTPUT; #define nssparms ks_opt_u.nss_opts #define sslparms ks_opt_u.openssl_opts #define pkcs11parms ks_opt_u.pkcs11_opts typedef struct { KMF_KEYSTORE_TYPE kstype; KMF_KEY_ALG keyalg; KMF_KEY_CLASS keyclass; boolean_t israw; char *keylabel; void *keyp; } KMF_KEY_HANDLE; typedef struct { KMF_KEYSTORE_TYPE kstype; uint32_t errcode; } KMF_ERROR; /* * Typenames to use with subjectAltName */ typedef enum { GENNAME_OTHERNAME = 0x00, GENNAME_RFC822NAME, GENNAME_DNSNAME, GENNAME_X400ADDRESS, GENNAME_DIRECTORYNAME, GENNAME_EDIPARTYNAME, GENNAME_URI, GENNAME_IPADDRESS, GENNAME_REGISTEREDID } KMF_GENERALNAMECHOICES; /* * KMF_FIELD * This structure contains the OID/value pair for any item that can be * identified by an OID. */ typedef struct { KMF_OID FieldOid; KMF_DATA FieldValue; } KMF_FIELD; typedef enum { KMF_OK = 0x00, KMF_ERR_BAD_PARAMETER = 0x01, KMF_ERR_BAD_KEY_FORMAT = 0x02, KMF_ERR_BAD_ALGORITHM = 0x03, KMF_ERR_MEMORY = 0x04, KMF_ERR_ENCODING = 0x05, KMF_ERR_PLUGIN_INIT = 0x06, KMF_ERR_PLUGIN_NOTFOUND = 0x07, KMF_ERR_INTERNAL = 0x0b, KMF_ERR_BAD_CERT_FORMAT = 0x0c, KMF_ERR_KEYGEN_FAILED = 0x0d, KMF_ERR_UNINITIALIZED = 0x10, KMF_ERR_ISSUER = 0x11, KMF_ERR_NOT_REVOKED = 0x12, KMF_ERR_CERT_NOT_FOUND = 0x13, KMF_ERR_CRL_NOT_FOUND = 0x14, KMF_ERR_RDN_PARSER = 0x15, KMF_ERR_RDN_ATTR = 0x16, KMF_ERR_SLOTNAME = 0x17, KMF_ERR_EMPTY_CRL = 0x18, KMF_ERR_BUFFER_SIZE = 0x19, KMF_ERR_AUTH_FAILED = 0x1a, KMF_ERR_TOKEN_SELECTED = 0x1b, KMF_ERR_NO_TOKEN_SELECTED = 0x1c, KMF_ERR_TOKEN_NOT_PRESENT = 0x1d, KMF_ERR_EXTENSION_NOT_FOUND = 0x1e, KMF_ERR_POLICY_ENGINE = 0x1f, KMF_ERR_POLICY_DB_FORMAT = 0x20, KMF_ERR_POLICY_NOT_FOUND = 0x21, KMF_ERR_POLICY_DB_FILE = 0x22, KMF_ERR_POLICY_NAME = 0x23, KMF_ERR_OCSP_POLICY = 0x24, KMF_ERR_TA_POLICY = 0x25, KMF_ERR_KEY_NOT_FOUND = 0x26, KMF_ERR_OPEN_FILE = 0x27, KMF_ERR_OCSP_BAD_ISSUER = 0x28, KMF_ERR_OCSP_BAD_CERT = 0x29, KMF_ERR_OCSP_CREATE_REQUEST = 0x2a, KMF_ERR_CONNECT_SERVER = 0x2b, KMF_ERR_SEND_REQUEST = 0x2c, KMF_ERR_OCSP_CERTID = 0x2d, KMF_ERR_OCSP_MALFORMED_RESPONSE = 0x2e, KMF_ERR_OCSP_RESPONSE_STATUS = 0x2f, KMF_ERR_OCSP_NO_BASIC_RESPONSE = 0x30, KMF_ERR_OCSP_BAD_SIGNER = 0x31, KMF_ERR_OCSP_RESPONSE_SIGNATURE = 0x32, KMF_ERR_OCSP_UNKNOWN_CERT = 0x33, KMF_ERR_OCSP_STATUS_TIME_INVALID = 0x34, KMF_ERR_BAD_HTTP_RESPONSE = 0x35, KMF_ERR_RECV_RESPONSE = 0x36, KMF_ERR_RECV_TIMEOUT = 0x37, KMF_ERR_DUPLICATE_KEYFILE = 0x38, KMF_ERR_AMBIGUOUS_PATHNAME = 0x39, KMF_ERR_FUNCTION_NOT_FOUND = 0x3a, KMF_ERR_PKCS12_FORMAT = 0x3b, KMF_ERR_BAD_KEY_TYPE = 0x3c, KMF_ERR_BAD_KEY_CLASS = 0x3d, KMF_ERR_BAD_KEY_SIZE = 0x3e, KMF_ERR_BAD_HEX_STRING = 0x3f, KMF_ERR_KEYUSAGE = 0x40, KMF_ERR_VALIDITY_PERIOD = 0x41, KMF_ERR_OCSP_REVOKED = 0x42, KMF_ERR_CERT_MULTIPLE_FOUND = 0x43, KMF_ERR_WRITE_FILE = 0x44, KMF_ERR_BAD_URI = 0x45, KMF_ERR_BAD_CRLFILE = 0x46, KMF_ERR_BAD_CERTFILE = 0x47, KMF_ERR_GETKEYVALUE_FAILED = 0x48, KMF_ERR_BAD_KEYHANDLE = 0x49, KMF_ERR_BAD_OBJECT_TYPE = 0x4a, KMF_ERR_OCSP_RESPONSE_LIFETIME = 0x4b, KMF_ERR_UNKNOWN_CSR_ATTRIBUTE = 0x4c, KMF_ERR_UNINITIALIZED_TOKEN = 0x4d, KMF_ERR_INCOMPLETE_TBS_CERT = 0x4e, KMF_ERR_MISSING_ERRCODE = 0x4f, KMF_KEYSTORE_ALREADY_INITIALIZED = 0x50, KMF_ERR_SENSITIVE_KEY = 0x51, KMF_ERR_UNEXTRACTABLE_KEY = 0x52, KMF_ERR_KEY_MISMATCH = 0x53 } KMF_RETURN; typedef enum { OCSP_SUCCESS = 0, OCSP_MALFORMED_REQUEST = 1, OCSP_INTERNAL_ERROR = 2, OCSP_TRYLATER = 3, OCSP_SIGREQUIRED = 4, OCSP_UNAUTHORIZED = 5 } KMF_OCSP_RESPONSE_STATUS; typedef enum { OCSP_NOSTATUS = -1, OCSP_UNSPECIFIED = 0, OCSP_KEYCOMPROMISE = 1, OCSP_CACOMPROMISE = 2, OCSP_AFFILIATIONCHANGE = 3, OCSP_SUPERCEDED = 4, OCSP_CESSATIONOFOPERATION = 5, OCSP_CERTIFICATEHOLD = 6, OCSP_REMOVEFROMCRL = 7 } KMF_OCSP_REVOKED_STATUS; typedef enum { KMF_ALGCLASS_NONE = 0, KMF_ALGCLASS_CUSTOM, KMF_ALGCLASS_SIGNATURE, KMF_ALGCLASS_SYMMETRIC, KMF_ALGCLASS_DIGEST, KMF_ALGCLASS_RANDOMGEN, KMF_ALGCLASS_UNIQUEGEN, KMF_ALGCLASS_MAC, KMF_ALGCLASS_ASYMMETRIC, KMF_ALGCLASS_KEYGEN, KMF_ALGCLASS_DERIVEKEY } KMF_ALGCLASS; /* * Algorithms * This type defines a set of constants used to identify cryptographic * algorithms. */ typedef enum { KMF_ALGID_NONE = 0, KMF_ALGID_CUSTOM, KMF_ALGID_SHA1, KMF_ALGID_RSA, KMF_ALGID_DSA, KMF_ALGID_MD5WithRSA, KMF_ALGID_MD2WithRSA, KMF_ALGID_SHA1WithRSA, KMF_ALGID_SHA1WithDSA } KMF_ALGORITHM_INDEX; typedef enum { KMF_CERT_ISSUER = 1, KMF_CERT_SUBJECT, KMF_CERT_VERSION, KMF_CERT_SERIALNUM, KMF_CERT_NOTBEFORE, KMF_CERT_NOTAFTER, KMF_CERT_PUBKEY_ALG, KMF_CERT_SIGNATURE_ALG, KMF_CERT_EMAIL, KMF_CERT_PUBKEY_DATA, KMF_X509_EXT_PRIV_KEY_USAGE_PERIOD, KMF_X509_EXT_CERT_POLICIES, KMF_X509_EXT_SUBJ_ALTNAME, KMF_X509_EXT_ISSUER_ALTNAME, KMF_X509_EXT_BASIC_CONSTRAINTS, KMF_X509_EXT_NAME_CONSTRAINTS, KMF_X509_EXT_POLICY_CONSTRAINTS, KMF_X509_EXT_EXT_KEY_USAGE, KMF_X509_EXT_INHIBIT_ANY_POLICY, KMF_X509_EXT_AUTH_KEY_ID, KMF_X509_EXT_SUBJ_KEY_ID, KMF_X509_EXT_POLICY_MAPPINGS, KMF_X509_EXT_CRL_DIST_POINTS, KMF_X509_EXT_FRESHEST_CRL, KMF_X509_EXT_KEY_USAGE } KMF_PRINTABLE_ITEM; /* * KMF_X509_ALGORITHM_IDENTIFIER * This structure holds an object identifier naming a * cryptographic algorithm and an optional set of * parameters to be used as input to that algorithm. */ typedef struct { KMF_OID algorithm; KMF_DATA parameters; } KMF_X509_ALGORITHM_IDENTIFIER; /* * KMF_X509_TYPE_VALUE_PAIR * This structure contain an type-value pair. */ typedef struct { KMF_OID type; uint8_t valueType; /* The Tag to use when BER encoded */ KMF_DATA value; } KMF_X509_TYPE_VALUE_PAIR; /* * KMF_X509_RDN * This structure contains a Relative Distinguished Name * composed of an ordered set of type-value pairs. */ typedef struct { uint32_t numberOfPairs; KMF_X509_TYPE_VALUE_PAIR *AttributeTypeAndValue; } KMF_X509_RDN; /* * KMF_X509_NAME * This structure contains a set of Relative Distinguished Names. */ typedef struct { uint32_t numberOfRDNs; KMF_X509_RDN *RelativeDistinguishedName; } KMF_X509_NAME; /* * KMF_X509_SPKI * This structure contains the public key and the * description of the verification algorithm * appropriate for use with this key. */ typedef struct { KMF_X509_ALGORITHM_IDENTIFIER algorithm; KMF_DATA subjectPublicKey; } KMF_X509_SPKI; /* * KMF_X509_TIME * Time is represented as a string according to the * definitions of GeneralizedTime and UTCTime * defined in RFC 2459. */ typedef struct { uint8_t timeType; KMF_DATA time; } KMF_X509_TIME; /* * KMF_X509_VALIDITY */ typedef struct { KMF_X509_TIME notBefore; KMF_X509_TIME notAfter; } KMF_X509_VALIDITY; /* * KMF_X509EXT_BASICCONSTRAINTS */ typedef struct { KMF_BOOL cA; KMF_BOOL pathLenConstraintPresent; uint32_t pathLenConstraint; } KMF_X509EXT_BASICCONSTRAINTS; /* * KMF_X509EXT_DATA_FORMAT * This list defines the valid formats for a certificate extension. */ typedef enum { KMF_X509_DATAFORMAT_ENCODED = 0, KMF_X509_DATAFORMAT_PARSED, KMF_X509_DATAFORMAT_PAIR } KMF_X509EXT_DATA_FORMAT; /* * KMF_X509EXT_TAGandVALUE * This structure contains a BER/DER encoded * extension value and the type of that value. */ typedef struct { uint8_t type; KMF_DATA value; } KMF_X509EXT_TAGandVALUE; /* * KMF_X509EXT_PAIR * This structure aggregates two extension representations: * a tag and value, and a parsed X509 extension representation. */ typedef struct { KMF_X509EXT_TAGandVALUE tagAndValue; void *parsedValue; } KMF_X509EXT_PAIR; /* * KMF_X509_EXTENSION * This structure contains a complete certificate extension. */ typedef struct { KMF_OID extnId; KMF_BOOL critical; KMF_X509EXT_DATA_FORMAT format; union { KMF_X509EXT_TAGandVALUE *tagAndValue; void *parsedValue; KMF_X509EXT_PAIR *valuePair; } value; KMF_DATA BERvalue; } KMF_X509_EXTENSION; /* * KMF_X509_EXTENSIONS * This structure contains the set of all certificate * extensions contained in a certificate. */ typedef struct { uint32_t numberOfExtensions; KMF_X509_EXTENSION *extensions; } KMF_X509_EXTENSIONS; /* * KMF_X509_TBS_CERT * This structure contains a complete X.509 certificate. */ typedef struct { KMF_DATA version; KMF_BIGINT serialNumber; KMF_X509_ALGORITHM_IDENTIFIER signature; KMF_X509_NAME issuer; KMF_X509_VALIDITY validity; KMF_X509_NAME subject; KMF_X509_SPKI subjectPublicKeyInfo; KMF_DATA issuerUniqueIdentifier; KMF_DATA subjectUniqueIdentifier; KMF_X509_EXTENSIONS extensions; } KMF_X509_TBS_CERT; /* * KMF_X509_SIGNATURE * This structure contains a cryptographic digital signature. */ typedef struct { KMF_X509_ALGORITHM_IDENTIFIER algorithmIdentifier; KMF_DATA encrypted; } KMF_X509_SIGNATURE; /* * KMF_X509_CERTIFICATE * This structure associates a set of decoded certificate * values with the signature covering those values. */ typedef struct { KMF_X509_TBS_CERT certificate; KMF_X509_SIGNATURE signature; } KMF_X509_CERTIFICATE; #define CERT_ALG_OID(c) &c->certificate.signature.algorithm #define CERT_SIG_OID(c) &c->signature.algorithmIdentifier.algorithm /* * KMF_TBS_CSR * This structure contains a complete PKCS#10 certificate request */ typedef struct { KMF_DATA version; KMF_X509_NAME subject; KMF_X509_SPKI subjectPublicKeyInfo; KMF_X509_EXTENSIONS extensions; } KMF_TBS_CSR; /* * KMF_CSR_DATA * This structure contains a complete PKCS#10 certificate signed request */ typedef struct { KMF_TBS_CSR csr; KMF_X509_SIGNATURE signature; } KMF_CSR_DATA; /* * KMF_X509EXT_POLICYQUALIFIERINFO */ typedef struct { KMF_OID policyQualifierId; KMF_DATA value; } KMF_X509EXT_POLICYQUALIFIERINFO; /* * KMF_X509EXT_POLICYQUALIFIERS */ typedef struct { uint32_t numberOfPolicyQualifiers; KMF_X509EXT_POLICYQUALIFIERINFO *policyQualifier; } KMF_X509EXT_POLICYQUALIFIERS; /* * KMF_X509EXT_POLICYINFO */ typedef struct { KMF_OID policyIdentifier; KMF_X509EXT_POLICYQUALIFIERS policyQualifiers; } KMF_X509EXT_POLICYINFO; typedef struct { uint32_t numberOfPolicyInfo; KMF_X509EXT_POLICYINFO *policyInfo; } KMF_X509EXT_CERT_POLICIES; typedef struct { uchar_t critical; uint16_t KeyUsageBits; } KMF_X509EXT_KEY_USAGE; typedef struct { uchar_t critical; uint16_t nEKUs; KMF_OID *keyPurposeIdList; } KMF_X509EXT_EKU; /* * X509 AuthorityInfoAccess extension */ typedef struct { KMF_OID AccessMethod; KMF_DATA AccessLocation; } KMF_X509EXT_ACCESSDESC; typedef struct { uint32_t numberOfAccessDescription; KMF_X509EXT_ACCESSDESC *AccessDesc; } KMF_X509EXT_AUTHINFOACCESS; /* * X509 Crl Distribution Point extension */ typedef struct { KMF_GENERALNAMECHOICES choice; KMF_DATA name; } KMF_GENERALNAME; typedef struct { uint32_t number; KMF_GENERALNAME *namelist; } KMF_GENERALNAMES; typedef enum { DP_GENERAL_NAME = 1, DP_RELATIVE_NAME = 2 } KMF_CRL_DIST_POINT_TYPE; typedef struct { KMF_CRL_DIST_POINT_TYPE type; union { KMF_GENERALNAMES full_name; KMF_DATA relative_name; } name; KMF_DATA reasons; KMF_GENERALNAMES crl_issuer; } KMF_CRL_DIST_POINT; typedef struct { uint32_t number; KMF_CRL_DIST_POINT *dplist; } KMF_X509EXT_CRLDISTPOINTS; /* * Definitions for common X.509v3 certificate attribute OIDs */ #define OID_ISO_MEMBER 42 /* Also in PKCS */ #define OID_US OID_ISO_MEMBER, 134, 72 /* Also in PKCS */ #define OID_CA OID_ISO_MEMBER, 124 #define OID_ISO_IDENTIFIED_ORG 43 #define OID_OSINET OID_ISO_IDENTIFIED_ORG, 4 #define OID_GOSIP OID_ISO_IDENTIFIED_ORG, 5 #define OID_DOD OID_ISO_IDENTIFIED_ORG, 6 #define OID_OIW OID_ISO_IDENTIFIED_ORG, 14 /* Also in x9.57 */ #define OID_ISO_CCITT_DIR_SERVICE 85 #define OID_ISO_CCITT_COUNTRY 96 #define OID_COUNTRY_US OID_ISO_CCITT_COUNTRY, 134, 72 #define OID_COUNTRY_CA OID_ISO_CCITT_COUNTRY, 124 #define OID_COUNTRY_US_ORG OID_COUNTRY_US, 1 #define OID_COUNTRY_US_MHS_MD OID_COUNTRY_US, 2 #define OID_COUNTRY_US_STATE OID_COUNTRY_US, 3 /* From the PKCS Standards */ #define OID_ISO_MEMBER_LENGTH 1 #define OID_US_LENGTH (OID_ISO_MEMBER_LENGTH + 2) #define OID_RSA OID_US, 134, 247, 13 #define OID_RSA_LENGTH (OID_US_LENGTH + 3) #define OID_RSA_HASH OID_RSA, 2 #define OID_RSA_HASH_LENGTH (OID_RSA_LENGTH + 1) #define OID_RSA_ENCRYPT OID_RSA, 3 #define OID_RSA_ENCRYPT_LENGTH (OID_RSA_LENGTH + 1) #define OID_PKCS OID_RSA, 1 #define OID_PKCS_LENGTH (OID_RSA_LENGTH + 1) #define OID_PKCS_1 OID_PKCS, 1 #define OID_PKCS_1_LENGTH (OID_PKCS_LENGTH + 1) #define OID_PKCS_2 OID_PKCS, 2 #define OID_PKCS_3 OID_PKCS, 3 #define OID_PKCS_3_LENGTH (OID_PKCS_LENGTH + 1) #define OID_PKCS_4 OID_PKCS, 4 #define OID_PKCS_5 OID_PKCS, 5 #define OID_PKCS_5_LENGTH (OID_PKCS_LENGTH + 1) #define OID_PKCS_6 OID_PKCS, 6 #define OID_PKCS_7 OID_PKCS, 7 #define OID_PKCS_7_LENGTH (OID_PKCS_LENGTH + 1) #define OID_PKCS_7_Data OID_PKCS_7, 1 #define OID_PKCS_7_SignedData OID_PKCS_7, 2 #define OID_PKCS_7_EnvelopedData OID_PKCS_7, 3 #define OID_PKCS_7_SignedAndEnvelopedData OID_PKCS_7, 4 #define OID_PKCS_7_DigestedData OID_PKCS_7, 5 #define OID_PKCS_7_EncryptedData OID_PKCS_7, 6 #define OID_PKCS_8 OID_PKCS, 8 #define OID_PKCS_9 OID_PKCS, 9 #define OID_PKCS_9_LENGTH (OID_PKCS_LENGTH + 1) #define OID_PKCS_9_CONTENT_TYPE OID_PKCS_9, 3 #define OID_PKCS_9_MESSAGE_DIGEST OID_PKCS_9, 4 #define OID_PKCS_9_SIGNING_TIME OID_PKCS_9, 5 #define OID_PKCS_9_COUNTER_SIGNATURE OID_PKCS_9, 6 #define OID_PKCS_9_EXTENSION_REQUEST OID_PKCS_9, 14 #define OID_PKCS_10 OID_PKCS, 10 #define OID_PKCS_12 OID_PKCS, 12 #define OID_PKCS_12_LENGTH (OID_PKCS_LENGTH + 1) #define PBEWithSHAAnd128BitRC4 OID_PKCS_12, 1, 1 #define PBEWithSHAAnd40BitRC4 OID_PKCS_12, 1, 2 #define PBEWithSHAAnd3KeyTripleDES_CBC OID_PKCS_12, 1, 3 #define PBEWithSHAAnd2KeyTripleDES_CBC OID_PKCS_12, 1, 4 #define PBEWithSHAAnd128BitRC2_CBC OID_PKCS_12, 1, 5 #define PBEWithSHAAnd40BitRC2_CBC OID_PKCS_12, 1, 6 #define OID_BAG_TYPES OID_PKCS_12, 10, 1 #define OID_KeyBag OID_BAG_TYPES, 1 #define OID_PKCS8ShroudedKeyBag OID_BAG_TYPES, 2 #define OID_CertBag OID_BAG_TYPES, 3 #define OID_CrlBag OID_BAG_TYPES, 4 #define OID_SecretBag OID_BAG_TYPES, 5 #define OID_SafeContentsBag OID_BAG_TYPES, 6 #define OID_ContentInfo OID_PKCS_7, 0, 1 #define OID_CERT_TYPES OID_PKCS_9, 22 #define OID_x509Certificate OID_CERT_TYPES, 1 #define OID_sdsiCertificate OID_CERT_TYPES, 2 #define OID_CRL_TYPES OID_PKCS_9, 23 #define OID_x509Crl OID_CRL_TYPES, 1 #define OID_DS OID_ISO_CCITT_DIR_SERVICE /* Also in X.501 */ #define OID_DS_LENGTH 1 #define OID_ATTR_TYPE OID_DS, 4 /* Also in X.501 */ #define OID_ATTR_TYPE_LENGTH (OID_DS_LENGTH + 1) #define OID_DSALG OID_DS, 8 /* Also in X.501 */ #define OID_DSALG_LENGTH (OID_DS_LENGTH + 1) #define OID_EXTENSION OID_DS, 29 /* Also in X.501 */ #define OID_EXTENSION_LENGTH (OID_DS_LENGTH + 1) /* * From RFC 1274: * {itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100) pilotAttributeType(1) } */ #define OID_PILOT 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x1 #define OID_PILOT_LENGTH 9 #define OID_USERID OID_PILOT 1 #define OID_USERID_LENGTH (OID_PILOT_LENGTH + 1) /* * From PKIX part1 * { iso(1) identified-organization(3) dod(6) internet(1) * security(5) mechanisms(5) pkix(7) } */ #define OID_PKIX 43, 6, 1, 5, 5, 7 #define OID_PKIX_LENGTH 6 /* private certificate extensions, { id-pkix 1 } */ #define OID_PKIX_PE OID_PKIX, 1 #define OID_PKIX_PE_LENGTH (OID_PKIX_LENGTH + 1) /* policy qualifier types {id-pkix 2 } */ #define OID_PKIX_QT OID_PKIX, 2 #define OID_PKIX_QT_LENGTH (OID_PKIX_LENGTH + 1) /* CPS qualifier, { id-qt 1 } */ #define OID_PKIX_QT_CPS OID_PKIX_QT, 1 #define OID_PKIX_QT_CPS_LENGTH (OID_PKIX_QT_LENGTH + 1) /* user notice qualifier, { id-qt 2 } */ #define OID_PKIX_QT_UNOTICE OID_PKIX_QT, 2 #define OID_PKIX_QT_UNOTICE_LENGTH (OID_PKIX_QT_LENGTH + 1) /* extended key purpose OIDs {id-pkix 3 } */ #define OID_PKIX_KP OID_PKIX, 3 #define OID_PKIX_KP_LENGTH (OID_PKIX_LENGTH + 1) /* access descriptors {id-pkix 4 } */ #define OID_PKIX_AD OID_PKIX, 48 #define OID_PKIX_AD_LENGTH (OID_PKIX_LENGTH + 1) /* access descriptors */ /* OCSP */ #define OID_PKIX_AD_OCSP OID_PKIX_AD, 1 #define OID_PKIX_AD_OCSP_LENGTH (OID_PKIX_AD_LENGTH + 1) /* cAIssuers */ #define OID_PKIX_AD_CAISSUERS OID_PKIX_AD, 2 #define OID_PKIX_AD_CAISSUERS_LENGTH (OID_PKIX_AD_LENGTH + 1) /* end PKIX part1 */ #define OID_APPL_TCP_PROTO 43, 6, 1, 2, 1, 27, 4 #define OID_APPL_TCP_PROTO_LENGTH 8 #define OID_DAP OID_DS, 3, 1 #define OID_DAP_LENGTH (OID_DS_LENGTH + 2) /* From x9.57 */ #define OID_OIW_LENGTH 2 #define OID_OIW_SECSIG OID_OIW, 3 #define OID_OIW_SECSIG_LENGTH (OID_OIW_LENGTH + 1) #define OID_OIW_ALGORITHM OID_OIW_SECSIG, 2 #define OID_OIW_ALGORITHM_LENGTH (OID_OIW_SECSIG_LENGTH + 1) #define OID_OIWDIR OID_OIW, 7, 2 #define OID_OIWDIR_LENGTH (OID_OIW_LENGTH + 2) #define OID_OIWDIR_CRPT OID_OIWDIR, 1 #define OID_OIWDIR_HASH OID_OIWDIR, 2 #define OID_OIWDIR_HASH_LENGTH (OID_OIWDIR_LENGTH + 1) #define OID_OIWDIR_SIGN OID_OIWDIR, 3 #define OID_OIWDIR_SIGN_LENGTH (OID_OIWDIR_LENGTH + 1) #define OID_X9CM OID_US, 206, 56 #define OID_X9CM_MODULE OID_X9CM, 1 #define OID_X9CM_INSTRUCTION OID_X9CM, 2 #define OID_X9CM_ATTR OID_X9CM, 3 #define OID_X9CM_X9ALGORITHM OID_X9CM, 4 #define OID_X9CM_X9ALGORITHM_LENGTH ((OID_US_LENGTH) + 2 + 1) #define INTEL 96, 134, 72, 1, 134, 248, 77 #define INTEL_LENGTH 7 #define INTEL_SEC_FORMATS INTEL_CDSASECURITY, 1 #define INTEL_SEC_FORMATS_LENGTH (INTEL_CDSASECURITY_LENGTH + 1) #define INTEL_SEC_ALGS INTEL_CDSASECURITY, 2, 5 #define INTEL_SEC_ALGS_LENGTH (INTEL_CDSASECURITY_LENGTH + 2) extern const KMF_OID KMFOID_AliasedEntryName, KMFOID_AuthorityRevocationList, KMFOID_BusinessCategory, KMFOID_CACertificate, KMFOID_CertificateRevocationList, KMFOID_ChallengePassword, KMFOID_CollectiveFacsimileTelephoneNumber, KMFOID_CollectiveInternationalISDNNumber, KMFOID_CollectiveOrganizationName, KMFOID_CollectiveOrganizationalUnitName, KMFOID_CollectivePhysicalDeliveryOfficeName, KMFOID_CollectivePostOfficeBox, KMFOID_CollectivePostalAddress, KMFOID_CollectivePostalCode, KMFOID_CollectiveStateProvinceName, KMFOID_CollectiveStreetAddress, KMFOID_CollectiveTelephoneNumber, KMFOID_CollectiveTelexNumber, KMFOID_CollectiveTelexTerminalIdentifier, KMFOID_CommonName, KMFOID_ContentType, KMFOID_CounterSignature, KMFOID_CountryName, KMFOID_CrossCertificatePair, KMFOID_DNQualifier, KMFOID_Description, KMFOID_DestinationIndicator, KMFOID_DistinguishedName, KMFOID_EmailAddress, KMFOID_EnhancedSearchGuide, KMFOID_ExtendedCertificateAttributes, KMFOID_ExtensionRequest, KMFOID_FacsimileTelephoneNumber, KMFOID_GenerationQualifier, KMFOID_GivenName, KMFOID_HouseIdentifier, KMFOID_Initials, KMFOID_InternationalISDNNumber, KMFOID_KnowledgeInformation, KMFOID_LocalityName, KMFOID_Member, KMFOID_MessageDigest, KMFOID_Name, KMFOID_ObjectClass, KMFOID_OrganizationName, KMFOID_OrganizationalUnitName, KMFOID_Owner, KMFOID_PhysicalDeliveryOfficeName, KMFOID_PostOfficeBox, KMFOID_PostalAddress, KMFOID_PostalCode, KMFOID_PreferredDeliveryMethod, KMFOID_PresentationAddress, KMFOID_ProtocolInformation, KMFOID_RFC822mailbox, KMFOID_RegisteredAddress, KMFOID_RoleOccupant, KMFOID_SearchGuide, KMFOID_SeeAlso, KMFOID_SerialNumber, KMFOID_SigningTime, KMFOID_StateProvinceName, KMFOID_StreetAddress, KMFOID_SupportedApplicationContext, KMFOID_Surname, KMFOID_TelephoneNumber, KMFOID_TelexNumber, KMFOID_TelexTerminalIdentifier, KMFOID_Title, KMFOID_UniqueIdentifier, KMFOID_UniqueMember, KMFOID_UnstructuredAddress, KMFOID_UnstructuredName, KMFOID_UserCertificate, KMFOID_UserPassword, KMFOID_X_121Address, KMFOID_domainComponent, KMFOID_userid; extern const KMF_OID KMFOID_AuthorityKeyID, KMFOID_AuthorityInfoAccess, KMFOID_VerisignCertificatePolicy, KMFOID_KeyUsageRestriction, KMFOID_SubjectDirectoryAttributes, KMFOID_SubjectKeyIdentifier, KMFOID_KeyUsage, KMFOID_PrivateKeyUsagePeriod, KMFOID_SubjectAltName, KMFOID_IssuerAltName, KMFOID_BasicConstraints, KMFOID_CrlNumber, KMFOID_CrlReason, KMFOID_HoldInstructionCode, KMFOID_InvalidityDate, KMFOID_DeltaCrlIndicator, KMFOID_IssuingDistributionPoints, KMFOID_NameConstraints, KMFOID_CrlDistributionPoints, KMFOID_CertificatePolicies, KMFOID_PolicyMappings, KMFOID_PolicyConstraints, KMFOID_AuthorityKeyIdentifier, KMFOID_ExtendedKeyUsage, KMFOID_PkixAdOcsp, KMFOID_PkixAdCaIssuers, KMFOID_PKIX_PQ_CPSuri, KMFOID_PKIX_PQ_Unotice, KMFOID_PKIX_KP_ServerAuth, KMFOID_PKIX_KP_ClientAuth, KMFOID_PKIX_KP_CodeSigning, KMFOID_PKIX_KP_EmailProtection, KMFOID_PKIX_KP_IPSecEndSystem, KMFOID_PKIX_KP_IPSecTunnel, KMFOID_PKIX_KP_IPSecUser, KMFOID_PKIX_KP_TimeStamping, KMFOID_PKIX_KP_OCSPSigning; /* * KMF Certificate validation codes. These may be masked together. */ #define KMF_CERT_VALIDATE_OK 0x00 #define KMF_CERT_VALIDATE_ERR_TA 0x01 #define KMF_CERT_VALIDATE_ERR_USER 0x02 #define KMF_CERT_VALIDATE_ERR_SIGNATURE 0x04 #define KMF_CERT_VALIDATE_ERR_KEYUSAGE 0x08 #define KMF_CERT_VALIDATE_ERR_EXT_KEYUSAGE 0x10 #define KMF_CERT_VALIDATE_ERR_TIME 0x20 #define KMF_CERT_VALIDATE_ERR_CRL 0x40 #define KMF_CERT_VALIDATE_ERR_OCSP 0x80 #define KMF_CERT_VALIDATE_ERR_ISSUER 0x100 /* * KMF Key Usage bitmasks */ #define KMF_digitalSignature 0x8000 #define KMF_nonRepudiation 0x4000 #define KMF_keyEncipherment 0x2000 #define KMF_dataEncipherment 0x1000 #define KMF_keyAgreement 0x0800 #define KMF_keyCertSign 0x0400 #define KMF_cRLSign 0x0200 #define KMF_encipherOnly 0x0100 #define KMF_decipherOnly 0x0080 #define KMF_KUBITMASK 0xFF80 /* * KMF Extended KeyUsage OID definitions */ #define KMF_EKU_SERVERAUTH 0x01 #define KMF_EKU_CLIENTAUTH 0x02 #define KMF_EKU_CODESIGNING 0x04 #define KMF_EKU_EMAIL 0x08 #define KMF_EKU_TIMESTAMP 0x10 #define KMF_EKU_OCSPSIGNING 0x20 #ifdef __cplusplus } #endif #endif /* _KMFTYPES_H */