2 * softoken.h - private data structures and prototypes for the softoken lib
4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
21 * Convenience wrappers for doing a single PKCS#1 v1.5 RSA operation where the
22 * encoded digest info is computed internally, rather than by the caller.
24 * The HashSign variants expect as input the value of H, the computed hash
25 * from RFC 3447, Section 9.2, Step 1, and will compute the DER-encoded
26 * DigestInfo structure internally prior to signing/verifying.
/*
 * RSA_HashSign takes the already-computed digest in hash/hashLen and the
 * digest algorithm in hashOid; per the description above, the DigestInfo
 * is built internally before signing.
 * NOTE(review): sig/maxLen look like the output buffer and its capacity,
 * with the produced length returned through sigLen -- confirm against the
 * implementation.
 * NOTE(review): this header does not show whether hashLen is checked
 * against the digest size implied by hashOid; callers should pass a
 * matching length rather than rely on such a check.
 * NOTE(review): the return-type line of this declaration is missing from
 * this listing.
 */
29 RSA_HashSign(SECOidTag hashOid, NSSLOWKEYPrivateKey *key,
30 unsigned char *sig, unsigned int *sigLen, unsigned int maxLen,
31 const unsigned char *hash, unsigned int hashLen);
/*
 * RSA_HashCheckSign takes a public key, a signature in sig/sigLen and the
 * digest in hash/hashLen for the algorithm named by hashOid; per the
 * description above it is the verifying variant.
 * NOTE(review): the return-type line is missing from this listing; callers
 * should treat every result other than explicit success as a failed
 * verification -- confirm the status convention in the implementation.
 * NOTE(review): as with signing, this header does not show whether hashLen
 * is validated against hashOid.
 */
34 RSA_HashCheckSign(SECOidTag hashOid, NSSLOWKEYPublicKey *key,
35 const unsigned char *sig, unsigned int sigLen,
36 const unsigned char *hash, unsigned int hashLen);
40 ** prepare an ECParams structure from DER-encoded params
/*
 * ECParams helpers. All three return SECStatus; callers should check it
 * before using the output params, since encodedParams is DER input that
 * may be malformed.
 * NOTE(review): EC_FillParams and EC_CopyParams take a PLArenaPool, so
 * their results are presumably arena-owned -- confirm who releases them.
 * NOTE(review): the EC_DecodeParams declaration is incomplete in this
 * listing (its final parameter line is missing).
 */
42 extern SECStatus EC_FillParams(PLArenaPool *arena,
43 const SECItem *encodedParams, ECParams *params);
44 extern SECStatus EC_DecodeParams(const SECItem *encodedParams,
46 extern SECStatus EC_CopyParams(PLArenaPool *arena, ECParams *dstParams,
47 const ECParams *srcParams);
52 ** Prepare a buffer for padded CBC encryption, growing to the appropriate
53 ** boundary, filling with the appropriate padding.
55 ** blockSize must be a power of 2.
57 ** We add from 1 to blockSize bytes -- we *always* grow.
58 ** The extra bytes contain the value of the length of the padding:
59 ** if we have 2 bytes of padding, then the padding is "0x02, 0x02".
61 ** NOTE: If arena is non-NULL, we re-allocate from there, otherwise
62 ** we assume (and use) PR memory (re)allocation.
/*
 * NOTE(review): because the buffer is (re)allocated, callers should
 * presumably continue with the returned pointer rather than inbuf and
 * check it for NULL -- confirm the failure convention.
 * NOTE(review): inlen and *outlen are unsigned int and the padded length
 * is always larger than inlen, so an inlen close to UINT_MAX could wrap;
 * confirm that the implementation or its callers bound inlen.
 * NOTE(review): the end of this declaration (the blockSize parameter named
 * in the comment above) is missing from this listing.
 */
64 extern unsigned char * CBC_PadBuffer(PLArenaPool *arena, unsigned char *inbuf,
65 unsigned int inlen, unsigned int *outlen,
69 /****************************************/
71 ** Power-Up selftests required for FIPS and invoked only
72 ** under PKCS #11 FIPS mode.
/*
 * Returns a CK_RV and takes no arguments.
 * NOTE(review): presumably any result other than success must stop the
 * module from offering cryptographic services in FIPS mode -- confirm how
 * callers react (see sftk_fatalError below).
 */
74 extern CK_RV sftk_fipsPowerUpSelfTest( void );
77 ** map known fixed PKCS #11 key types to their sizes in bytes
/*
 * NOTE(review): the value returned for key types that have no fixed size
 * is not visible in this header; confirm it before using the result as a
 * buffer length.
 */
79 unsigned long sftk_MapKeySize(CK_KEY_TYPE keyType);
82 ** FIPS 140-2 auditing
/*
 * Audit hooks. sftk_audit_enabled is a global PRBool; the sftk_Audit*
 * functions below each take the arguments of one PKCS #11 operation plus
 * its result code rv, and return nothing, so a logging failure cannot be
 * reported to the caller through them.
 * NOTE(review): presumably callers test sftk_audit_enabled before calling
 * a hook -- confirm at the call sites.
 * NOTE(review): several hooks receive attribute templates or wrapped-key
 * buffers (pTemplate, pWrappedKey). Audit records should carry handles,
 * mechanisms and results, not key or attribute bytes -- confirm what the
 * implementation formats into the message.
 * NOTE(review): the sftk_AuditGetObjectSize declaration is incomplete in
 * this listing (its final parameter line is missing).
 */
84 extern PRBool sftk_audit_enabled;
86 extern void sftk_LogAuditMessage(NSSAuditSeverity severity,
87 NSSAuditType, const char *msg);
89 extern void sftk_AuditCreateObject(CK_SESSION_HANDLE hSession,
90 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
91 CK_OBJECT_HANDLE_PTR phObject, CK_RV rv);
93 extern void sftk_AuditCopyObject(CK_SESSION_HANDLE hSession,
94 CK_OBJECT_HANDLE hObject,
95 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
96 CK_OBJECT_HANDLE_PTR phNewObject, CK_RV rv);
98 extern void sftk_AuditDestroyObject(CK_SESSION_HANDLE hSession,
99 CK_OBJECT_HANDLE hObject, CK_RV rv);
101 extern void sftk_AuditGetObjectSize(CK_SESSION_HANDLE hSession,
102 CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize,
105 extern void sftk_AuditGetAttributeValue(CK_SESSION_HANDLE hSession,
106 CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
107 CK_ULONG ulCount, CK_RV rv);
109 extern void sftk_AuditSetAttributeValue(CK_SESSION_HANDLE hSession,
110 CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
111 CK_ULONG ulCount, CK_RV rv);
113 extern void sftk_AuditCryptInit(const char *opName,
114 CK_SESSION_HANDLE hSession,
115 CK_MECHANISM_PTR pMechanism,
116 CK_OBJECT_HANDLE hKey, CK_RV rv);
118 extern void sftk_AuditGenerateKey(CK_SESSION_HANDLE hSession,
119 CK_MECHANISM_PTR pMechanism,
120 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
121 CK_OBJECT_HANDLE_PTR phKey, CK_RV rv);
123 extern void sftk_AuditGenerateKeyPair(CK_SESSION_HANDLE hSession,
124 CK_MECHANISM_PTR pMechanism,
125 CK_ATTRIBUTE_PTR pPublicKeyTemplate,
126 CK_ULONG ulPublicKeyAttributeCount,
127 CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
128 CK_ULONG ulPrivateKeyAttributeCount,
129 CK_OBJECT_HANDLE_PTR phPublicKey,
130 CK_OBJECT_HANDLE_PTR phPrivateKey, CK_RV rv);
132 extern void sftk_AuditWrapKey(CK_SESSION_HANDLE hSession,
133 CK_MECHANISM_PTR pMechanism,
134 CK_OBJECT_HANDLE hWrappingKey, CK_OBJECT_HANDLE hKey,
135 CK_BYTE_PTR pWrappedKey,
136 CK_ULONG_PTR pulWrappedKeyLen, CK_RV rv);
138 extern void sftk_AuditUnwrapKey(CK_SESSION_HANDLE hSession,
139 CK_MECHANISM_PTR pMechanism,
140 CK_OBJECT_HANDLE hUnwrappingKey,
141 CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
142 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
143 CK_OBJECT_HANDLE_PTR phKey, CK_RV rv);
145 extern void sftk_AuditDeriveKey(CK_SESSION_HANDLE hSession,
146 CK_MECHANISM_PTR pMechanism,
147 CK_OBJECT_HANDLE hBaseKey,
148 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
149 CK_OBJECT_HANDLE_PTR phKey, CK_RV rv);
151 extern void sftk_AuditDigestKey(CK_SESSION_HANDLE hSession,
152 CK_OBJECT_HANDLE hKey, CK_RV rv);
155 ** FIPS 140-2 Error state
/*
 * Global flag for the FIPS 140-2 error state named above.
 * NOTE(review): presumably set on an unrecoverable failure such as a
 * failed self-test and consulted before requests are serviced -- confirm
 * where it is written and read, and whether those accesses are
 * synchronized.
 */
157 extern PRBool sftk_fatalError;
160 ** macros to check for forked child process after C_Initialize
/*
 * Fork-check support is compiled only when XP_UNIX is defined and
 * NO_FORK_CHECK is not.
 * FORK_ASSERT() reads the NSS_STRICT_NOFORK environment variable; its
 * guarded action runs when the variable is unset or equals "1". The action
 * itself, and the conditional that selects the empty FORK_ASSERT()
 * definition, are on lines missing from this listing.
 * NOTE(review): the behaviour is driven by the process environment, so it
 * depends on what the launching context puts there -- confirm this is
 * acceptable for every deployment.
 */
162 #if defined(XP_UNIX) && !defined(NO_FORK_CHECK)
166 #define FORK_ASSERT() \
168 char* forkAssert = getenv("NSS_STRICT_NOFORK"); \
169 if ( (!forkAssert) || (0 == strcmp(forkAssert, "1")) ) { \
176 #define FORK_ASSERT()
180 /* we have 3 methods of implementing the fork checks :
181 * - Solaris "mixed" method
182 * - pthread_atfork method
/*
 * Selects exactly one of CHECK_FORK_MIXED, CHECK_FORK_PTHREAD or
 * CHECK_FORK_GETPID when the build has not chosen one already.
 * NOTE(review): the platform conditionals that pick between the three
 * defines below are missing from this listing, so which platform maps to
 * which method cannot be confirmed from here beyond what the comments say.
 */
186 #if !defined (CHECK_FORK_MIXED) && !defined(CHECK_FORK_PTHREAD) && \
187 !defined (CHECK_FORK_GETPID)
189 /* Choose fork check method automatically unless specified
190 * This section should be updated as more platforms get pthread fixes
191 * to unregister fork handlers in dlclose.
196 /* Solaris 8, s9 use PID checks, s10 uses pthread_atfork */
198 #define CHECK_FORK_MIXED
202 #define CHECK_FORK_PTHREAD
206 /* Other Unix platforms use only PID checks. Even if pthread_atfork is
207 * available, the behavior of dlclose isn't guaranteed by POSIX to
208 * unregister the fork handler. */
210 #define CHECK_FORK_GETPID
/*
 * PARENT_FORKED() evaluates to non-zero when the current process is judged
 * to be a forked child:
 *   - CHECK_FORK_MIXED:   the forked flag when usePthread_atfork is set,
 *                         otherwise the PID comparison;
 *   - CHECK_FORK_PTHREAD: the forked flag;
 *   - CHECK_FORK_GETPID:  myPid is non-zero and differs from getpid().
 * The PID comparison is skipped while myPid is 0.
 * NOTE(review): the declaration of myPid is on lines missing from this
 * listing.
 * NOTE(review): a getpid() comparison detects a fork only while the
 * recorded PID differs from the current one; PID reuse after the original
 * process has exited would presumably go unnoticed -- confirm whether that
 * case matters here.
 */
216 #if defined(CHECK_FORK_MIXED)
218 extern PRBool usePthread_atfork;
221 extern PRBool forked;
223 #define PARENT_FORKED() (usePthread_atfork ? forked : (myPid && myPid != getpid()))
225 #elif defined(CHECK_FORK_PTHREAD)
227 extern PRBool forked;
229 #define PARENT_FORKED() forked
231 #elif defined(CHECK_FORK_GETPID)
236 #define PARENT_FORKED() (myPid && myPid != getpid())
/*
 * Fork-check macros (several lines of each macro are missing from this
 * listing).
 *
 * CHECK_FORK(): when sftkForkCheckDisabled is false and PARENT_FORKED() is
 * true, the macro executes `return CKR_DEVICE_ERROR;`. Because it contains
 * a return statement, it is only usable inside functions that return a
 * CK_RV-compatible value.
 *
 * SKIP_AFTER_FORK(x): expands to an unbraced `if` that runs x only when
 * parentForkedAfterC_Initialize is false. Being unbraced, it should not be
 * followed directly by an `else` at the call site.
 *
 * ENABLE_FORK_CHECK(): reads NSS_STRICT_NOFORK and sets
 * sftkForkCheckDisabled to PR_TRUE when the value is exactly "DISABLED".
 * NOTE(review): this lets the process environment switch off the fork
 * check that CHECK_FORK() enforces; deployments that must keep the check
 * should control that variable in the launching environment -- confirm the
 * intended policy.
 */
240 extern PRBool parentForkedAfterC_Initialize;
241 extern PRBool sftkForkCheckDisabled;
243 #define CHECK_FORK() \
245 if (!sftkForkCheckDisabled && PARENT_FORKED()) { \
247 return CKR_DEVICE_ERROR; \
251 #define SKIP_AFTER_FORK(x) if (!parentForkedAfterC_Initialize) x
253 #define ENABLE_FORK_CHECK() \
255 char* doForkCheck = getenv("NSS_STRICT_NOFORK"); \
256 if ( doForkCheck && !strcmp(doForkCheck, "DISABLED") ) { \
257 sftkForkCheckDisabled = PR_TRUE; \
264 /* non-Unix platforms, or fork check disabled */
/*
 * In this branch the fork-check macros compile away: SKIP_AFTER_FORK(x)
 * expands to x unconditionally and ENABLE_FORK_CHECK() expands to nothing.
 * NO_FORK_CHECK is then defined if it was not already.
 * NOTE(review): the CHECK_FORK() definition for this branch is on a line
 * missing from this listing; presumably it is empty as well, which means
 * no fork detection is performed on these builds -- confirm.
 */
267 #define SKIP_AFTER_FORK(x) x
268 #define ENABLE_FORK_CHECK()
270 #ifndef NO_FORK_CHECK
271 #define NO_FORK_CHECK
279 #endif /* _SOFTOKEN_H_ */