gecko-dev/security/nss/lib/ckfw/nssckmdt.h
2008-06-06 08:40:11 -04:00

1982 lines
61 KiB
C

/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is the Netscape security libraries.
*
* The Initial Developer of the Original Code is
* Netscape Communications Corporation.
* Portions created by the Initial Developer are Copyright (C) 1994-2000
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#ifndef NSSCKMDT_H
#define NSSCKMDT_H
#ifdef DEBUG
static const char NSSCKMDT_CVS_ID[] = "@(#) $RCSfile: nssckmdt.h,v $ $Revision: 1.6 $ $Date: 2005/12/16 00:48:01 $";
#endif /* DEBUG */
/*
* nssckmdt.h
*
* This file specifies the basic types that must be implemented by
* any Module using the NSS Cryptoki Framework.
*/
#ifndef NSSBASET_H
#include "nssbaset.h"
#endif /* NSSBASET_H */
#ifndef NSSCKT_H
#include "nssckt.h"
#endif /* NSSCKT_H */
#ifndef NSSCKFWT_H
#include "nssckfwt.h"
#endif /* NSSCKFWT_H */
typedef struct NSSCKMDInstanceStr NSSCKMDInstance;
typedef struct NSSCKMDSlotStr NSSCKMDSlot;
typedef struct NSSCKMDTokenStr NSSCKMDToken;
typedef struct NSSCKMDSessionStr NSSCKMDSession;
typedef struct NSSCKMDCryptoOperationStr NSSCKMDCryptoOperation;
typedef struct NSSCKMDFindObjectsStr NSSCKMDFindObjects;
typedef struct NSSCKMDMechanismStr NSSCKMDMechanism;
typedef struct NSSCKMDObjectStr NSSCKMDObject;
/*
* NSSCKFWItem
*
* This is a structure used by modules to return object attributes.
* The needsFreeing bit indicates whether the object needs to be freed.
* If so, the framework will call the FreeAttribute function on the item
* after it is done using it.
*
*/
typedef struct {
PRBool needsFreeing;
NSSItem* item;
} NSSCKFWItem ;
/*
* NSSCKMDInstance
*
* This is the basic handle for an instance of a PKCS#11 Module.
* It is returned by the Module's CreateInstance routine, and
* may be obtained from the corresponding NSSCKFWInstance object.
* It contains a pointer for use by the Module, to store any
* instance-related data, and it contains the EPV for a set of
* routines which the Module may implement for use by the Framework.
* Some of these routines are optional; others are mandatory.
*/
struct NSSCKMDInstanceStr {
/*
* The Module may use this pointer for its own purposes.
*/
void *etc;
/*
* This routine is called by the Framework to initialize
* the Module. This routine is optional; if unimplemented,
* it won't be called. If this routine returns an error,
* then the initialization will fail.
*/
CK_RV (PR_CALLBACK *Initialize)(
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSUTF8 *configurationData
);
/*
* This routine is called when the Framework is finalizing
* the PKCS#11 Module. It is the last thing called before
* the NSSCKFWInstance's NSSArena is destroyed. This routine
* is optional; if unimplemented, it merely won't be called.
*/
void (PR_CALLBACK *Finalize)(
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine gets the number of slots. This value must
* never change, once the instance is initialized. This
* routine must be implemented. It may return zero on error.
*/
CK_ULONG (PR_CALLBACK *GetNSlots)(
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError
);
/*
* This routine returns the version of the Cryptoki standard
* to which this Module conforms. This routine is optional;
* if unimplemented, the Framework uses the version to which
* ~it~ was implemented.
*/
CK_VERSION (PR_CALLBACK *GetCryptokiVersion)(
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns a pointer to a UTF8-encoded string
* containing the manufacturer ID for this Module. Only
* the characters completely encoded in the first thirty-
* two bytes are significant. This routine is optional.
* The string returned is never freed; if dynamically generated,
* the space for it should be allocated from the NSSArena
* that may be obtained from the NSSCKFWInstance. This
* routine may return NULL upon error; however if *pError
* is CKR_OK, the NULL will be considered the valid response.
*/
NSSUTF8 *(PR_CALLBACK *GetManufacturerID)(
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError
);
/*
* This routine returns a pointer to a UTF8-encoded string
* containing a description of this Module library. Only
* the characters completely encoded in the first thirty-
* two bytes are significant. This routine is optional.
* The string returned is never freed; if dynamically generated,
* the space for it should be allocated from the NSSArena
* that may be obtained from the NSSCKFWInstance. This
* routine may return NULL upon error; however if *pError
* is CKR_OK, the NULL will be considered the valid response.
*/
NSSUTF8 *(PR_CALLBACK *GetLibraryDescription)(
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError
);
/*
* This routine returns the version of this Module library.
* This routine is optional; if unimplemented, the Framework
* will assume a Module library version of 0.1.
*/
CK_VERSION (PR_CALLBACK *GetLibraryVersion)(
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns CK_TRUE if the Module wishes to
* handle session objects. This routine is optional.
* If this routine is NULL, or if it exists but returns
* CK_FALSE, the Framework will assume responsibility
* for managing session objects.
*/
CK_BBOOL (PR_CALLBACK *ModuleHandlesSessionObjects)(
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine stuffs pointers to NSSCKMDSlot objects into
* the specified array; one for each slot supported by this
* instance. The Framework will determine the size needed
* for the array by calling GetNSlots. This routine is
* required.
*/
CK_RV (PR_CALLBACK *GetSlots)(
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSCKMDSlot *slots[]
);
/*
* This call returns a pointer to the slot in which an event
* has occurred. If the block argument is CK_TRUE, the call
* should block until a slot event occurs; if CK_FALSE, it
* should check to see if an event has occurred, occurred,
* but return NULL (and set *pError to CK_NO_EVENT) if one
* hasn't. This routine is optional; if unimplemented, the
* Framework will assume that no event has happened. This
* routine may return NULL upon error.
*/
NSSCKMDSlot *(PR_CALLBACK *WaitForSlotEvent)(
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_BBOOL block,
CK_RV *pError
);
/*
* This object may be extended in future versions of the
* NSS Cryptoki Framework. To allow for some flexibility
* in the area of binary compatibility, this field should
* be NULL.
*/
void *null;
};
/*
* NSSCKMDSlot
*
* This is the basic handle for a PKCS#11 Module Slot. It is
* created by the NSSCKMDInstance->GetSlots call, and may be
* obtained from the Framework's corresponding NSSCKFWSlot
* object. It contains a pointer for use by the Module, to
* store any slot-related data, and it contains the EPV for
* a set of routines which the Module may implement for use
* by the Framework. Some of these routines are optional.
*/
struct NSSCKMDSlotStr {
/*
* The Module may use this pointer for its own purposes.
*/
void *etc;
/*
* This routine is called during the Framework initialization
* step, after the Framework Instance has obtained the list
* of slots (by calling NSSCKMDInstance->GetSlots). Any slot-
* specific initialization can be done here. This routine is
* optional; if unimplemented, it won't be called. Note that
* if this routine returns an error, the entire Framework
* initialization for this Module will fail.
*/
CK_RV (PR_CALLBACK *Initialize)(
NSSCKMDSlot *mdSlot,
NSSCKFWSlot *fwSlot,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine is called when the Framework is finalizing
* the PKCS#11 Module. This call (for each of the slots)
* is the last thing called before NSSCKMDInstance->Finalize.
* This routine is optional; if unimplemented, it merely
* won't be called. Note: In the rare circumstance that
* the Framework initialization cannot complete (due to,
* for example, memory limitations), this can be called with
* a NULL value for fwSlot.
*/
void (PR_CALLBACK *Destroy)(
NSSCKMDSlot *mdSlot,
NSSCKFWSlot *fwSlot,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns a pointer to a UTF8-encoded string
* containing a description of this slot. Only the characters
* completely encoded in the first sixty-four bytes are
* significant. This routine is optional. The string
* returned is never freed; if dynamically generated,
* the space for it should be allocated from the NSSArena
* that may be obtained from the NSSCKFWInstance. This
* routine may return NULL upon error; however if *pError
* is CKR_OK, the NULL will be considered the valid response.
*/
NSSUTF8 *(PR_CALLBACK *GetSlotDescription)(
NSSCKMDSlot *mdSlot,
NSSCKFWSlot *fwSlot,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError
);
/*
* This routine returns a pointer to a UTF8-encoded string
* containing a description of the manufacturer of this slot.
* Only the characters completely encoded in the first thirty-
* two bytes are significant. This routine is optional.
* The string returned is never freed; if dynamically generated,
* the space for it should be allocated from the NSSArena
* that may be obtained from the NSSCKFWInstance. This
* routine may return NULL upon error; however if *pError
* is CKR_OK, the NULL will be considered the valid response.
*/
NSSUTF8 *(PR_CALLBACK *GetManufacturerID)(
NSSCKMDSlot *mdSlot,
NSSCKFWSlot *fwSlot,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError
);
/*
* This routine returns CK_TRUE if a token is present in this
* slot. This routine is optional; if unimplemented, CK_TRUE
* is assumed.
*/
CK_BBOOL (PR_CALLBACK *GetTokenPresent)(
NSSCKMDSlot *mdSlot,
NSSCKFWSlot *fwSlot,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns CK_TRUE if the slot supports removable
* tokens. This routine is optional; if unimplemented, CK_FALSE
* is assumed.
*/
CK_BBOOL (PR_CALLBACK *GetRemovableDevice)(
NSSCKMDSlot *mdSlot,
NSSCKFWSlot *fwSlot,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns CK_TRUE if this slot is a hardware
* device, or CK_FALSE if this slot is a software device. This
* routine is optional; if unimplemented, CK_FALSE is assumed.
*/
CK_BBOOL (PR_CALLBACK *GetHardwareSlot)(
NSSCKMDSlot *mdSlot,
NSSCKFWSlot *fwSlot,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns the version of this slot's hardware.
* This routine is optional; if unimplemented, the Framework
* will assume a hardware version of 0.1.
*/
CK_VERSION (PR_CALLBACK *GetHardwareVersion)(
NSSCKMDSlot *mdSlot,
NSSCKFWSlot *fwSlot,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns the version of this slot's firmware.
* This routine is optional; if unimplemented, the Framework
* will assume a hardware version of 0.1.
*/
CK_VERSION (PR_CALLBACK *GetFirmwareVersion)(
NSSCKMDSlot *mdSlot,
NSSCKFWSlot *fwSlot,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine should return a pointer to an NSSCKMDToken
* object corresponding to the token in the specified slot.
* The NSSCKFWToken object passed in has an NSSArena
* available which is dedicated for this token. This routine
* must be implemented. This routine may return NULL upon
* error.
*/
NSSCKMDToken *(PR_CALLBACK *GetToken)(
NSSCKMDSlot *mdSlot,
NSSCKFWSlot *fwSlot,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError
);
/*
* This object may be extended in future versions of the
* NSS Cryptoki Framework. To allow for some flexibility
* in the area of binary compatibility, this field should
* be NULL.
*/
void *null;
};
/*
* NSSCKMDToken
*
* This is the basic handle for a PKCS#11 Token. It is created by
* the NSSCKMDSlot->GetToken call, and may be obtained from the
* Framework's corresponding NSSCKFWToken object. It contains a
* pointer for use by the Module, to store any token-related
* data, and it contains the EPV for a set of routines which the
* Module may implement for use by the Framework. Some of these
* routines are optional.
*/
struct NSSCKMDTokenStr {
/*
* The Module may use this pointer for its own purposes.
*/
void *etc;
/*
* This routine is used to prepare a Module token object for
* use. It is called after the NSSCKMDToken object is obtained
* from NSSCKMDSlot->GetToken. It is named "Setup" here because
* Cryptoki already defines "InitToken" to do the process of
* wiping out any existing state on a token and preparing it for
* a new use. This routine is optional; if unimplemented, it
* merely won't be called.
*/
CK_RV (PR_CALLBACK *Setup)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine is called by the Framework whenever it notices
* that the token object is invalid. (Typically this is when a
* routine indicates an error such as CKR_DEVICE_REMOVED). This
* call is the last thing called before the NSSArena in the
* corresponding NSSCKFWToken is destroyed. This routine is
* optional; if unimplemented, it merely won't be called.
*/
void (PR_CALLBACK *Invalidate)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine initialises the token in the specified slot.
* This routine is optional; if unimplemented, the Framework
* will fail this operation with an error of CKR_DEVICE_ERROR.
*/
CK_RV (PR_CALLBACK *InitToken)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSItem *pin,
NSSUTF8 *label
);
/*
* This routine returns a pointer to a UTF8-encoded string
* containing this token's label. Only the characters
* completely encoded in the first thirty-two bytes are
* significant. This routine is optional. The string
* returned is never freed; if dynamically generated,
* the space for it should be allocated from the NSSArena
* that may be obtained from the NSSCKFWInstance. This
* routine may return NULL upon error; however if *pError
* is CKR_OK, the NULL will be considered the valid response.
*/
NSSUTF8 *(PR_CALLBACK *GetLabel)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError
);
/*
* This routine returns a pointer to a UTF8-encoded string
* containing this token's manufacturer ID. Only the characters
* completely encoded in the first thirty-two bytes are
* significant. This routine is optional. The string
* returned is never freed; if dynamically generated,
* the space for it should be allocated from the NSSArena
* that may be obtained from the NSSCKFWInstance. This
* routine may return NULL upon error; however if *pError
* is CKR_OK, the NULL will be considered the valid response.
*/
NSSUTF8 *(PR_CALLBACK *GetManufacturerID)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError
);
/*
* This routine returns a pointer to a UTF8-encoded string
* containing this token's model name. Only the characters
* completely encoded in the first thirty-two bytes are
* significant. This routine is optional. The string
* returned is never freed; if dynamically generated,
* the space for it should be allocated from the NSSArena
* that may be obtained from the NSSCKFWInstance. This
* routine may return NULL upon error; however if *pError
* is CKR_OK, the NULL will be considered the valid response.
*/
NSSUTF8 *(PR_CALLBACK *GetModel)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError
);
/*
* This routine returns a pointer to a UTF8-encoded string
* containing this token's serial number. Only the characters
* completely encoded in the first thirty-two bytes are
* significant. This routine is optional. The string
* returned is never freed; if dynamically generated,
* the space for it should be allocated from the NSSArena
* that may be obtained from the NSSCKFWInstance. This
* routine may return NULL upon error; however if *pError
* is CKR_OK, the NULL will be considered the valid response.
*/
NSSUTF8 *(PR_CALLBACK *GetSerialNumber)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError
);
/*
* This routine returns CK_TRUE if the token has its own
* random number generator. This routine is optional; if
* unimplemented, CK_FALSE is assumed.
*/
CK_BBOOL (PR_CALLBACK *GetHasRNG)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns CK_TRUE if this token is write-protected.
* This routine is optional; if unimplemented, CK_FALSE is
* assumed.
*/
CK_BBOOL (PR_CALLBACK *GetIsWriteProtected)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns CK_TRUE if this token requires a login.
* This routine is optional; if unimplemented, CK_FALSE is
* assumed.
*/
CK_BBOOL (PR_CALLBACK *GetLoginRequired)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns CK_TRUE if the normal user's PIN on this
* token has been initialised. This routine is optional; if
* unimplemented, CK_FALSE is assumed.
*/
CK_BBOOL (PR_CALLBACK *GetUserPinInitialized)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns CK_TRUE if a successful save of a
* session's cryptographic operations state ~always~ contains
* all keys needed to restore the state of the session. This
* routine is optional; if unimplemented, CK_FALSE is assumed.
*/
CK_BBOOL (PR_CALLBACK *GetRestoreKeyNotNeeded)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns CK_TRUE if the token has its own
* hardware clock. This routine is optional; if unimplemented,
* CK_FALSE is assumed.
*/
CK_BBOOL (PR_CALLBACK *GetHasClockOnToken)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns CK_TRUE if the token has a protected
* authentication path. This routine is optional; if
* unimplemented, CK_FALSE is assumed.
*/
CK_BBOOL (PR_CALLBACK *GetHasProtectedAuthenticationPath)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns CK_TRUE if the token supports dual
* cryptographic operations within a single session. This
* routine is optional; if unimplemented, CK_FALSE is assumed.
*/
CK_BBOOL (PR_CALLBACK *GetSupportsDualCryptoOperations)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* XXX fgmr-- should we have a call to return all the flags
* at once, for folks who already know about Cryptoki?
*/
/*
* This routine returns the maximum number of sessions that
* may be opened on this token. This routine is optional;
* if unimplemented, the special value CK_UNAVAILABLE_INFORMATION
* is assumed. XXX fgmr-- or CK_EFFECTIVELY_INFINITE?
*/
CK_ULONG (PR_CALLBACK *GetMaxSessionCount)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns the maximum number of read/write
* sesisons that may be opened on this token. This routine
* is optional; if unimplemented, the special value
* CK_UNAVAILABLE_INFORMATION is assumed. XXX fgmr-- or
* CK_EFFECTIVELY_INFINITE?
*/
CK_ULONG (PR_CALLBACK *GetMaxRwSessionCount)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns the maximum PIN code length that is
* supported on this token. This routine is optional;
* if unimplemented, the special value CK_UNAVAILABLE_INFORMATION
* is assumed.
*/
CK_ULONG (PR_CALLBACK *GetMaxPinLen)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns the minimum PIN code length that is
* supported on this token. This routine is optional; if
* unimplemented, the special value CK_UNAVAILABLE_INFORMATION
* is assumed. XXX fgmr-- or 0?
*/
CK_ULONG (PR_CALLBACK *GetMinPinLen)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns the total amount of memory on the token
* in which public objects may be stored. This routine is
* optional; if unimplemented, the special value
* CK_UNAVAILABLE_INFORMATION is assumed.
*/
CK_ULONG (PR_CALLBACK *GetTotalPublicMemory)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns the amount of unused memory on the
* token in which public objects may be stored. This routine
* is optional; if unimplemented, the special value
* CK_UNAVAILABLE_INFORMATION is assumed.
*/
CK_ULONG (PR_CALLBACK *GetFreePublicMemory)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns the total amount of memory on the token
* in which private objects may be stored. This routine is
* optional; if unimplemented, the special value
* CK_UNAVAILABLE_INFORMATION is assumed.
*/
CK_ULONG (PR_CALLBACK *GetTotalPrivateMemory)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns the amount of unused memory on the
* token in which private objects may be stored. This routine
* is optional; if unimplemented, the special value
* CK_UNAVAILABLE_INFORMATION is assumed.
*/
CK_ULONG (PR_CALLBACK *GetFreePrivateMemory)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns the version number of this token's
* hardware. This routine is optional; if unimplemented,
* the value 0.1 is assumed.
*/
CK_VERSION (PR_CALLBACK *GetHardwareVersion)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns the version number of this token's
* firmware. This routine is optional; if unimplemented,
* the value 0.1 is assumed.
*/
CK_VERSION (PR_CALLBACK *GetFirmwareVersion)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine stuffs the current UTC time, as obtained from
* the token, into the sixteen-byte buffer in the form
* YYYYMMDDhhmmss00. This routine need only be implemented
* by token which indicate that they have a real-time clock.
* XXX fgmr-- think about time formats.
*/
CK_RV (PR_CALLBACK *GetUTCTime)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_CHAR utcTime[16]
);
/*
* This routine creates a session on the token, and returns
* the corresponding NSSCKMDSession object. The value of
* rw will be CK_TRUE if the session is to be a read/write
* session, or CK_FALSE otherwise. An NSSArena dedicated to
* the new session is available from the specified NSSCKFWSession.
* This routine may return NULL upon error.
*/
NSSCKMDSession *(PR_CALLBACK *OpenSession)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSCKFWSession *fwSession,
CK_BBOOL rw,
CK_RV *pError
);
/*
* This routine returns the number of PKCS#11 Mechanisms
* supported by this token. This routine is optional; if
* unimplemented, zero is assumed.
*/
CK_ULONG (PR_CALLBACK *GetMechanismCount)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine stuffs into the specified array the types
* of the mechanisms supported by this token. The Framework
* determines the size of the array by calling GetMechanismCount.
*/
CK_RV (PR_CALLBACK *GetMechanismTypes)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_MECHANISM_TYPE types[]
);
/*
* This routine returns a pointer to a Module mechanism
* object corresponding to a specified type. This routine
* need only exist for tokens implementing at least one
* mechanism.
*/
NSSCKMDMechanism *(PR_CALLBACK *GetMechanism)(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_MECHANISM_TYPE which,
CK_RV *pError
);
/*
* This object may be extended in future versions of the
* NSS Cryptoki Framework. To allow for some flexibility
* in the area of binary compatibility, this field should
* be NULL.
*/
void *null;
};
/*
* NSSCKMDSession
*
* This is the basic handle for a session on a PKCS#11 Token. It
* is created by NSSCKMDToken->OpenSession, and may be obtained
* from the Framework's corresponding NSSCKFWSession object. It
* contains a pointer for use by the Module, to store any session-
* realted data, and it contains the EPV for a set of routines
* which the Module may implement for use by the Framework. Some
* of these routines are optional.
*/
struct NSSCKMDSessionStr {
/*
* The Module may use this pointer for its own purposes.
*/
void *etc;
/*
* This routine is called by the Framework when a session is
* closed. This call is the last thing called before the
* NSSArena in the correspoinding NSSCKFWSession is destroyed.
* This routine is optional; if unimplemented, it merely won't
* be called.
*/
void (PR_CALLBACK *Close)(
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine is used to get any device-specific error.
* This routine is optional.
*/
CK_ULONG (PR_CALLBACK *GetDeviceError)(
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine is used to log in a user to the token. This
* routine is optional, since the Framework's NSSCKFWSession
* object keeps track of the login state.
*/
CK_RV (PR_CALLBACK *Login)(
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_USER_TYPE userType,
NSSItem *pin,
CK_STATE oldState,
CK_STATE newState
);
/*
* This routine is used to log out a user from the token. This
* routine is optional, since the Framework's NSSCKFWSession
* object keeps track of the login state.
*/
CK_RV (PR_CALLBACK *Logout)(
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_STATE oldState,
CK_STATE newState
);
/*
* This routine is used to initialize the normal user's PIN or
* password. This will only be called in the "read/write
* security officer functions" state. If this token has a
* protected authentication path, then the pin argument will
* be NULL. This routine is optional; if unimplemented, the
* Framework will return the error CKR_TOKEN_WRITE_PROTECTED.
*/
CK_RV (PR_CALLBACK *InitPIN)(
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSItem *pin
);
/*
* This routine is used to modify a user's PIN or password. This
* routine will only be called in the "read/write security officer
* functions" or "read/write user functions" state. If this token
* has a protected authentication path, then the pin arguments
* will be NULL. This routine is optional; if unimplemented, the
* Framework will return the error CKR_TOKEN_WRITE_PROTECTED.
*/
CK_RV (PR_CALLBACK *SetPIN)(
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSItem *oldPin,
NSSItem *newPin
);
/*
* This routine is used to find out how much space would be required
* to save the current operational state. This routine is optional;
* if unimplemented, the Framework will reject any attempts to save
* the operational state with the error CKR_STATE_UNSAVEABLE. This
* routine may return zero on error.
*/
CK_ULONG (PR_CALLBACK *GetOperationStateLen)(
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError
);
/*
* This routine is used to store the current operational state. This
* routine is only required if GetOperationStateLen is implemented
* and can return a nonzero value. The buffer in the specified item
* will be pre-allocated, and the length will specify the amount of
* space available (which may be more than GetOperationStateLen
* asked for, but which will not be smaller).
*/
CK_RV (PR_CALLBACK *GetOperationState)(
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSItem *buffer
);
/*
* This routine is used to restore an operational state previously
* obtained with GetOperationState. The Framework will take pains
* to be sure that the state is (or was at one point) valid; if the
* Module notices that the state is invalid, it should return an
* error, but it is not required to be paranoid about the issue.
* [XXX fgmr-- should (can?) the framework verify the keys match up?]
* This routine is required only if GetOperationState is implemented.
*/
CK_RV (PR_CALLBACK *SetOperationState)(
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSItem *state,
NSSCKMDObject *mdEncryptionKey,
NSSCKFWObject *fwEncryptionKey,
NSSCKMDObject *mdAuthenticationKey,
NSSCKFWObject *fwAuthenticationKey
);
/*
* This routine is used to create an object. The specified template
* will only specify a session object if the Module has indicated
* that it wishes to handle its own session objects. This routine
* is optional; if unimplemented, the Framework will reject the
* operation with the error CKR_TOKEN_WRITE_PROTECTED. Space for
* token objects should come from the NSSArena available from the
* NSSCKFWToken object; space for session objects (if supported)
* should come from the NSSArena available from the NSSCKFWSession
* object. The appropriate NSSArena pointer will, as a convenience,
* be passed as the handyArenaPointer argument. This routine may
* return NULL upon error.
*/
NSSCKMDObject *(PR_CALLBACK *CreateObject)(
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSArena *handyArenaPointer,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
CK_RV *pError
);
/*
* This routine is used to make a copy of an object. It is entirely
* optional; if unimplemented, the Framework will try to use
* CreateObject instead. If the Module has indicated that it does
* not wish to handle session objects, then this routine will only
* be called to copy a token object to another token object.
* Otherwise, either the original object or the new may be of
* either the token or session variety. As with CreateObject, the
* handyArenaPointer will point to the appropriate arena for the
* new object. This routine may return NULL upon error.
*/
NSSCKMDObject *(PR_CALLBACK *CopyObject)(
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSCKMDObject *mdOldObject,
NSSCKFWObject *fwOldObject,
NSSArena *handyArenaPointer,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
CK_RV *pError
);
/*
* This routine is used to begin an object search. This routine may
* be unimplemented only if the Module does not handle session
* objects, and if none of its tokens have token objects. The
* NSSCKFWFindObjects pointer has an NSSArena that may be used for
* storage for the life of this "find" operation. This routine may
* return NULL upon error. If the Module can determine immediately
* that the search will not find any matching objects, it may return
* NULL, and specify CKR_OK as the error.
*/
NSSCKMDFindObjects *(PR_CALLBACK *FindObjectsInit)(
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
CK_RV *pError
);
/*
* This routine seeds the random-number generator. It is
* optional, even if GetRandom is implemented. If unimplemented,
* the Framework will issue the error CKR_RANDOM_SEED_NOT_SUPPORTED.
*/
CK_RV (PR_CALLBACK *SeedRandom)(
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSItem *seed
);
/*
* This routine gets random data. It is optional. If unimplemented,
* the Framework will issue the error CKR_RANDOM_NO_RNG.
*/
CK_RV (PR_CALLBACK *GetRandom)(
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSItem *buffer
);
/*
* This object may be extended in future versions of the
* NSS Cryptoki Framework. To allow for some flexibility
* in the area of binary compatibility, this field should
* be NULL.
*/
void *null;
};
/*
* NSSCKMDFindObjects
*
* This is the basic handle for an object search. It is
* created by NSSCKMDSession->FindObjectsInit, and may be
* obtained from the Framework's corresponding object.
* It contains a pointer for use by the Module, to store
* any search-related data, and it contains the EPV for a
* set of routines which the Module may implement for use
* by the Framework. Some of these routines are optional.
*/
struct NSSCKMDFindObjectsStr {
/*
* The Module may use this pointer for its own purposes.
*/
void *etc;
/*
* This routine is called by the Framework to finish a
* search operation. Note that the Framework may finish
* a search before it has completed. This routine is
* optional; if unimplemented, it merely won't be called.
*/
void (PR_CALLBACK *Final)(
NSSCKMDFindObjects *mdFindObjects,
NSSCKFWFindObjects *fwFindObjects,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine is used to obtain another pointer to an
* object matching the search criteria. This routine is
* required. If no (more) objects match the search, it
* should return NULL and set the error to CKR_OK.
*/
NSSCKMDObject *(PR_CALLBACK *Next)(
NSSCKMDFindObjects *mdFindObjects,
NSSCKFWFindObjects *fwFindObjects,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSArena *arena,
CK_RV *pError
);
/*
* This object may be extended in future versions of the
* NSS Cryptoki Framework. To allow for some flexibility
* in the area of binary compatibility, this field should
* be NULL.
*/
void *null;
};
/*
* NSSCKMDCryptoOperaion
*
* This is the basic handle for an encryption, decryption,
* sign, verify, or hash opertion.
* created by NSSCKMDMechanism->XXXXInit, and may be
* obtained from the Framework's corresponding object.
* It contains a pointer for use by the Module, to store
* any intermediate data, and it contains the EPV for a
* set of routines which the Module may implement for use
* by the Framework. Some of these routines are optional.
*/
struct NSSCKMDCryptoOperationStr {
/*
* The Module may use this pointer for its own purposes.
*/
void *etc;
/*
* This routine is called by the Framework clean up the mdCryptoOperation
* structure.
* This routine is optional; if unimplemented, it will be ignored.
*/
void (PR_CALLBACK *Destroy)(
NSSCKMDCryptoOperation *mdCryptoOperation,
NSSCKFWCryptoOperation *fwCryptoOperation,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* how many bytes do we need to finish this buffer?
* must be implemented if Final is implemented.
*/
CK_ULONG (PR_CALLBACK *GetFinalLength)(
NSSCKMDCryptoOperation *mdCryptoOperation,
NSSCKFWCryptoOperation *fwCryptoOperation,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError
);
/*
* how many bytes do we need to complete the next operation.
* used in both Update and UpdateFinal.
*/
CK_ULONG (PR_CALLBACK *GetOperationLength)(
NSSCKMDCryptoOperation *mdCryptoOperation,
NSSCKFWCryptoOperation *fwCryptoOperation,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
const NSSItem *inputBuffer,
CK_RV *pError
);
/*
* This routine is called by the Framework to finish a
* search operation. Note that the Framework may finish
* a search before it has completed. This routine is
* optional; if unimplemented, it merely won't be called.
* The respective final call with fail with CKR_FUNCTION_FAILED
* Final should not free the mdCryptoOperation.
*/
CK_RV(PR_CALLBACK *Final)(
NSSCKMDCryptoOperation *mdCryptoOperation,
NSSCKFWCryptoOperation *fwCryptoOperation,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSItem *outputBuffer
);
/*
* This routine is called by the Framework to complete the
* next step in an encryption/decryption operation.
* This routine is optional; if unimplemented, the respective
* update call with fail with CKR_FUNCTION_FAILED.
* Update should not be implemented for signing/verification/digest
* mechanisms.
*/
CK_RV(PR_CALLBACK *Update)(
NSSCKMDCryptoOperation *mdCryptoOperation,
NSSCKFWCryptoOperation *fwCryptoOperation,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
const NSSItem *inputBuffer,
NSSItem *outputBuffer
);
/*
* This routine is called by the Framework to complete the
* next step in a signing/verification/digest operation.
* This routine is optional; if unimplemented, the respective
* update call with fail with CKR_FUNCTION_FAILED
* Update should not be implemented for encryption/decryption
* mechanisms.
*/
CK_RV(PR_CALLBACK *DigestUpdate)(
NSSCKMDCryptoOperation *mdCryptoOperation,
NSSCKFWCryptoOperation *fwCryptoOperation,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
const NSSItem *inputBuffer
);
/*
* This routine is called by the Framework to complete a
* single step operation. This routine is optional; if unimplemented,
* the framework will use the Update and Final functions to complete
* the operation.
*/
CK_RV(PR_CALLBACK *UpdateFinal)(
NSSCKMDCryptoOperation *mdCryptoOperation,
NSSCKFWCryptoOperation *fwCryptoOperation,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
const NSSItem *inputBuffer,
NSSItem *outputBuffer
);
/*
* This routine is called by the Framework to complete next
* step in a combined operation. The Decrypt/Encrypt mechanism
* should define and drive the combo step.
* This routine is optional; if unimplemented,
* the framework will use the appropriate Update functions to complete
* the operation.
*/
CK_RV(PR_CALLBACK *UpdateCombo)(
NSSCKMDCryptoOperation *mdCryptoOperation,
NSSCKFWCryptoOperation *fwCryptoOperation,
NSSCKMDCryptoOperation *mdPeerCryptoOperation,
NSSCKFWCryptoOperation *fwPeerCryptoOperation,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
const NSSItem *inputBuffer,
NSSItem *outputBuffer
);
/*
* Hash a key directly into the digest
*/
CK_RV(PR_CALLBACK *DigestKey)(
NSSCKMDCryptoOperation *mdCryptoOperation,
NSSCKFWCryptoOperation *fwCryptoOperation,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSCKMDObject *mdKey,
NSSCKFWObject *fwKey
);
/*
* This object may be extended in future versions of the
* NSS Cryptoki Framework. To allow for some flexibility
* in the area of binary compatibility, this field should
* be NULL.
*/
void *null;
};
/*
* NSSCKMDMechanism
*
*/
struct NSSCKMDMechanismStr {
/*
* The Module may use this pointer for its own purposes.
*/
void *etc;
/*
* This also frees the fwMechanism if appropriate.
* If it is not supplied, the Framework will assume that the Token
* Manages a static list of mechanisms and the function will not be called.
*/
void (PR_CALLBACK *Destroy)(
NSSCKMDMechanism *mdMechanism,
NSSCKFWMechanism *fwMechanism,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns the minimum key size allowed for
* this mechanism. This routine is optional; if unimplemented,
* zero will be assumed. This routine may return zero on
* error; if the error is CKR_OK, zero will be accepted as
* a valid response.
*/
CK_ULONG (PR_CALLBACK *GetMinKeySize)(
NSSCKMDMechanism *mdMechanism,
NSSCKFWMechanism *fwMechanism,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError
);
/*
* This routine returns the maximum key size allowed for
* this mechanism. This routine is optional; if unimplemented,
* zero will be assumed. This routine may return zero on
* error; if the error is CKR_OK, zero will be accepted as
* a valid response.
*/
CK_ULONG (PR_CALLBACK *GetMaxKeySize)(
NSSCKMDMechanism *mdMechanism,
NSSCKFWMechanism *fwMechanism,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError
);
/*
* This routine is called to determine if the mechanism is
* implemented in hardware or software. It returns CK_TRUE
* if it is done in hardware.
*/
CK_BBOOL (PR_CALLBACK *GetInHardware)(
NSSCKMDMechanism *mdMechanism,
NSSCKFWMechanism *fwMechanism,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError
);
/*
* The crypto routines themselves. Most crypto operations may
* be performed in two ways, streaming and single-part. The
* streaming operations involve the use of (typically) three
* calls-- an Init method to set up the operation, an Update
* method to feed data to the operation, and a Final method to
* obtain the final result. Single-part operations involve
* one method, to perform the crypto operation all at once.
*
* The NSS Cryptoki Framework can implement the single-part
* operations in terms of the streaming operations on behalf
* of the Module. There are a few variances.
*
* Only the Init Functions are defined by the mechanism. Each
* init function will return a NSSCKFWCryptoOperation which
* can supply update, final, the single part updateFinal, and
* the combo updateCombo functions.
*
* For simplicity, the routines are listed in summary here:
*
* EncryptInit,
* DecryptInit,
* DigestInit,
* SignInit,
* SignRecoverInit;
* VerifyInit,
* VerifyRecoverInit;
*
* The key-management routines are
*
* GenerateKey
* GenerateKeyPair
* WrapKey
* UnwrapKey
* DeriveKey
*
* All of these routines based on the Cryptoki API;
* see PKCS#11 for further information.
*/
/*
*/
NSSCKMDCryptoOperation * (PR_CALLBACK *EncryptInit)(
NSSCKMDMechanism *mdMechanism,
NSSCKFWMechanism *fwMechanism,
CK_MECHANISM_PTR pMechanism,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSCKMDObject *mdKey,
NSSCKFWObject *fwKey,
CK_RV *pError
);
/*
*/
NSSCKMDCryptoOperation * (PR_CALLBACK *DecryptInit)(
NSSCKMDMechanism *mdMechanism,
NSSCKFWMechanism *fwMechanism,
CK_MECHANISM_PTR pMechanism,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSCKMDObject *mdKey,
NSSCKFWObject *fwKey,
CK_RV *pError
);
/*
*/
NSSCKMDCryptoOperation * (PR_CALLBACK *DigestInit)(
NSSCKMDMechanism *mdMechanism,
NSSCKFWMechanism *fwMechanism,
CK_MECHANISM_PTR pMechanism,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError
);
/*
*/
NSSCKMDCryptoOperation * (PR_CALLBACK *SignInit)(
NSSCKMDMechanism *mdMechanism,
NSSCKFWMechanism *fwMechanism,
CK_MECHANISM_PTR pMechanism,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSCKMDObject *mdKey,
NSSCKFWObject *fwKey,
CK_RV *pError
);
/*
*/
NSSCKMDCryptoOperation * (PR_CALLBACK *VerifyInit)(
NSSCKMDMechanism *mdMechanism,
NSSCKFWMechanism *fwMechanism,
CK_MECHANISM_PTR pMechanism,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSCKMDObject *mdKey,
NSSCKFWObject *fwKey,
CK_RV *pError
);
/*
*/
NSSCKMDCryptoOperation * (PR_CALLBACK *SignRecoverInit)(
NSSCKMDMechanism *mdMechanism,
NSSCKFWMechanism *fwMechanism,
CK_MECHANISM_PTR pMechanism,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSCKMDObject *mdKey,
NSSCKFWObject *fwKey,
CK_RV *pError
);
/*
*/
NSSCKMDCryptoOperation * (PR_CALLBACK *VerifyRecoverInit)(
NSSCKMDMechanism *mdMechanism,
NSSCKFWMechanism *fwMechanism,
CK_MECHANISM_PTR pMechanism,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSCKMDObject *mdKey,
NSSCKFWObject *fwKey,
CK_RV *pError
);
/*
* Key management operations.
*/
/*
* This routine generates a key. This routine may return NULL
* upon error.
*/
NSSCKMDObject *(PR_CALLBACK *GenerateKey)(
NSSCKMDMechanism *mdMechanism,
NSSCKFWMechanism *fwMechanism,
CK_MECHANISM_PTR pMechanism,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
CK_RV *pError
);
/*
* This routine generates a key pair.
*/
CK_RV (PR_CALLBACK *GenerateKeyPair)(
NSSCKMDMechanism *mdMechanism,
NSSCKFWMechanism *fwMechanism,
CK_MECHANISM_PTR pMechanism,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_ATTRIBUTE_PTR pPublicKeyTemplate,
CK_ULONG ulPublicKeyAttributeCount,
CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
CK_ULONG ulPrivateKeyAttributeCount,
NSSCKMDObject **pPublicKey,
NSSCKMDObject **pPrivateKey
);
/*
* This routine wraps a key.
*/
CK_ULONG (PR_CALLBACK *GetWrapKeyLength)(
NSSCKMDMechanism *mdMechanism,
NSSCKFWMechanism *fwMechanism,
CK_MECHANISM_PTR pMechanism,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSCKMDObject *mdWrappingKey,
NSSCKFWObject *fwWrappingKey,
NSSCKMDObject *mdWrappedKey,
NSSCKFWObject *fwWrappedKey,
CK_RV *pError
);
/*
* This routine wraps a key.
*/
CK_RV (PR_CALLBACK *WrapKey)(
NSSCKMDMechanism *mdMechanism,
NSSCKFWMechanism *fwMechanism,
CK_MECHANISM_PTR pMechanism,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSCKMDObject *mdWrappingKey,
NSSCKFWObject *fwWrappingKey,
NSSCKMDObject *mdKeyObject,
NSSCKFWObject *fwKeyObject,
NSSItem *wrappedKey
);
/*
* This routine unwraps a key. This routine may return NULL
* upon error.
*/
NSSCKMDObject *(PR_CALLBACK *UnwrapKey)(
NSSCKMDMechanism *mdMechanism,
NSSCKFWMechanism *fwMechanism,
CK_MECHANISM_PTR pMechanism,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSCKMDObject *mdWrappingKey,
NSSCKFWObject *fwWrappingKey,
NSSItem *wrappedKey,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
CK_RV *pError
);
/*
* This routine derives a key. This routine may return NULL
* upon error.
*/
NSSCKMDObject *(PR_CALLBACK *DeriveKey)(
NSSCKMDMechanism *mdMechanism,
NSSCKFWMechanism *fwMechanism,
CK_MECHANISM_PTR pMechanism,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSCKMDObject *mdBaseKey,
NSSCKFWObject *fwBaseKey,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
CK_RV *pError
);
/*
* This object may be extended in future versions of the
* NSS Cryptoki Framework. To allow for some flexibility
* in the area of binary compatibility, this field should
* be NULL.
*/
void *null;
};
/*
* NSSCKMDObject
*
* This is the basic handle for any object used by a PKCS#11 Module.
* Modules must implement it if they support their own objects, and
* the Framework supports it for Modules that do not handle session
* objects. This type contains a pointer for use by the implementor,
* to store any object-specific data, and it contains an EPV for a
* set of routines used to access the object.
*/
struct NSSCKMDObjectStr {
/*
* The implementation my use this pointer for its own purposes.
*/
void *etc;
/*
* This routine is called by the Framework when it is letting
* go of an object handle. It can be used by the Module to
* free any resources tied up by an object "in use." It is
* optional.
*/
void (PR_CALLBACK *Finalize)(
NSSCKMDObject *mdObject,
NSSCKFWObject *fwObject,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine is used to completely destroy an object.
* It is optional. The parameter fwObject might be NULL
* if the framework runs out of memory at the wrong moment.
*/
CK_RV (PR_CALLBACK *Destroy)(
NSSCKMDObject *mdObject,
NSSCKFWObject *fwObject,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This helper routine is used by the Framework, and is especially
* useful when it is managing session objects on behalf of the
* Module. This routine is optional; if unimplemented, the
* Framework will actually look up the CKA_TOKEN attribute. In the
* event of an error, just make something up-- the Framework will
* find out soon enough anyway.
*/
CK_BBOOL (PR_CALLBACK *IsTokenObject)(
NSSCKMDObject *mdObject,
NSSCKFWObject *fwObject,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance
);
/*
* This routine returns the number of attributes of which this
* object consists. It is mandatory. It can return zero on
* error.
*/
CK_ULONG (PR_CALLBACK *GetAttributeCount)(
NSSCKMDObject *mdObject,
NSSCKFWObject *fwObject,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError
);
/*
* This routine stuffs the attribute types into the provided array.
* The array size (as obtained from GetAttributeCount) is passed in
* as a check; return CKR_BUFFER_TOO_SMALL if the count is wrong
* (either too big or too small).
*/
CK_RV (PR_CALLBACK *GetAttributeTypes)(
NSSCKMDObject *mdObject,
NSSCKFWObject *fwObject,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_ATTRIBUTE_TYPE_PTR typeArray,
CK_ULONG ulCount
);
/*
* This routine returns the size (in bytes) of the specified
* attribute. It can return zero on error.
*/
CK_ULONG (PR_CALLBACK *GetAttributeSize)(
NSSCKMDObject *mdObject,
NSSCKFWObject *fwObject,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_ATTRIBUTE_TYPE attribute,
CK_RV *pError
);
/*
* This routine returns an NSSCKFWItem structure.
* The item pointer points to an NSSItem containing the attribute value.
* The needsFreeing bit tells the framework whether to call the
* FreeAttribute function . Upon error, an NSSCKFWItem structure
* with a NULL NSSItem item pointer will be returned
*/
NSSCKFWItem (PR_CALLBACK *GetAttribute)(
NSSCKMDObject *mdObject,
NSSCKFWObject *fwObject,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_ATTRIBUTE_TYPE attribute,
CK_RV *pError
);
/*
* This routine returns CKR_OK if the attribute could be freed.
*/
CK_RV (PR_CALLBACK *FreeAttribute)(
NSSCKFWItem * item
);
/*
* This routine changes the specified attribute. If unimplemented,
* the object will be considered read-only.
*/
CK_RV (PR_CALLBACK *SetAttribute)(
NSSCKMDObject *mdObject,
NSSCKFWObject *fwObject,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_ATTRIBUTE_TYPE attribute,
NSSItem *value
);
/*
* This routine returns the storage requirements of this object,
* in bytes. Cryptoki doesn't strictly define the definition,
* but it should relate to the values returned by the "Get Memory"
* routines of the NSSCKMDToken. This routine is optional; if
* unimplemented, the Framework will consider this information
* sensitive. This routine may return zero on error. If the
* specified error is CKR_OK, zero will be accepted as a valid
* response.
*/
CK_ULONG (PR_CALLBACK *GetObjectSize)(
NSSCKMDObject *mdObject,
NSSCKFWObject *fwObject,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError
);
/*
* This object may be extended in future versions of the
* NSS Cryptoki Framework. To allow for some flexibility
* in the area of binary compatibility, this field should
* be NULL.
*/
void *null;
};
#endif /* NSSCKMDT_H */