1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
|
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* Internal header file included only by files in pkcs11 dir, or in
* pkcs11 specific client and server files.
*/
#ifndef _SECMODTI_H_
#define _SECMODTI_H_ 1
#include "prmon.h"
#include "prtypes.h"
#include "nssilckt.h"
#include "secmodt.h"
#include "pkcs11t.h"
#include "nssdevt.h"
/* internal data structures */
/* Traverse slots callback */
typedef struct pk11TraverseSlotStr {
SECStatus (*callback)(PK11SlotInfo *, CK_OBJECT_HANDLE, void *);
void *callbackArg;
CK_ATTRIBUTE *findTemplate;
int templateCount;
} pk11TraverseSlot;
/* represent a pkcs#11 slot reference counted. */
struct PK11SlotInfoStr {
/* the PKCS11 function list for this slot */
void *functionList;
SECMODModule *module; /* our parent module */
/* Boolean to indicate the current state of this slot */
PRBool needTest; /* Has this slot been tested for Export complience */
PRBool isPerm; /* is this slot a permanment device */
PRBool isHW; /* is this slot a hardware device */
PRBool isInternal; /* is this slot one of our internal PKCS #11 devices */
PRBool disabled; /* is this slot disabled... */
PK11DisableReasons reason; /* Why this slot is disabled */
PRBool readOnly; /* is the token in this slot read-only */
PRBool needLogin; /* does the token of the type that needs
* authentication (still true even if token is logged
* in) */
PRBool hasRandom; /* can this token generated random numbers */
PRBool defRWSession; /* is the default session RW (we open our default
* session rw if the token can only handle one session
* at a time. */
PRBool isThreadSafe; /* copied from the module */
/* The actual flags (many of which are distilled into the above PRBools) */
CK_FLAGS flags; /* flags from PKCS #11 token Info */
/* a default session handle to do quick and dirty functions */
CK_SESSION_HANDLE session;
PZLock *sessionLock; /* lock for this session */
/* our ID */
CK_SLOT_ID slotID;
/* persistant flags saved from startup to startup */
unsigned long defaultFlags;
/* keep track of who is using us so we don't accidently get freed while
* still in use */
PRInt32 refCount; /* to be in/decremented by atomic calls ONLY! */
PZLock *freeListLock;
PK11SymKey *freeSymKeysWithSessionHead;
PK11SymKey *freeSymKeysHead;
int keyCount;
int maxKeyCount;
/* Password control functions for this slot. many of these are only
* active if the appropriate flag is on in defaultFlags */
int askpw; /* what our password options are */
int timeout; /* If we're ask_timeout, what is our timeout time is
* seconds */
int authTransact; /* allow multiple authentications off one password if
* they are all part of the same transaction */
PRTime authTime; /* when were we last authenticated */
int minPassword; /* smallest legal password */
int maxPassword; /* largest legal password */
PRUint16 series; /* break up the slot info into various groups of
* inserted tokens so that keys and certs can be
* invalidated */
PRUint16 flagSeries; /* record the last series for the last event
* returned for this slot */
PRBool flagState; /* record the state of the last event returned for this
* slot. */
PRUint16 wrapKey; /* current wrapping key for SSL master secrets */
CK_MECHANISM_TYPE wrapMechanism;
/* current wrapping mechanism for current wrapKey */
CK_OBJECT_HANDLE refKeys[1]; /* array of existing wrapping keys for */
CK_MECHANISM_TYPE *mechanismList; /* list of mechanism supported by this
* token */
int mechanismCount;
/* cache the certificates stored on the token of this slot */
CERTCertificate **cert_array;
int array_size;
int cert_count;
char serial[16];
/* since these are odd sizes, keep them last. They are odd sizes to
* allow them to become null terminated strings */
char slot_name[65];
char token_name[33];
PRBool hasRootCerts;
PRBool hasRootTrust;
PRBool hasRSAInfo;
CK_FLAGS RSAInfoFlags;
PRBool protectedAuthPath;
PRBool isActiveCard;
PRIntervalTime lastLoginCheck;
unsigned int lastState;
/* for Stan */
NSSToken *nssToken;
/* the tokeninfo struct */
CK_TOKEN_INFO tokenInfo;
/* fast mechanism lookup */
char mechanismBits[256];
CK_PROFILE_ID *profileList;
int profileCount;
};
/* Symetric Key structure. Reference Counted */
struct PK11SymKeyStr {
CK_MECHANISM_TYPE type; /* type of operation this key was created for*/
CK_OBJECT_HANDLE objectID; /* object id of this key in the slot */
PK11SlotInfo *slot; /* Slot this key is loaded into */
void *cx; /* window context in case we need to loggin */
PK11SymKey *next;
PRBool owner;
SECItem data; /* raw key data if available */
CK_SESSION_HANDLE session;
PRBool sessionOwner;
PRInt32 refCount; /* number of references to this key */
int size; /* key size in bytes */
PK11Origin origin; /* where this key came from
* (see def in secmodt.h) */
PK11SymKey *parent; /* potential owner key of the session */
PRUint16 series; /* break up the slot info into various groups
* of inserted tokens so that keys and certs
* can be invalidated */
void *userData; /* random data the application can attach to
* this key */
PK11FreeDataFunc freeFunc; /* function to free the user data */
};
/*
* hold a hash, encryption or signing context for multi-part operations.
* hold enough information so that multiple contexts can be interleaved
* if necessary. ... Not RefCounted.
*/
struct PK11ContextStr {
CK_ATTRIBUTE_TYPE operation; /* type of operation this context is
* doing (CKA_ENCRYPT, CKA_SIGN,
* CKA_HASH, etc.) */
PK11SymKey *key; /* symetric key for this context */
PK11SlotInfo *slot; /* slot this context is using */
CK_SESSION_HANDLE session; /* session this context is using */
PZLock *sessionLock; /* lock before accessing a PKCS #11
* session */
PRBool ownSession; /* do we own the session? */
void *cx; /* window context for login */
void *savedData; /* save data when we are
* multiplexing on a single context */
unsigned long savedLength; /* length of the saved context */
SECItem *param; /* mechanism parameters used to
* build this context */
PRBool init; /* this contexted been initialized? */
CK_MECHANISM_TYPE type; /* what is the PKCS #11 this context
* is representing (usually what
* algorithm is being used
* (CKM_RSA_PKCS, CKM_DES, CKM_SHA,
* etc. */
PRBool fortezzaHack; /* Fortezza SSL has some special
* non-standard semantics*/
PRBool simulate_message; /* We are initializing a message
* interface but the underlying
* PKCS #11 module does not support
* it. We simulate the interface with
* the PCKS #11 v2 interface */
CK_MECHANISM_TYPE simulate_mechanism; /* The mechanism we are simulating */
PRUint64 ivCounter; /* iv counter for simulated message */
PRUint64 ivMaxCount; /* total number of IVs valid for
* this key */
unsigned long ivLen; /* length of the iv in bytes */
unsigned int ivFixedBits; /* number of bits not generated
* for the iv */
CK_GENERATOR_FUNCTION ivGen; /* PKCS #11 iv generator value */
};
/*
* structure to hold a pointer to a unique PKCS #11 object
* (pointer to the slot and the object id).
*/
struct PK11GenericObjectStr {
PK11GenericObject *prev;
PK11GenericObject *next;
PK11SlotInfo *slot;
CK_OBJECT_HANDLE objectID;
PRBool owner;
};
#define MAX_TEMPL_ATTRS 16 /* maximum attributes in template */
/* This mask includes all CK_FLAGs with an equivalent CKA_ attribute. */
#define CKF_KEY_OPERATION_FLAGS 0x000e7b00UL
#endif /* _SECMODTI_H_ */
|