diff --git a/.github/workflows/build_and_test_windows.yml b/.github/workflows/build_and_test_windows.yml index d5a7ec81d..2f121b352 100644 --- a/.github/workflows/build_and_test_windows.yml +++ b/.github/workflows/build_and_test_windows.yml @@ -67,8 +67,6 @@ jobs: Set-PSDebug -Trace 1 $YHSHELL_SRC_DIR="$env:GITHUB_WORKSPACE\yubihsm-shell-" $MERGEDPATH = Get-ChildItem "C:\Program Files*\Microsoft Visual Studio\*\Enterprise\VC\Redist\MSVC\v14*\MergeModules\Microsoft_VC*_CRT_$env:ARCH.msm" - - echo "MERGEDPATH = $MERGEDPATH" cd $YHSHELL_SRC_DIR/resources/release/win ./make_release_binaries.ps1 $env:ARCH_CMAKE C:/vcpkg diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fa9d6d952..e132ef6c4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -109,6 +109,12 @@ jobs: set -x tar xf yubihsm-shell-$VERSION.tar.gz + - name: Install dependecies + run: | + brew update + brew install cmake pkg-config gengetopt help2man + brew reinstall openssl@3 + - name: Build and make MSI installer env: ARCH: ${{ matrix.arch }} diff --git a/cmake/SecurityFlags.cmake b/cmake/SecurityFlags.cmake index 76f010fdf..69f4edfd4 100644 --- a/cmake/SecurityFlags.cmake +++ b/cmake/SecurityFlags.cmake @@ -7,7 +7,7 @@ if (CMAKE_C_COMPILER_ID STREQUAL "Clang" OR add_compile_options (-Wall -Wextra -Werror) add_compile_options (-Wformat -Wformat-nonliteral -Wformat-security) add_compile_options (-Wshadow) - add_compile_options (-Wcast-qual) + #add_compile_options (-Wcast-qual) add_compile_options (-Wmissing-prototypes) add_compile_options (-Wbad-function-cast) add_compile_options (-pedantic -pedantic-errors) diff --git a/examples/p11_generate_rsa.c b/examples/p11_generate_rsa.c index d6c7ed3f2..3bed62f71 100644 --- a/examples/p11_generate_rsa.c +++ b/examples/p11_generate_rsa.c @@ -23,7 +23,7 @@ #include #include -#include +#include int main(int argc, char *argv[]) { if (argc != 2) { diff --git a/lib/internal.h b/lib/internal.h index f99641573..bbc62ad5a 100644 --- a/lib/internal.h +++ b/lib/internal.h @@ -37,13 +37,13 @@ struct yh_connector { void *backend; struct backend_functions *bf; yh_backend *connection; - char *status_url; - char *api_url; + char status_url[256]; + char api_url[256]; bool has_device; uint8_t version_major; uint8_t version_minor; uint8_t version_patch; - uint8_t address[32]; + char address[32]; uint32_t port; uint32_t pid; }; diff --git a/lib/lib_util.c b/lib/lib_util.c index 4ae9dd112..ee719c605 100644 --- a/lib/lib_util.c +++ b/lib/lib_util.c @@ -115,7 +115,7 @@ void parse_status_data(char *data, yh_connector *connector) { connector->pid = pid; } else if (strncmp(str, ADDRESS_STR, strlen(ADDRESS_STR)) == 0) { - strncpy((char *) connector->address, str + strlen(ADDRESS_STR), + strncpy(connector->address, str + strlen(ADDRESS_STR), sizeof(connector->address) - 1); } else if (strncmp(str, PORT_STR, strlen(PORT_STR)) == 0) { char *endptr; diff --git a/lib/tests/test_parsing.c b/lib/tests/test_parsing.c index 8c4f6305a..82c516a21 100644 --- a/lib/tests/test_parsing.c +++ b/lib/tests/test_parsing.c @@ -97,7 +97,7 @@ static void test_capabilities2(void) { size_t len = 0; for (size_t i = 0; i < sizeof(capabilities_list) / sizeof(capabilities_list[0]); i++) { - sprintf(capabilities_string + len, "%s:", capabilities_list[i]); + snprintf(capabilities_string + len, sizeof(capabilities_string) - len, "%s:", capabilities_list[i]); len += strlen(capabilities_list[i]) + 1; } capabilities_string[len - 1] = '\0'; diff --git a/lib/tests/test_util.c b/lib/tests/test_util.c index 0b085dec6..b395bd4ff 100644 --- a/lib/tests/test_util.c +++ b/lib/tests/test_util.c @@ -35,21 +35,21 @@ static void test_status(void) { yh_connector c; } tests[] = { {"status=OK\nversion=1.2.3\n", - {NULL, NULL, NULL, NULL, NULL, true, 1, 2, 3, "", 0, 0}}, - {"", {NULL, NULL, NULL, NULL, NULL, false, 0, 0, 0, "", 0, 0}}, - {"foobar", {NULL, NULL, NULL, NULL, NULL, false, 0, 0, 0, "", 0, 0}}, - {"\n\n\n\n\n\n", {NULL, NULL, NULL, NULL, NULL, false, 0, 0, 0, "", 0, 0}}, + {NULL, NULL, NULL, {0}, {0}, true, 1, 2, 3, "", 0, 0}}, + {"", {NULL, NULL, NULL, {0}, {0}, false, 0, 0, 0, "", 0, 0}}, + {"foobar", {NULL, NULL, NULL, {0}, {0}, false, 0, 0, 0, "", 0, 0}}, + {"\n\n\n\n\n\n", {NULL, NULL, NULL, {0}, {0}, false, 0, 0, 0, "", 0, 0}}, {"status=NO_DEVICE\nserial=*\nversion=1.0.2\npid=412\naddress=\nport=12345", - {NULL, NULL, NULL, NULL, NULL, false, 1, 0, 2, "", 12345, 412}}, - {"version=1.2", {NULL, NULL, NULL, NULL, NULL, false, 1, 2, 0, "", 0, 0}}, + {NULL, NULL, NULL, {0}, {0}, false, 1, 0, 2, "", 12345, 412}}, + {"version=1.2", {NULL, NULL, NULL, {0}, {0}, false, 1, 2, 0, "", 0, 0}}, {"version=foobar", - {NULL, NULL, NULL, NULL, NULL, false, 0, 0, 0, "", 0, 0}}, + {NULL, NULL, NULL, {0}, {0}, false, 0, 0, 0, "", 0, 0}}, {"version=2..\nstatus=OK", - {NULL, NULL, NULL, NULL, NULL, true, 2, 0, 0, "", 0, 0}}, + {NULL, NULL, NULL, {0}, {0}, true, 2, 0, 0, "", 0, 0}}, }; for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) { - yh_connector c = {NULL, NULL, NULL, NULL, NULL, false, 0, 0, 0, "", 0, 0}; + yh_connector c = {NULL, NULL, NULL, {0}, {0}, false, 0, 0, 0, "", 0, 0}; char *data = strdup(tests[i].data); parse_status_data(data, &c); diff --git a/lib/yubihsm.c b/lib/yubihsm.c index e68abe112..b0e8a1aba 100644 --- a/lib/yubihsm.c +++ b/lib/yubihsm.c @@ -1346,7 +1346,7 @@ yh_rc yh_get_connector_address(yh_connector *connector, char **const address) { return YHR_INVALID_PARAMETERS; } - *address = (char *) connector->address; + *address = connector->address; return YHR_SUCCESS; } @@ -4305,31 +4305,11 @@ static yh_rc create_connector(yh_connector **connector, const char *url, yh_rc rc = YHR_SUCCESS; if (strncmp(url, YH_USB_URL_SCHEME, strlen(YH_USB_URL_SCHEME)) == 0) { - (*connector)->status_url = strdup(url); - if ((*connector)->status_url == NULL) { - rc = YHR_MEMORY_ERROR; - goto cc_failure; - } - (*connector)->api_url = strdup(url); - if ((*connector)->api_url == NULL) { - rc = YHR_MEMORY_ERROR; - goto cc_failure; - } + snprintf((*connector)->status_url, sizeof((*connector)->status_url), "%s", url); + snprintf((*connector)->api_url, sizeof((*connector)->api_url), "%s", url); } else { - (*connector)->status_url = - calloc(1, strlen(url) + strlen(STATUS_ENDPOINT) + 1); - if ((*connector)->status_url == NULL) { - rc = YHR_MEMORY_ERROR; - goto cc_failure; - } - sprintf((*connector)->status_url, "%s%s", url, STATUS_ENDPOINT); - - (*connector)->api_url = calloc(1, strlen(url) + strlen(API_ENDPOINT) + 1); - if ((*connector)->api_url == NULL) { - rc = YHR_MEMORY_ERROR; - goto cc_failure; - } - sprintf((*connector)->api_url, "%s%s", url, API_ENDPOINT); + snprintf((*connector)->status_url, sizeof((*connector)->status_url), "%s%s", url, STATUS_ENDPOINT); + snprintf((*connector)->api_url, sizeof((*connector)->api_url), "%s%s", url, API_ENDPOINT); } (*connector)->connection = bf->backend_create(); @@ -4344,15 +4324,6 @@ static yh_rc create_connector(yh_connector **connector, const char *url, return YHR_SUCCESS; cc_failure: - if ((*connector)->status_url) { - free((*connector)->status_url); - (*connector)->status_url = NULL; - } - - if ((*connector)->api_url) { - free((*connector)->api_url); - (*connector)->api_url = NULL; - } if (*connector) { free(*connector); @@ -4373,15 +4344,8 @@ static void destroy_connector(yh_connector *connector) { connector->connection = NULL; } - if (connector->status_url != NULL) { - free(connector->status_url); - connector->status_url = NULL; - } - - if (connector->api_url != NULL) { - free(connector->api_url); - connector->api_url = NULL; - } + memset(connector->status_url, 0, sizeof(connector->status_url)); + memset(connector->api_url, 0, sizeof(connector->api_url)); if (connector->bf) { connector->bf->backend_cleanup(); @@ -4746,7 +4710,7 @@ yh_rc yh_get_key_bitlength(yh_algorithm algorithm, size_t *result) { break; case YH_ALGO_EC_ED25519: - *result = 256; + *result = 255; break; case YH_ALGO_HMAC_SHA1: diff --git a/pkcs11/CMakeLists.txt b/pkcs11/CMakeLists.txt index b67b38b76..3a20901b1 100644 --- a/pkcs11/CMakeLists.txt +++ b/pkcs11/CMakeLists.txt @@ -95,6 +95,8 @@ install( LIBRARY DESTINATION "${YUBIHSM_INSTALL_LIB_DIR}/pkcs11" RUNTIME DESTINATION "${YUBIHSM_INSTALL_BIN_DIR}/pkcs11") install(FILES pkcs11.h DESTINATION "${YUBIHSM_INSTALL_INC_DIR}/pkcs11") +install(FILES pkcs11t.h DESTINATION "${YUBIHSM_INSTALL_INC_DIR}/pkcs11") +install(FILES pkcs11f.h DESTINATION "${YUBIHSM_INSTALL_INC_DIR}/pkcs11") install(FILES pkcs11y.h DESTINATION "${YUBIHSM_INSTALL_INC_DIR}/pkcs11") add_subdirectory (tests) diff --git a/pkcs11/pkcs11.h b/pkcs11/pkcs11.h index 385546844..1ac4f86f1 100644 --- a/pkcs11/pkcs11.h +++ b/pkcs11/pkcs11.h @@ -1,1350 +1,249 @@ -/* pkcs11.h - Copyright 2006, 2007 g10 Code GmbH - Copyright 2006 Andreas Jellinghaus - - This file is free software; as a special exception the author gives - unlimited permission to copy and/or distribute it, with or without - modifications, as long as this notice is preserved. - - This file is distributed in the hope that it will be useful, but - WITHOUT ANY WARRANTY, to the extent permitted by law; without even - the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR - PURPOSE. */ - -/* Please submit changes back to the Scute project at - http://www.scute.org/ (or send them to marcus@g10code.com), so that - they can be picked up by other projects from there as well. */ - -/* This file is a modified implementation of the PKCS #11 standard by - RSA Security Inc. It is mostly a drop-in replacement, with the - following change: - - This header file does not require any macro definitions by the user - (like CK_DEFINE_FUNCTION etc). In fact, it defines those macros - for you (if useful, some are missing, let me know if you need - more). - - There is an additional API available that does comply better to the - GNU coding standard. It can be switched on by defining - CRYPTOKI_GNU before including this header file. For this, the - following changes are made to the specification: - - All structure types are changed to a "struct ck_foo" where CK_FOO - is the type name in PKCS #11. - - All non-structure types are changed to ck_foo_t where CK_FOO is the - lowercase version of the type name in PKCS #11. The basic types - (CK_ULONG et al.) are removed without substitute. - - All members of structures are modified in the following way: Type - indication prefixes are removed, and underscore characters are - inserted before words. Then the result is lowercased. - - Note that function names are still in the original case, as they - need for ABI compatibility. +/* + * PKCS #11 Specification Version 3.1 + * Committee Specification Draft 01 + * 16 February 2022 + * Copyright (c) OASIS Open 2022. All Rights Reserved. + * Source: + * https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/csd01/include/pkcs11-v3.1/ + * Latest stage of narrative specification: + * https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/pkcs11-spec-v3.1.html TC + * IPR Statement: https://www.oasis-open.org/committees/pkcs11/ipr.php + */ - CK_FALSE, CK_TRUE and NULL_PTR are removed without substitute. Use - . +/* Copyright (c) OASIS Open 2016,2019. All Rights Reserved./ + * /Distributed under the terms of the OASIS IPR Policy, + * [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY + * IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS + * FOR A PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others. + */ - If CRYPTOKI_COMPAT is defined before including this header file, - then none of the API changes above take place, and the API is the - one defined by the PKCS #11 standard. */ +/* Latest version of the specification: + * http://docs.oasis-open.org/pkcs11/pkcs11-base/v3.0/pkcs11-base-v3.0.html + */ -#ifndef PKCS11_H -#define PKCS11_H 1 +#ifndef _PKCS11_H_ +#define _PKCS11_H_ 1 -#if defined(__cplusplus) +#ifdef __cplusplus extern "C" { #endif -/* The version of cryptoki we implement. The revision is changed with - each modification of this file. If you do not use the "official" - version of this file, please consider deleting the revision macro - (you may use a macro with a different name to keep track of your - versions). */ -#define CRYPTOKI_VERSION_MAJOR 2 -#define CRYPTOKI_VERSION_MINOR 40 -#define CRYPTOKI_VERSION_REVISION 0 - -/* Compatibility interface is default, unless CRYPTOKI_GNU is - given. */ -#ifndef CRYPTOKI_GNU -#ifndef CRYPTOKI_COMPAT -#define CRYPTOKI_COMPAT 1 -#endif -#endif - -/* System dependencies. */ - -#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32) - -/* There is a matching pop below. */ -#pragma pack(push, cryptoki, 1) - -#ifdef CRYPTOKI_EXPORTS -#define CK_SPEC __declspec(dllexport) -#else -/* - * Yubico: we're using libtool to declare exports, this - * messes up the build. +/* Before including this file (pkcs11.h) (or pkcs11t.h by + * itself), 5 platform-specific macros must be defined. These + * macros are described below, and typical definitions for them + * are also given. Be advised that these definitions can depend + * on both the platform and the compiler used (and possibly also + * on whether a Cryptoki library is linked statically or + * dynamically). + * + * In addition to defining these 5 macros, the packing convention + * for Cryptoki structures should be set. The Cryptoki + * convention on packing is that structures should be 1-byte + * aligned. + * + * If you're using Windows this might be done by using the following + * preprocessor directive before including pkcs11.h or pkcs11t.h: + * + * #pragma pack(push, cryptoki, 1) + * + * and using the following preprocessor directive after including + * pkcs11.h or pkcs11t.h: + * + * #pragma pack(pop, cryptoki) + * + * In a UNIX environment, you're on your own for this. You might + * not need to do (or be able to do!) anything. + * + * + * Now for the macros: + * + * + * 1. CK_PTR: The indirection string for making a pointer to an + * object. It can be used like this: + * + * typedef CK_BYTE CK_PTR CK_BYTE_PTR; + * + * If you're using Windows, it might be defined by: + * + * #define CK_PTR * + * + * In a typical UNIX environment, it might be defined by: + * + * #define CK_PTR * + * + * + * 2. CK_DECLARE_FUNCTION(returnType, name): A macro which makes + * an importable Cryptoki library function declaration out of a + * return type and a function name. It should be used in the + * following fashion: + * + * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)( + * CK_VOID_PTR pReserved + * ); + * + * If you're using Windows to declare a function in a Win32 Cryptoki .dll, + * it might be defined by: + * + * #define CK_DECLARE_FUNCTION(returnType, name) \ + * returnType __declspec(dllimport) name + * + * In a UNIX environment, it might be defined by: + * + * #define CK_DECLARE_FUNCTION(returnType, name) \ + * returnType name + * + * + * 3. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro + * which makes a Cryptoki API function pointer declaration or + * function pointer type declaration out of a return type and a + * function name. It should be used in the following fashion: + * + * // Define funcPtr to be a pointer to a Cryptoki API function + * // taking arguments args and returning CK_RV. + * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args); + * + * or + * + * // Define funcPtrType to be the type of a pointer to a + * // Cryptoki API function taking arguments args and returning + * // CK_RV, and then define funcPtr to be a variable of type + * // funcPtrType. + * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args); + * funcPtrType funcPtr; + * + * If you're using Windows to access + * functions in a Win32 Cryptoki .dll, in might be defined by: + * + * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ + * returnType __declspec(dllimport) (* name) * - * #define CK_SPEC __declspec(dllimport) + * In a UNIX environment, it might be defined by: + * + * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ + * returnType (* name) + * + * + * 4. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes + * a function pointer type for an application callback out of + * a return type for the callback and a name for the callback. + * It should be used in the following fashion: + * + * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args); + * + * to declare a function pointer, myCallback, to a callback + * which takes arguments args and returns a CK_RV. It can also + * be used like this: + * + * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args); + * myCallbackType myCallback; + * + * If you're using Windows, it might be defined by: + * + * #define CK_CALLBACK_FUNCTION(returnType, name) \ + * returnType (* name) + * + * In a UNIX environment, it might be defined by: + * + * #define CK_CALLBACK_FUNCTION(returnType, name) \ + * returnType (* name) + * + * + * 5. NULL_PTR: This macro is the value of a NULL pointer. + * + * In any ANSI/ISO C environment (and in many others as well), + * this should best be defined by + * + * #ifndef NULL_PTR + * #define NULL_PTR 0 + * #endif */ -#define CK_SPEC -#endif - -#else - -#ifdef CRYPTOKI_EXPORTS -#define CK_SPEC __attribute__((visibility("default"))) -#else -#define CK_SPEC -#endif - -#endif - -#ifdef CRYPTOKI_COMPAT -/* If we are in compatibility mode, switch all exposed names to the - PKCS #11 variant. There are corresponding #undefs below. */ - -#define ck_flags_t CK_FLAGS -#define ck_version _CK_VERSION - -#define ck_info _CK_INFO -#define cryptoki_version cryptokiVersion -#define manufacturer_id manufacturerID -#define library_description libraryDescription -#define library_version libraryVersion - -#define ck_notification_t CK_NOTIFICATION -#define ck_slot_id_t CK_SLOT_ID - -#define ck_slot_info _CK_SLOT_INFO -#define slot_description slotDescription -#define hardware_version hardwareVersion -#define firmware_version firmwareVersion - -#define ck_token_info _CK_TOKEN_INFO -#define serial_number serialNumber -#define max_session_count ulMaxSessionCount -#define session_count ulSessionCount -#define max_rw_session_count ulMaxRwSessionCount -#define rw_session_count ulRwSessionCount -#define max_pin_len ulMaxPinLen -#define min_pin_len ulMinPinLen -#define total_public_memory ulTotalPublicMemory -#define free_public_memory ulFreePublicMemory -#define total_private_memory ulTotalPrivateMemory -#define free_private_memory ulFreePrivateMemory -#define utc_time utcTime -#define ck_session_handle_t CK_SESSION_HANDLE -#define ck_user_type_t CK_USER_TYPE -#define ck_state_t CK_STATE - -#define ck_session_info _CK_SESSION_INFO -#define slot_id slotID -#define device_error ulDeviceError - -#define ck_object_handle_t CK_OBJECT_HANDLE -#define ck_object_class_t CK_OBJECT_CLASS -#define ck_hw_feature_type_t CK_HW_FEATURE_TYPE -#define ck_key_type_t CK_KEY_TYPE -#define ck_certificate_type_t CK_CERTIFICATE_TYPE -#define ck_attribute_type_t CK_ATTRIBUTE_TYPE - -#define ck_attribute _CK_ATTRIBUTE -#define value pValue -#define value_len ulValueLen - -#define ck_date _CK_DATE - -#define ck_mechanism_type_t CK_MECHANISM_TYPE - -#define ck_mechanism _CK_MECHANISM -#define parameter pParameter -#define parameter_len ulParameterLen - -#define ck_mechanism_info _CK_MECHANISM_INFO -#define min_key_size ulMinKeySize -#define max_key_size ulMaxKeySize - -#define ck_rv_t CK_RV -#define ck_notify_t CK_NOTIFY - -#define ck_function_list _CK_FUNCTION_LIST - -#define ck_createmutex_t CK_CREATEMUTEX -#define ck_destroymutex_t CK_DESTROYMUTEX -#define ck_lockmutex_t CK_LOCKMUTEX -#define ck_unlockmutex_t CK_UNLOCKMUTEX - -#define ck_c_initialize_args _CK_C_INITIALIZE_ARGS -#define create_mutex CreateMutex -#define destroy_mutex DestroyMutex -#define lock_mutex LockMutex -#define unlock_mutex UnlockMutex -#define reserved pReserved - -#endif /* CRYPTOKI_COMPAT */ - -typedef unsigned long ck_flags_t; - -struct ck_version { - unsigned char major; - unsigned char minor; -}; - -struct ck_info { - struct ck_version cryptoki_version; - unsigned char manufacturer_id[32]; - ck_flags_t flags; - unsigned char library_description[32]; - struct ck_version library_version; -}; - -typedef unsigned long ck_notification_t; - -#define CKN_SURRENDER (0UL) - -typedef unsigned long ck_slot_id_t; - -struct ck_slot_info { - unsigned char slot_description[64]; - unsigned char manufacturer_id[32]; - ck_flags_t flags; - struct ck_version hardware_version; - struct ck_version firmware_version; -}; - -#define CKF_TOKEN_PRESENT (1UL << 0) -#define CKF_REMOVABLE_DEVICE (1UL << 1) -#define CKF_HW_SLOT (1UL << 2) -#define CKF_ARRAY_ATTRIBUTE (1UL << 30) - -struct ck_token_info { - unsigned char label[32]; - unsigned char manufacturer_id[32]; - unsigned char model[16]; - unsigned char serial_number[16]; - ck_flags_t flags; - unsigned long max_session_count; - unsigned long session_count; - unsigned long max_rw_session_count; - unsigned long rw_session_count; - unsigned long max_pin_len; - unsigned long min_pin_len; - unsigned long total_public_memory; - unsigned long free_public_memory; - unsigned long total_private_memory; - unsigned long free_private_memory; - struct ck_version hardware_version; - struct ck_version firmware_version; - unsigned char utc_time[16]; -}; - -#define CKF_RNG (1UL << 0) -#define CKF_WRITE_PROTECTED (1UL << 1) -#define CKF_LOGIN_REQUIRED (1UL << 2) -#define CKF_USER_PIN_INITIALIZED (1UL << 3) -#define CKF_RESTORE_KEY_NOT_NEEDED (1UL << 5) -#define CKF_CLOCK_ON_TOKEN (1UL << 6) -#define CKF_PROTECTED_AUTHENTICATION_PATH (1UL << 8) -#define CKF_DUAL_CRYPTO_OPERATIONS (1UL << 9) -#define CKF_TOKEN_INITIALIZED (1UL << 10) -#define CKF_SECONDARY_AUTHENTICATION (1UL << 11) -#define CKF_USER_PIN_COUNT_LOW (1UL << 16) -#define CKF_USER_PIN_FINAL_TRY (1UL << 17) -#define CKF_USER_PIN_LOCKED (1UL << 18) -#define CKF_USER_PIN_TO_BE_CHANGED (1UL << 19) -#define CKF_SO_PIN_COUNT_LOW (1UL << 20) -#define CKF_SO_PIN_FINAL_TRY (1UL << 21) -#define CKF_SO_PIN_LOCKED (1UL << 22) -#define CKF_SO_PIN_TO_BE_CHANGED (1UL << 23) - -#define CK_UNAVAILABLE_INFORMATION ((unsigned long) -1) -#define CK_EFFECTIVELY_INFINITE (0UL) - -typedef unsigned long ck_session_handle_t; - -#define CK_INVALID_HANDLE (0UL) - -typedef unsigned long ck_user_type_t; - -#define CKU_SO (0UL) -#define CKU_USER (1UL) -#define CKU_CONTEXT_SPECIFIC (2UL) - -typedef unsigned long ck_state_t; - -#define CKS_RO_PUBLIC_SESSION (0UL) -#define CKS_RO_USER_FUNCTIONS (1UL) -#define CKS_RW_PUBLIC_SESSION (2UL) -#define CKS_RW_USER_FUNCTIONS (3UL) -#define CKS_RW_SO_FUNCTIONS (4UL) - -struct ck_session_info { - ck_slot_id_t slot_id; - ck_state_t state; - ck_flags_t flags; - unsigned long device_error; -}; - -#define CKF_RW_SESSION (1UL << 1) -#define CKF_SERIAL_SESSION (1UL << 2) - -typedef unsigned long ck_object_handle_t; - -typedef unsigned long ck_object_class_t; - -#define CKO_DATA (0UL) -#define CKO_CERTIFICATE (1UL) -#define CKO_PUBLIC_KEY (2UL) -#define CKO_PRIVATE_KEY (3UL) -#define CKO_SECRET_KEY (4UL) -#define CKO_HW_FEATURE (5UL) -#define CKO_DOMAIN_PARAMETERS (6UL) -#define CKO_MECHANISM (7UL) -#define CKO_VENDOR_DEFINED (1UL << 31) - -typedef unsigned long ck_hw_feature_type_t; - -#define CKH_MONOTONIC_COUNTER (1UL) -#define CKH_CLOCK (2UL) -#define CKH_USER_INTERFACE (3UL) -#define CKH_VENDOR_DEFINED (1UL << 31) - -typedef unsigned long ck_key_type_t; +/* All the various Cryptoki types and #define'd values are in the + * file pkcs11t.h. + */ +#include "pkcs11t.h" -#define CKK_RSA (0UL) -#define CKK_DSA (1UL) -#define CKK_DH (2UL) -#define CKK_ECDSA (3UL) -#define CKK_EC (3UL) -#define CKK_X9_42_DH (4UL) -#define CKK_KEA (5UL) -#define CKK_GENERIC_SECRET (0x10UL) -#define CKK_RC2 (0x11UL) -#define CKK_RC4 (0x12UL) -#define CKK_DES (0x13UL) -#define CKK_DES2 (0x14UL) -#define CKK_DES3 (0x15UL) -#define CKK_CAST (0x16UL) -#define CKK_CAST3 (0x17UL) -#define CKK_CAST128 (0x18UL) -#define CKK_RC5 (0x19UL) -#define CKK_IDEA (0x1aUL) -#define CKK_SKIPJACK (0x1bUL) -#define CKK_BATON (0x1cUL) -#define CKK_JUNIPER (0x1dUL) -#define CKK_CDMF (0x1eUL) -#define CKK_AES (0x1fUL) -#define CKK_BLOWFISH (0x20UL) -#define CKK_TWOFISH (0x21UL) -#define CKK_SHA_1_HMAC (0x28UL) -#define CKK_SHA256_HMAC (0x2bUL) -#define CKK_SHA384_HMAC (0x2cUL) -#define CKK_SHA512_HMAC (0x2dUL) -#define CKK_SHA224_HMAC (0x2eUL) -#define CKK_GOSTR3410 (0x30UL) -#define CKK_GOSTR3411 (0x31UL) -#define CKK_GOST28147 (0x32UL) -#define CKK_VENDOR_DEFINED (1UL << 31) +#define __PASTE(x, y) x##y -typedef unsigned long ck_certificate_type_t; +/* ============================================================== + * Define the "extern" form of all the entry points. + * ============================================================== + */ -#define CKC_X_509 (0UL) -#define CKC_X_509_ATTR_CERT (1UL) -#define CKC_WTLS (2UL) -#define CKC_VENDOR_DEFINED (1UL << 31) +#define CK_NEED_ARG_LIST 1 +#define CK_PKCS11_FUNCTION_INFO(name) extern CK_DECLARE_FUNCTION(CK_RV, name) -typedef unsigned long ck_attribute_type_t; +/* pkcs11f.h has all the information about the Cryptoki + * function prototypes. + */ +#include "pkcs11f.h" -#define CKA_CLASS (0UL) -#define CKA_TOKEN (1UL) -#define CKA_PRIVATE (2UL) -#define CKA_LABEL (3UL) -#define CKA_APPLICATION (0x10UL) -#define CKA_VALUE (0x11UL) -#define CKA_OBJECT_ID (0x12UL) -#define CKA_CERTIFICATE_TYPE (0x80UL) -#define CKA_ISSUER (0x81UL) -#define CKA_SERIAL_NUMBER (0x82UL) -#define CKA_AC_ISSUER (0x83UL) -#define CKA_OWNER (0x84UL) -#define CKA_ATTR_TYPES (0x85UL) -#define CKA_TRUSTED (0x86UL) -#define CKA_CERTIFICATE_CATEGORY (0x87UL) -#define CKA_JAVA_MIDP_SECURITY_DOMAIN (0x88UL) -#define CKA_URL (0x89UL) -#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY (0x8aUL) -#define CKA_HASH_OF_ISSUER_PUBLIC_KEY (0x8bUL) -#define CKA_CHECK_VALUE (0x90UL) -#define CKA_KEY_TYPE (0x100UL) -#define CKA_SUBJECT (0x101UL) -#define CKA_ID (0x102UL) -#define CKA_SENSITIVE (0x103UL) -#define CKA_ENCRYPT (0x104UL) -#define CKA_DECRYPT (0x105UL) -#define CKA_WRAP (0x106UL) -#define CKA_UNWRAP (0x107UL) -#define CKA_SIGN (0x108UL) -#define CKA_SIGN_RECOVER (0x109UL) -#define CKA_VERIFY (0x10aUL) -#define CKA_VERIFY_RECOVER (0x10bUL) -#define CKA_DERIVE (0x10cUL) -#define CKA_START_DATE (0x110UL) -#define CKA_END_DATE (0x111UL) -#define CKA_MODULUS (0x120UL) -#define CKA_MODULUS_BITS (0x121UL) -#define CKA_PUBLIC_EXPONENT (0x122UL) -#define CKA_PRIVATE_EXPONENT (0x123UL) -#define CKA_PRIME_1 (0x124UL) -#define CKA_PRIME_2 (0x125UL) -#define CKA_EXPONENT_1 (0x126UL) -#define CKA_EXPONENT_2 (0x127UL) -#define CKA_COEFFICIENT (0x128UL) -#define CKA_PUBLIC_KEY_INFO (0x129UL) -#define CKA_PRIME (0x130UL) -#define CKA_SUBPRIME (0x131UL) -#define CKA_BASE (0x132UL) -#define CKA_PRIME_BITS (0x133UL) -#define CKA_SUB_PRIME_BITS (0x134UL) -#define CKA_VALUE_BITS (0x160UL) -#define CKA_VALUE_LEN (0x161UL) -#define CKA_EXTRACTABLE (0x162UL) -#define CKA_LOCAL (0x163UL) -#define CKA_NEVER_EXTRACTABLE (0x164UL) -#define CKA_ALWAYS_SENSITIVE (0x165UL) -#define CKA_KEY_GEN_MECHANISM (0x166UL) -#define CKA_MODIFIABLE (0x170UL) -#define CKA_COPYABLE (0x171UL) -#define CKA_DESTROYABLE (0x172UL) -#define CKA_ECDSA_PARAMS (0x180UL) -#define CKA_EC_PARAMS (0x180UL) -#define CKA_EC_POINT (0x181UL) -#define CKA_SECONDARY_AUTH (0x200UL) -#define CKA_AUTH_PIN_FLAGS (0x201UL) -#define CKA_ALWAYS_AUTHENTICATE (0x202UL) -#define CKA_WRAP_WITH_TRUSTED (0x210UL) -#define CKA_GOSTR3410_PARAMS (0x250UL) -#define CKA_GOSTR3411_PARAMS (0x251UL) -#define CKA_GOST28147_PARAMS (0x252UL) -#define CKA_HW_FEATURE_TYPE (0x300UL) -#define CKA_RESET_ON_INIT (0x301UL) -#define CKA_HAS_RESET (0x302UL) -#define CKA_PIXEL_X (0x400UL) -#define CKA_PIXEL_Y (0x401UL) -#define CKA_RESOLUTION (0x402UL) -#define CKA_CHAR_ROWS (0x403UL) -#define CKA_CHAR_COLUMNS (0x404UL) -#define CKA_COLOR (0x405UL) -#define CKA_BITS_PER_PIXEL (0x406UL) -#define CKA_CHAR_SETS (0x480UL) -#define CKA_ENCODING_METHODS (0x481UL) -#define CKA_MIME_TYPES (0x482UL) -#define CKA_MECHANISM_TYPE (0x500UL) -#define CKA_REQUIRED_CMS_ATTRIBUTES (0x501UL) -#define CKA_DEFAULT_CMS_ATTRIBUTES (0x502UL) -#define CKA_SUPPORTED_CMS_ATTRIBUTES (0x503UL) -#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x211UL) -#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x212UL) -#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE | 0x600UL) -#define CKA_VENDOR_DEFINED (1UL << 31) +#undef CK_NEED_ARG_LIST +#undef CK_PKCS11_FUNCTION_INFO -struct ck_attribute { - ck_attribute_type_t type; - void *value; - unsigned long value_len; -}; +/* ============================================================== + * Define the typedef form of all the entry points. That is, for + * each Cryptoki function C_XXX, define a type CK_C_XXX which is + * a pointer to that kind of function. + * ============================================================== + */ -struct ck_date { - unsigned char year[4]; - unsigned char month[2]; - unsigned char day[2]; -}; +#define CK_NEED_ARG_LIST 1 +#define CK_PKCS11_FUNCTION_INFO(name) \ + typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_, name)) -typedef unsigned long ck_mechanism_type_t; +/* pkcs11f.h has all the information about the Cryptoki + * function prototypes. + */ +#include "pkcs11f.h" + +#undef CK_NEED_ARG_LIST +#undef CK_PKCS11_FUNCTION_INFO + +/* ============================================================== + * Define structed vector of entry points. A CK_FUNCTION_LIST + * contains a CK_VERSION indicating a library's Cryptoki version + * and then a whole slew of function pointers to the routines in + * the library. This type was declared, but not defined, in + * pkcs11t.h. + * ============================================================== + */ -#define CKM_RSA_PKCS_KEY_PAIR_GEN (0UL) -#define CKM_RSA_PKCS (1UL) -#define CKM_RSA_9796 (2UL) -#define CKM_RSA_X_509 (3UL) -#define CKM_MD2_RSA_PKCS (4UL) -#define CKM_MD5_RSA_PKCS (5UL) -#define CKM_SHA1_RSA_PKCS (6UL) -#define CKM_RIPEMD128_RSA_PKCS (7UL) -#define CKM_RIPEMD160_RSA_PKCS (8UL) -#define CKM_RSA_PKCS_OAEP (9UL) -#define CKM_RSA_X9_31_KEY_PAIR_GEN (0xaUL) -#define CKM_RSA_X9_31 (0xbUL) -#define CKM_SHA1_RSA_X9_31 (0xcUL) -#define CKM_RSA_PKCS_PSS (0xdUL) -#define CKM_SHA1_RSA_PKCS_PSS (0xeUL) -#define CKM_DSA_KEY_PAIR_GEN (0x10UL) -#define CKM_DSA (0x11UL) -#define CKM_DSA_SHA1 (0x12UL) -#define CKM_DH_PKCS_KEY_PAIR_GEN (0x20UL) -#define CKM_DH_PKCS_DERIVE (0x21UL) -#define CKM_X9_42_DH_KEY_PAIR_GEN (0x30UL) -#define CKM_X9_42_DH_DERIVE (0x31UL) -#define CKM_X9_42_DH_HYBRID_DERIVE (0x32UL) -#define CKM_X9_42_MQV_DERIVE (0x33UL) -#define CKM_SHA256_RSA_PKCS (0x40UL) -#define CKM_SHA384_RSA_PKCS (0x41UL) -#define CKM_SHA512_RSA_PKCS (0x42UL) -#define CKM_SHA256_RSA_PKCS_PSS (0x43UL) -#define CKM_SHA384_RSA_PKCS_PSS (0x44UL) -#define CKM_SHA512_RSA_PKCS_PSS (0x45UL) -#define CKM_RC2_KEY_GEN (0x100UL) -#define CKM_RC2_ECB (0x101UL) -#define CKM_RC2_CBC (0x102UL) -#define CKM_RC2_MAC (0x103UL) -#define CKM_RC2_MAC_GENERAL (0x104UL) -#define CKM_RC2_CBC_PAD (0x105UL) -#define CKM_RC4_KEY_GEN (0x110UL) -#define CKM_RC4 (0x111UL) -#define CKM_DES_KEY_GEN (0x120UL) -#define CKM_DES_ECB (0x121UL) -#define CKM_DES_CBC (0x122UL) -#define CKM_DES_MAC (0x123UL) -#define CKM_DES_MAC_GENERAL (0x124UL) -#define CKM_DES_CBC_PAD (0x125UL) -#define CKM_DES2_KEY_GEN (0x130UL) -#define CKM_DES3_KEY_GEN (0x131UL) -#define CKM_DES3_ECB (0x132UL) -#define CKM_DES3_CBC (0x133UL) -#define CKM_DES3_MAC (0x134UL) -#define CKM_DES3_MAC_GENERAL (0x135UL) -#define CKM_DES3_CBC_PAD (0x136UL) -#define CKM_CDMF_KEY_GEN (0x140UL) -#define CKM_CDMF_ECB (0x141UL) -#define CKM_CDMF_CBC (0x142UL) -#define CKM_CDMF_MAC (0x143UL) -#define CKM_CDMF_MAC_GENERAL (0x144UL) -#define CKM_CDMF_CBC_PAD (0x145UL) -#define CKM_MD2 (0x200UL) -#define CKM_MD2_HMAC (0x201UL) -#define CKM_MD2_HMAC_GENERAL (0x202UL) -#define CKM_MD5 (0x210UL) -#define CKM_MD5_HMAC (0x211UL) -#define CKM_MD5_HMAC_GENERAL (0x212UL) -#define CKM_SHA_1 (0x220UL) -#define CKM_SHA_1_HMAC (0x221UL) -#define CKM_SHA_1_HMAC_GENERAL (0x222UL) -#define CKM_RIPEMD128 (0x230UL) -#define CKM_RIPEMD128_HMAC (0x231UL) -#define CKM_RIPEMD128_HMAC_GENERAL (0x232UL) -#define CKM_RIPEMD160 (0x240UL) -#define CKM_RIPEMD160_HMAC (0x241UL) -#define CKM_RIPEMD160_HMAC_GENERAL (0x242UL) -#define CKM_SHA256 (0x250UL) -#define CKM_SHA256_HMAC (0x251UL) -#define CKM_SHA256_HMAC_GENERAL (0x252UL) -#define CKM_SHA384 (0x260UL) -#define CKM_SHA384_HMAC (0x261UL) -#define CKM_SHA384_HMAC_GENERAL (0x262UL) -#define CKM_SHA512 (0x270UL) -#define CKM_SHA512_HMAC (0x271UL) -#define CKM_SHA512_HMAC_GENERAL (0x272UL) -#define CKM_CAST_KEY_GEN (0x300UL) -#define CKM_CAST_ECB (0x301UL) -#define CKM_CAST_CBC (0x302UL) -#define CKM_CAST_MAC (0x303UL) -#define CKM_CAST_MAC_GENERAL (0x304UL) -#define CKM_CAST_CBC_PAD (0x305UL) -#define CKM_CAST3_KEY_GEN (0x310UL) -#define CKM_CAST3_ECB (0x311UL) -#define CKM_CAST3_CBC (0x312UL) -#define CKM_CAST3_MAC (0x313UL) -#define CKM_CAST3_MAC_GENERAL (0x314UL) -#define CKM_CAST3_CBC_PAD (0x315UL) -#define CKM_CAST5_KEY_GEN (0x320UL) -#define CKM_CAST128_KEY_GEN (0x320UL) -#define CKM_CAST5_ECB (0x321UL) -#define CKM_CAST128_ECB (0x321UL) -#define CKM_CAST5_CBC (0x322UL) -#define CKM_CAST128_CBC (0x322UL) -#define CKM_CAST5_MAC (0x323UL) -#define CKM_CAST128_MAC (0x323UL) -#define CKM_CAST5_MAC_GENERAL (0x324UL) -#define CKM_CAST128_MAC_GENERAL (0x324UL) -#define CKM_CAST5_CBC_PAD (0x325UL) -#define CKM_CAST128_CBC_PAD (0x325UL) -#define CKM_RC5_KEY_GEN (0x330UL) -#define CKM_RC5_ECB (0x331UL) -#define CKM_RC5_CBC (0x332UL) -#define CKM_RC5_MAC (0x333UL) -#define CKM_RC5_MAC_GENERAL (0x334UL) -#define CKM_RC5_CBC_PAD (0x335UL) -#define CKM_IDEA_KEY_GEN (0x340UL) -#define CKM_IDEA_ECB (0x341UL) -#define CKM_IDEA_CBC (0x342UL) -#define CKM_IDEA_MAC (0x343UL) -#define CKM_IDEA_MAC_GENERAL (0x344UL) -#define CKM_IDEA_CBC_PAD (0x345UL) -#define CKM_GENERIC_SECRET_KEY_GEN (0x350UL) -#define CKM_CONCATENATE_BASE_AND_KEY (0x360UL) -#define CKM_CONCATENATE_BASE_AND_DATA (0x362UL) -#define CKM_CONCATENATE_DATA_AND_BASE (0x363UL) -#define CKM_XOR_BASE_AND_DATA (0x364UL) -#define CKM_EXTRACT_KEY_FROM_KEY (0x365UL) -#define CKM_SSL3_PRE_MASTER_KEY_GEN (0x370UL) -#define CKM_SSL3_MASTER_KEY_DERIVE (0x371UL) -#define CKM_SSL3_KEY_AND_MAC_DERIVE (0x372UL) -#define CKM_SSL3_MASTER_KEY_DERIVE_DH (0x373UL) -#define CKM_TLS_PRE_MASTER_KEY_GEN (0x374UL) -#define CKM_TLS_MASTER_KEY_DERIVE (0x375UL) -#define CKM_TLS_KEY_AND_MAC_DERIVE (0x376UL) -#define CKM_TLS_MASTER_KEY_DERIVE_DH (0x377UL) -#define CKM_SSL3_MD5_MAC (0x380UL) -#define CKM_SSL3_SHA1_MAC (0x381UL) -#define CKM_MD5_KEY_DERIVATION (0x390UL) -#define CKM_MD2_KEY_DERIVATION (0x391UL) -#define CKM_SHA1_KEY_DERIVATION (0x392UL) -#define CKM_PBE_MD2_DES_CBC (0x3a0UL) -#define CKM_PBE_MD5_DES_CBC (0x3a1UL) -#define CKM_PBE_MD5_CAST_CBC (0x3a2UL) -#define CKM_PBE_MD5_CAST3_CBC (0x3a3UL) -#define CKM_PBE_MD5_CAST5_CBC (0x3a4UL) -#define CKM_PBE_MD5_CAST128_CBC (0x3a4UL) -#define CKM_PBE_SHA1_CAST5_CBC (0x3a5UL) -#define CKM_PBE_SHA1_CAST128_CBC (0x3a5UL) -#define CKM_PBE_SHA1_RC4_128 (0x3a6UL) -#define CKM_PBE_SHA1_RC4_40 (0x3a7UL) -#define CKM_PBE_SHA1_DES3_EDE_CBC (0x3a8UL) -#define CKM_PBE_SHA1_DES2_EDE_CBC (0x3a9UL) -#define CKM_PBE_SHA1_RC2_128_CBC (0x3aaUL) -#define CKM_PBE_SHA1_RC2_40_CBC (0x3abUL) -#define CKM_PKCS5_PBKD2 (0x3b0UL) -#define CKM_PBA_SHA1_WITH_SHA1_HMAC (0x3c0UL) -#define CKM_KEY_WRAP_LYNKS (0x400UL) -#define CKM_KEY_WRAP_SET_OAEP (0x401UL) -#define CKM_SKIPJACK_KEY_GEN (0x1000UL) -#define CKM_SKIPJACK_ECB64 (0x1001UL) -#define CKM_SKIPJACK_CBC64 (0x1002UL) -#define CKM_SKIPJACK_OFB64 (0x1003UL) -#define CKM_SKIPJACK_CFB64 (0x1004UL) -#define CKM_SKIPJACK_CFB32 (0x1005UL) -#define CKM_SKIPJACK_CFB16 (0x1006UL) -#define CKM_SKIPJACK_CFB8 (0x1007UL) -#define CKM_SKIPJACK_WRAP (0x1008UL) -#define CKM_SKIPJACK_PRIVATE_WRAP (0x1009UL) -#define CKM_SKIPJACK_RELAYX (0x100aUL) -#define CKM_KEA_KEY_PAIR_GEN (0x1010UL) -#define CKM_KEA_KEY_DERIVE (0x1011UL) -#define CKM_FORTEZZA_TIMESTAMP (0x1020UL) -#define CKM_BATON_KEY_GEN (0x1030UL) -#define CKM_BATON_ECB128 (0x1031UL) -#define CKM_BATON_ECB96 (0x1032UL) -#define CKM_BATON_CBC128 (0x1033UL) -#define CKM_BATON_COUNTER (0x1034UL) -#define CKM_BATON_SHUFFLE (0x1035UL) -#define CKM_BATON_WRAP (0x1036UL) -#define CKM_ECDSA_KEY_PAIR_GEN (0x1040UL) -#define CKM_EC_KEY_PAIR_GEN (0x1040UL) -#define CKM_ECDSA (0x1041UL) -#define CKM_ECDSA_SHA1 (0x1042UL) -#define CKM_ECDSA_SHA224 (0x1043UL) -#define CKM_ECDSA_SHA256 (0x1044UL) -#define CKM_ECDSA_SHA384 (0x1045UL) -#define CKM_ECDSA_SHA512 (0x1046UL) -#define CKM_ECDH1_DERIVE (0x1050UL) -#define CKM_ECDH1_COFACTOR_DERIVE (0x1051UL) -#define CKM_ECMQV_DERIVE (0x1052UL) -#define CKM_JUNIPER_KEY_GEN (0x1060UL) -#define CKM_JUNIPER_ECB128 (0x1061UL) -#define CKM_JUNIPER_CBC128 (0x1062UL) -#define CKM_JUNIPER_COUNTER (0x1063UL) -#define CKM_JUNIPER_SHUFFLE (0x1064UL) -#define CKM_JUNIPER_WRAP (0x1065UL) -#define CKM_FASTHASH (0x1070UL) -#define CKM_AES_KEY_GEN (0x1080UL) -#define CKM_AES_ECB (0x1081UL) -#define CKM_AES_CBC (0x1082UL) -#define CKM_AES_MAC (0x1083UL) -#define CKM_AES_MAC_GENERAL (0x1084UL) -#define CKM_AES_CBC_PAD (0x1085UL) -#define CKM_AES_CTR (0x1086UL) -#define CKM_AES_GCM (0x1087UL) -#define CKM_AES_CCM (0x1088UL) -#define CKM_AES_CTS (0x1089UL) -#define CKM_BLOWFISH_KEY_GEN (0x1090UL) -#define CKM_BLOWFISH_CBC (0x1091UL) -#define CKM_TWOFISH_KEY_GEN (0x1092UL) -#define CKM_TWOFISH_CBC (0x1093UL) -#define CKM_GOSTR3410_KEY_PAIR_GEN (0x1200UL) -#define CKM_GOSTR3410 (0x1201UL) -#define CKM_GOSTR3410_WITH_GOSTR3411 (0x1202UL) -#define CKM_GOSTR3410_KEY_WRAP (0x1203UL) -#define CKM_GOSTR3410_DERIVE (0x1204UL) -#define CKM_GOSTR3411 (0x1210UL) -#define CKM_GOSTR3411_HMAC (0x1211UL) -#define CKM_GOST28147_KEY_GEN (0x1220UL) -#define CKM_GOST28147_ECB (0x1221UL) -#define CKM_GOST28147 (0x1222UL) -#define CKM_GOST28147_MAC (0x1223UL) -#define CKM_GOST28147_KEY_WRAP (0x1224UL) +#define CK_PKCS11_FUNCTION_INFO(name) __PASTE(CK_, name) name; -#define CKM_DSA_PARAMETER_GEN (0x2000UL) -#define CKM_DH_PKCS_PARAMETER_GEN (0x2001UL) -#define CKM_X9_42_DH_PARAMETER_GEN (0x2002UL) -#define CKM_VENDOR_DEFINED (1UL << 31) +/* Create the 3.0 Function list */ +struct CK_FUNCTION_LIST_3_0 { -struct ck_mechanism { - ck_mechanism_type_t mechanism; - void *parameter; - unsigned long parameter_len; -}; + CK_VERSION version; /* Cryptoki version */ -struct ck_mechanism_info { - unsigned long min_key_size; - unsigned long max_key_size; - ck_flags_t flags; +/* Pile all the function pointers into the CK_FUNCTION_LIST. */ +/* pkcs11f.h has all the information about the Cryptoki + * function prototypes. + */ +#include "pkcs11f.h" }; -#define CKF_HW (1UL << 0) -#define CKF_ENCRYPT (1UL << 8) -#define CKF_DECRYPT (1UL << 9) -#define CKF_DIGEST (1UL << 10) -#define CKF_SIGN (1UL << 11) -#define CKF_SIGN_RECOVER (1UL << 12) -#define CKF_VERIFY (1UL << 13) -#define CKF_VERIFY_RECOVER (1UL << 14) -#define CKF_GENERATE (1UL << 15) -#define CKF_GENERATE_KEY_PAIR (1UL << 16) -#define CKF_WRAP (1UL << 17) -#define CKF_UNWRAP (1UL << 18) -#define CKF_DERIVE (1UL << 19) -#define CKF_EXTENSION (1UL << 31) - -#define CKF_EC_F_P (1UL << 20) -#define CKF_EC_F_2M (1UL << 21) -#define CKF_EC_ECPARAMETERS (1UL << 22) -#define CKF_EC_NAMEDCURVE (1UL << 23) -#define CKF_EC_UNCOMPRESS (1UL << 24) -#define CKF_EC_COMPRESS (1UL << 25) - -/* Flags for C_WaitForSlotEvent. */ -#define CKF_DONT_BLOCK (1UL) - -/* Flags for Key derivation */ -#define CKD_NULL (1UL << 0) - -typedef struct CK_ECDH1_DERIVE_PARAMS { - unsigned long kdf; - unsigned long ulSharedDataLen; - unsigned char *pSharedData; - unsigned long ulPublicDataLen; - unsigned char *pPublicData; -} CK_ECDH1_DERIVE_PARAMS; - -typedef unsigned long CK_RSA_PKCS_MGF_TYPE; - -#define CKG_MGF1_SHA1 0x00000001UL -#define CKG_MGF1_SHA224 0x00000005UL -#define CKG_MGF1_SHA256 0x00000002UL -#define CKG_MGF1_SHA384 0x00000003UL -#define CKG_MGF1_SHA512 0x00000004UL - -typedef unsigned long CK_RSA_PKCS_OAEP_SOURCE_TYPE; - -#define CKZ_DATA_SPECIFIED (1UL << 0) - -typedef struct CK_RSA_PKCS_OAEP_PARAMS { - CK_MECHANISM_TYPE hashAlg; - CK_RSA_PKCS_MGF_TYPE mgf; - CK_RSA_PKCS_OAEP_SOURCE_TYPE source; - void *pSourceData; - unsigned long ulSourceDataLen; -} CK_RSA_PKCS_OAEP_PARAMS; - -typedef struct CK_RSA_PKCS_PSS_PARAMS { - CK_MECHANISM_TYPE hashAlg; - CK_RSA_PKCS_MGF_TYPE mgf; - unsigned long sLen; -} CK_RSA_PKCS_PSS_PARAMS; - -typedef unsigned long ck_rv_t; - -typedef ck_rv_t (*ck_notify_t)(ck_session_handle_t session, - ck_notification_t event, void *application); - -/* Forward reference. */ -struct ck_function_list; - -#define _CK_DECLARE_FUNCTION(name, args) \ - typedef ck_rv_t(*CK_##name) args; \ - ck_rv_t CK_SPEC name args - -_CK_DECLARE_FUNCTION(C_Initialize, (void *init_args)); -_CK_DECLARE_FUNCTION(C_Finalize, (void *reserved)); -_CK_DECLARE_FUNCTION(C_GetInfo, (struct ck_info * info)); -_CK_DECLARE_FUNCTION(C_GetFunctionList, - (struct ck_function_list * *function_list)); - -_CK_DECLARE_FUNCTION(C_GetSlotList, - (unsigned char token_present, ck_slot_id_t *slot_list, - unsigned long *count)); -_CK_DECLARE_FUNCTION(C_GetSlotInfo, - (ck_slot_id_t slot_id, struct ck_slot_info *info)); -_CK_DECLARE_FUNCTION(C_GetTokenInfo, - (ck_slot_id_t slot_id, struct ck_token_info *info)); -_CK_DECLARE_FUNCTION(C_WaitForSlotEvent, - (ck_flags_t flags, ck_slot_id_t *slot, void *reserved)); -_CK_DECLARE_FUNCTION(C_GetMechanismList, - (ck_slot_id_t slot_id, ck_mechanism_type_t *mechanism_list, - unsigned long *count)); -_CK_DECLARE_FUNCTION(C_GetMechanismInfo, - (ck_slot_id_t slot_id, ck_mechanism_type_t type, - struct ck_mechanism_info *info)); -_CK_DECLARE_FUNCTION(C_InitToken, - (ck_slot_id_t slot_id, unsigned char *pin, - unsigned long pin_len, unsigned char *label)); -_CK_DECLARE_FUNCTION(C_InitPIN, (ck_session_handle_t session, - unsigned char *pin, unsigned long pin_len)); -_CK_DECLARE_FUNCTION(C_SetPIN, (ck_session_handle_t session, - unsigned char *old_pin, unsigned long old_len, - unsigned char *new_pin, unsigned long new_len)); - -_CK_DECLARE_FUNCTION(C_OpenSession, - (ck_slot_id_t slot_id, ck_flags_t flags, void *application, - ck_notify_t notify, ck_session_handle_t *session)); -_CK_DECLARE_FUNCTION(C_CloseSession, (ck_session_handle_t session)); -_CK_DECLARE_FUNCTION(C_CloseAllSessions, (ck_slot_id_t slot_id)); -_CK_DECLARE_FUNCTION(C_GetSessionInfo, (ck_session_handle_t session, - struct ck_session_info *info)); -_CK_DECLARE_FUNCTION(C_GetOperationState, (ck_session_handle_t session, - unsigned char *operation_state, - unsigned long *operation_state_len)); -_CK_DECLARE_FUNCTION(C_SetOperationState, - (ck_session_handle_t session, - unsigned char *operation_state, - unsigned long operation_state_len, - ck_object_handle_t encryption_key, - ck_object_handle_t authentiation_key)); -_CK_DECLARE_FUNCTION(C_Login, - (ck_session_handle_t session, ck_user_type_t user_type, - unsigned char *pin, unsigned long pin_len)); -_CK_DECLARE_FUNCTION(C_Logout, (ck_session_handle_t session)); - -_CK_DECLARE_FUNCTION(C_CreateObject, - (ck_session_handle_t session, struct ck_attribute *templ, - unsigned long count, ck_object_handle_t *object)); -_CK_DECLARE_FUNCTION(C_CopyObject, - (ck_session_handle_t session, ck_object_handle_t object, - struct ck_attribute *templ, unsigned long count, - ck_object_handle_t *new_object)); -_CK_DECLARE_FUNCTION(C_DestroyObject, - (ck_session_handle_t session, ck_object_handle_t object)); -_CK_DECLARE_FUNCTION(C_GetObjectSize, - (ck_session_handle_t session, ck_object_handle_t object, - unsigned long *size)); -_CK_DECLARE_FUNCTION(C_GetAttributeValue, - (ck_session_handle_t session, ck_object_handle_t object, - struct ck_attribute *templ, unsigned long count)); -_CK_DECLARE_FUNCTION(C_SetAttributeValue, - (ck_session_handle_t session, ck_object_handle_t object, - struct ck_attribute *templ, unsigned long count)); -_CK_DECLARE_FUNCTION(C_FindObjectsInit, - (ck_session_handle_t session, struct ck_attribute *templ, - unsigned long count)); -_CK_DECLARE_FUNCTION(C_FindObjects, - (ck_session_handle_t session, ck_object_handle_t *object, - unsigned long max_object_count, - unsigned long *object_count)); -_CK_DECLARE_FUNCTION(C_FindObjectsFinal, (ck_session_handle_t session)); - -_CK_DECLARE_FUNCTION(C_EncryptInit, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, ck_object_handle_t key)); -_CK_DECLARE_FUNCTION(C_Encrypt, - (ck_session_handle_t session, unsigned char *data, - unsigned long data_len, unsigned char *encrypted_data, - unsigned long *encrypted_data_len)); -_CK_DECLARE_FUNCTION(C_EncryptUpdate, - (ck_session_handle_t session, unsigned char *part, - unsigned long part_len, unsigned char *encrypted_part, - unsigned long *encrypted_part_len)); -_CK_DECLARE_FUNCTION(C_EncryptFinal, (ck_session_handle_t session, - unsigned char *last_encrypted_part, - unsigned long *last_encrypted_part_len)); - -_CK_DECLARE_FUNCTION(C_DecryptInit, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, ck_object_handle_t key)); -_CK_DECLARE_FUNCTION(C_Decrypt, (ck_session_handle_t session, - unsigned char *encrypted_data, - unsigned long encrypted_data_len, - unsigned char *data, unsigned long *data_len)); -_CK_DECLARE_FUNCTION(C_DecryptUpdate, - (ck_session_handle_t session, - unsigned char *encrypted_part, - unsigned long encrypted_part_len, unsigned char *part, - unsigned long *part_len)); -_CK_DECLARE_FUNCTION(C_DecryptFinal, - (ck_session_handle_t session, unsigned char *last_part, - unsigned long *last_part_len)); - -_CK_DECLARE_FUNCTION(C_DigestInit, (ck_session_handle_t session, - struct ck_mechanism *mechanism)); -_CK_DECLARE_FUNCTION(C_Digest, - (ck_session_handle_t session, unsigned char *data, - unsigned long data_len, unsigned char *digest, - unsigned long *digest_len)); -_CK_DECLARE_FUNCTION(C_DigestUpdate, - (ck_session_handle_t session, unsigned char *part, - unsigned long part_len)); -_CK_DECLARE_FUNCTION(C_DigestKey, - (ck_session_handle_t session, ck_object_handle_t key)); -_CK_DECLARE_FUNCTION(C_DigestFinal, - (ck_session_handle_t session, unsigned char *digest, - unsigned long *digest_len)); - -_CK_DECLARE_FUNCTION(C_SignInit, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, ck_object_handle_t key)); -_CK_DECLARE_FUNCTION(C_Sign, (ck_session_handle_t session, unsigned char *data, - unsigned long data_len, unsigned char *signature, - unsigned long *signature_len)); -_CK_DECLARE_FUNCTION(C_SignUpdate, - (ck_session_handle_t session, unsigned char *part, - unsigned long part_len)); -_CK_DECLARE_FUNCTION(C_SignFinal, - (ck_session_handle_t session, unsigned char *signature, - unsigned long *signature_len)); -_CK_DECLARE_FUNCTION(C_SignRecoverInit, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, ck_object_handle_t key)); -_CK_DECLARE_FUNCTION(C_SignRecover, - (ck_session_handle_t session, unsigned char *data, - unsigned long data_len, unsigned char *signature, - unsigned long *signature_len)); - -_CK_DECLARE_FUNCTION(C_VerifyInit, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, ck_object_handle_t key)); -_CK_DECLARE_FUNCTION(C_Verify, - (ck_session_handle_t session, unsigned char *data, - unsigned long data_len, unsigned char *signature, - unsigned long signature_len)); -_CK_DECLARE_FUNCTION(C_VerifyUpdate, - (ck_session_handle_t session, unsigned char *part, - unsigned long part_len)); -_CK_DECLARE_FUNCTION(C_VerifyFinal, - (ck_session_handle_t session, unsigned char *signature, - unsigned long signature_len)); -_CK_DECLARE_FUNCTION(C_VerifyRecoverInit, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, ck_object_handle_t key)); -_CK_DECLARE_FUNCTION(C_VerifyRecover, - (ck_session_handle_t session, unsigned char *signature, - unsigned long signature_len, unsigned char *data, - unsigned long *data_len)); - -_CK_DECLARE_FUNCTION(C_DigestEncryptUpdate, - (ck_session_handle_t session, unsigned char *part, - unsigned long part_len, unsigned char *encrypted_part, - unsigned long *encrypted_part_len)); -_CK_DECLARE_FUNCTION(C_DecryptDigestUpdate, - (ck_session_handle_t session, - unsigned char *encrypted_part, - unsigned long encrypted_part_len, unsigned char *part, - unsigned long *part_len)); -_CK_DECLARE_FUNCTION(C_SignEncryptUpdate, - (ck_session_handle_t session, unsigned char *part, - unsigned long part_len, unsigned char *encrypted_part, - unsigned long *encrypted_part_len)); -_CK_DECLARE_FUNCTION(C_DecryptVerifyUpdate, - (ck_session_handle_t session, - unsigned char *encrypted_part, - unsigned long encrypted_part_len, unsigned char *part, - unsigned long *part_len)); +#define CK_PKCS11_2_0_ONLY 1 -_CK_DECLARE_FUNCTION(C_GenerateKey, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, - struct ck_attribute *templ, unsigned long count, - ck_object_handle_t *key)); -_CK_DECLARE_FUNCTION(C_GenerateKeyPair, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, - struct ck_attribute *public_key_template, - unsigned long public_key_attribute_count, - struct ck_attribute *private_key_template, - unsigned long private_key_attribute_count, - ck_object_handle_t *public_key, - ck_object_handle_t *private_key)); -_CK_DECLARE_FUNCTION( - C_WrapKey, (ck_session_handle_t session, struct ck_mechanism *mechanism, - ck_object_handle_t wrapping_key, ck_object_handle_t key, - unsigned char *wrapped_key, unsigned long *wrapped_key_len)); -_CK_DECLARE_FUNCTION( - C_UnwrapKey, (ck_session_handle_t session, struct ck_mechanism *mechanism, - ck_object_handle_t unwrapping_key, unsigned char *wrapped_key, - unsigned long wrapped_key_len, struct ck_attribute *templ, - unsigned long attribute_count, ck_object_handle_t *key)); -_CK_DECLARE_FUNCTION(C_DeriveKey, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, - ck_object_handle_t base_key, struct ck_attribute *templ, - unsigned long attribute_count, ck_object_handle_t *key)); +/* Continue to define the old CK_FUNCTION_LIST */ +struct CK_FUNCTION_LIST { -_CK_DECLARE_FUNCTION(C_SeedRandom, - (ck_session_handle_t session, unsigned char *seed, - unsigned long seed_len)); -_CK_DECLARE_FUNCTION(C_GenerateRandom, - (ck_session_handle_t session, unsigned char *random_data, - unsigned long random_len)); + CK_VERSION version; /* Cryptoki version */ -_CK_DECLARE_FUNCTION(C_GetFunctionStatus, (ck_session_handle_t session)); -_CK_DECLARE_FUNCTION(C_CancelFunction, (ck_session_handle_t session)); - -struct ck_function_list { - struct ck_version version; - CK_C_Initialize C_Initialize; - CK_C_Finalize C_Finalize; - CK_C_GetInfo C_GetInfo; - CK_C_GetFunctionList C_GetFunctionList; - CK_C_GetSlotList C_GetSlotList; - CK_C_GetSlotInfo C_GetSlotInfo; - CK_C_GetTokenInfo C_GetTokenInfo; - CK_C_GetMechanismList C_GetMechanismList; - CK_C_GetMechanismInfo C_GetMechanismInfo; - CK_C_InitToken C_InitToken; - CK_C_InitPIN C_InitPIN; - CK_C_SetPIN C_SetPIN; - CK_C_OpenSession C_OpenSession; - CK_C_CloseSession C_CloseSession; - CK_C_CloseAllSessions C_CloseAllSessions; - CK_C_GetSessionInfo C_GetSessionInfo; - CK_C_GetOperationState C_GetOperationState; - CK_C_SetOperationState C_SetOperationState; - CK_C_Login C_Login; - CK_C_Logout C_Logout; - CK_C_CreateObject C_CreateObject; - CK_C_CopyObject C_CopyObject; - CK_C_DestroyObject C_DestroyObject; - CK_C_GetObjectSize C_GetObjectSize; - CK_C_GetAttributeValue C_GetAttributeValue; - CK_C_SetAttributeValue C_SetAttributeValue; - CK_C_FindObjectsInit C_FindObjectsInit; - CK_C_FindObjects C_FindObjects; - CK_C_FindObjectsFinal C_FindObjectsFinal; - CK_C_EncryptInit C_EncryptInit; - CK_C_Encrypt C_Encrypt; - CK_C_EncryptUpdate C_EncryptUpdate; - CK_C_EncryptFinal C_EncryptFinal; - CK_C_DecryptInit C_DecryptInit; - CK_C_Decrypt C_Decrypt; - CK_C_DecryptUpdate C_DecryptUpdate; - CK_C_DecryptFinal C_DecryptFinal; - CK_C_DigestInit C_DigestInit; - CK_C_Digest C_Digest; - CK_C_DigestUpdate C_DigestUpdate; - CK_C_DigestKey C_DigestKey; - CK_C_DigestFinal C_DigestFinal; - CK_C_SignInit C_SignInit; - CK_C_Sign C_Sign; - CK_C_SignUpdate C_SignUpdate; - CK_C_SignFinal C_SignFinal; - CK_C_SignRecoverInit C_SignRecoverInit; - CK_C_SignRecover C_SignRecover; - CK_C_VerifyInit C_VerifyInit; - CK_C_Verify C_Verify; - CK_C_VerifyUpdate C_VerifyUpdate; - CK_C_VerifyFinal C_VerifyFinal; - CK_C_VerifyRecoverInit C_VerifyRecoverInit; - CK_C_VerifyRecover C_VerifyRecover; - CK_C_DigestEncryptUpdate C_DigestEncryptUpdate; - CK_C_DecryptDigestUpdate C_DecryptDigestUpdate; - CK_C_SignEncryptUpdate C_SignEncryptUpdate; - CK_C_DecryptVerifyUpdate C_DecryptVerifyUpdate; - CK_C_GenerateKey C_GenerateKey; - CK_C_GenerateKeyPair C_GenerateKeyPair; - CK_C_WrapKey C_WrapKey; - CK_C_UnwrapKey C_UnwrapKey; - CK_C_DeriveKey C_DeriveKey; - CK_C_SeedRandom C_SeedRandom; - CK_C_GenerateRandom C_GenerateRandom; - CK_C_GetFunctionStatus C_GetFunctionStatus; - CK_C_CancelFunction C_CancelFunction; - CK_C_WaitForSlotEvent C_WaitForSlotEvent; -}; - -typedef ck_rv_t (*ck_createmutex_t)(void **mutex); -typedef ck_rv_t (*ck_destroymutex_t)(void *mutex); -typedef ck_rv_t (*ck_lockmutex_t)(void *mutex); -typedef ck_rv_t (*ck_unlockmutex_t)(void *mutex); - -struct ck_c_initialize_args { - ck_createmutex_t create_mutex; - ck_destroymutex_t destroy_mutex; - ck_lockmutex_t lock_mutex; - ck_unlockmutex_t unlock_mutex; - ck_flags_t flags; - void *reserved; +/* Pile all the function pointers into the CK_FUNCTION_LIST. */ +/* pkcs11f.h has all the information about the Cryptoki + * function prototypes. + */ +#include "pkcs11f.h" }; -#define CKF_LIBRARY_CANT_CREATE_OS_THREADS (1UL << 0) -#define CKF_OS_LOCKING_OK (1UL << 1) - -#define CKR_OK (0UL) -#define CKR_CANCEL (1UL) -#define CKR_HOST_MEMORY (2UL) -#define CKR_SLOT_ID_INVALID (3UL) -#define CKR_GENERAL_ERROR (5UL) -#define CKR_FUNCTION_FAILED (6UL) -#define CKR_ARGUMENTS_BAD (7UL) -#define CKR_NO_EVENT (8UL) -#define CKR_NEED_TO_CREATE_THREADS (9UL) -#define CKR_CANT_LOCK (0xaUL) -#define CKR_ATTRIBUTE_READ_ONLY (0x10UL) -#define CKR_ATTRIBUTE_SENSITIVE (0x11UL) -#define CKR_ATTRIBUTE_TYPE_INVALID (0x12UL) -#define CKR_ATTRIBUTE_VALUE_INVALID (0x13UL) -#define CKR_DATA_INVALID (0x20UL) -#define CKR_DATA_LEN_RANGE (0x21UL) -#define CKR_DEVICE_ERROR (0x30UL) -#define CKR_DEVICE_MEMORY (0x31UL) -#define CKR_DEVICE_REMOVED (0x32UL) -#define CKR_ENCRYPTED_DATA_INVALID (0x40UL) -#define CKR_ENCRYPTED_DATA_LEN_RANGE (0x41UL) -#define CKR_FUNCTION_CANCELED (0x50UL) -#define CKR_FUNCTION_NOT_PARALLEL (0x51UL) -#define CKR_FUNCTION_NOT_SUPPORTED (0x54UL) -#define CKR_KEY_HANDLE_INVALID (0x60UL) -#define CKR_KEY_SIZE_RANGE (0x62UL) -#define CKR_KEY_TYPE_INCONSISTENT (0x63UL) -#define CKR_KEY_NOT_NEEDED (0x64UL) -#define CKR_KEY_CHANGED (0x65UL) -#define CKR_KEY_NEEDED (0x66UL) -#define CKR_KEY_INDIGESTIBLE (0x67UL) -#define CKR_KEY_FUNCTION_NOT_PERMITTED (0x68UL) -#define CKR_KEY_NOT_WRAPPABLE (0x69UL) -#define CKR_KEY_UNEXTRACTABLE (0x6aUL) -#define CKR_MECHANISM_INVALID (0x70UL) -#define CKR_MECHANISM_PARAM_INVALID (0x71UL) -#define CKR_OBJECT_HANDLE_INVALID (0x82UL) -#define CKR_OPERATION_ACTIVE (0x90UL) -#define CKR_OPERATION_NOT_INITIALIZED (0x91UL) -#define CKR_PIN_INCORRECT (0xa0UL) -#define CKR_PIN_INVALID (0xa1UL) -#define CKR_PIN_LEN_RANGE (0xa2UL) -#define CKR_PIN_EXPIRED (0xa3UL) -#define CKR_PIN_LOCKED (0xa4UL) -#define CKR_SESSION_CLOSED (0xb0UL) -#define CKR_SESSION_COUNT (0xb1UL) -#define CKR_SESSION_HANDLE_INVALID (0xb3UL) -#define CKR_SESSION_PARALLEL_NOT_SUPPORTED (0xb4UL) -#define CKR_SESSION_READ_ONLY (0xb5UL) -#define CKR_SESSION_EXISTS (0xb6UL) -#define CKR_SESSION_READ_ONLY_EXISTS (0xb7UL) -#define CKR_SESSION_READ_WRITE_SO_EXISTS (0xb8UL) -#define CKR_SIGNATURE_INVALID (0xc0UL) -#define CKR_SIGNATURE_LEN_RANGE (0xc1UL) -#define CKR_TEMPLATE_INCOMPLETE (0xd0UL) -#define CKR_TEMPLATE_INCONSISTENT (0xd1UL) -#define CKR_TOKEN_NOT_PRESENT (0xe0UL) -#define CKR_TOKEN_NOT_RECOGNIZED (0xe1UL) -#define CKR_TOKEN_WRITE_PROTECTED (0xe2UL) -#define CKR_UNWRAPPING_KEY_HANDLE_INVALID (0xf0UL) -#define CKR_UNWRAPPING_KEY_SIZE_RANGE (0xf1UL) -#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT (0xf2UL) -#define CKR_USER_ALREADY_LOGGED_IN (0x100UL) -#define CKR_USER_NOT_LOGGED_IN (0x101UL) -#define CKR_USER_PIN_NOT_INITIALIZED (0x102UL) -#define CKR_USER_TYPE_INVALID (0x103UL) -#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN (0x104UL) -#define CKR_USER_TOO_MANY_TYPES (0x105UL) -#define CKR_WRAPPED_KEY_INVALID (0x110UL) -#define CKR_WRAPPED_KEY_LEN_RANGE (0x112UL) -#define CKR_WRAPPING_KEY_HANDLE_INVALID (0x113UL) -#define CKR_WRAPPING_KEY_SIZE_RANGE (0x114UL) -#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT (0x115UL) -#define CKR_RANDOM_SEED_NOT_SUPPORTED (0x120UL) -#define CKR_RANDOM_NO_RNG (0x121UL) -#define CKR_DOMAIN_PARAMS_INVALID (0x130UL) -#define CKR_CURVE_NOT_SUPPORTED (0x140UL) -#define CKR_BUFFER_TOO_SMALL (0x150UL) -#define CKR_SAVED_STATE_INVALID (0x160UL) -#define CKR_INFORMATION_SENSITIVE (0x170UL) -#define CKR_STATE_UNSAVEABLE (0x180UL) -#define CKR_CRYPTOKI_NOT_INITIALIZED (0x190UL) -#define CKR_CRYPTOKI_ALREADY_INITIALIZED (0x191UL) -#define CKR_MUTEX_BAD (0x1a0UL) -#define CKR_MUTEX_NOT_LOCKED (0x1a1UL) -#define CKR_FUNCTION_REJECTED (0x200UL) -#define CKR_VENDOR_DEFINED (1UL << 31) - -/* Compatibility layer. */ - -#ifdef CRYPTOKI_COMPAT - -#undef CK_DEFINE_FUNCTION -#define CK_DEFINE_FUNCTION(retval, name) retval CK_SPEC name - -/* For NULL. */ -#include - -typedef unsigned char CK_BYTE; -typedef unsigned char CK_CHAR; -typedef unsigned char CK_UTF8CHAR; -typedef unsigned char CK_BBOOL; -typedef unsigned long int CK_ULONG; -typedef long int CK_LONG; -typedef CK_BYTE *CK_BYTE_PTR; -typedef CK_CHAR *CK_CHAR_PTR; -typedef CK_UTF8CHAR *CK_UTF8CHAR_PTR; -typedef CK_ULONG *CK_ULONG_PTR; -typedef void *CK_VOID_PTR; -typedef void **CK_VOID_PTR_PTR; -#define CK_FALSE 0 -#define CK_TRUE 1 -#ifndef CK_DISABLE_TRUE_FALSE -#ifndef FALSE -#define FALSE 0 -#endif -#ifndef TRUE -#define TRUE 1 -#endif -#endif - -typedef struct ck_version CK_VERSION; -typedef struct ck_version *CK_VERSION_PTR; - -typedef struct ck_info CK_INFO; -typedef struct ck_info *CK_INFO_PTR; - -typedef ck_slot_id_t *CK_SLOT_ID_PTR; - -typedef struct ck_slot_info CK_SLOT_INFO; -typedef struct ck_slot_info *CK_SLOT_INFO_PTR; - -typedef struct ck_token_info CK_TOKEN_INFO; -typedef struct ck_token_info *CK_TOKEN_INFO_PTR; - -typedef ck_session_handle_t *CK_SESSION_HANDLE_PTR; - -typedef struct ck_session_info CK_SESSION_INFO; -typedef struct ck_session_info *CK_SESSION_INFO_PTR; - -typedef ck_object_handle_t *CK_OBJECT_HANDLE_PTR; - -typedef ck_object_class_t *CK_OBJECT_CLASS_PTR; - -typedef struct ck_attribute CK_ATTRIBUTE; -typedef struct ck_attribute *CK_ATTRIBUTE_PTR; - -typedef struct ck_date CK_DATE; -typedef struct ck_date *CK_DATE_PTR; +#undef CK_PKCS11_FUNCTION_INFO +#undef CK_PKCS11_2_0_ONLY -typedef ck_mechanism_type_t *CK_MECHANISM_TYPE_PTR; - -typedef struct ck_mechanism CK_MECHANISM; -typedef struct ck_mechanism *CK_MECHANISM_PTR; - -typedef struct ck_mechanism_info CK_MECHANISM_INFO; -typedef struct ck_mechanism_info *CK_MECHANISM_INFO_PTR; - -typedef struct ck_function_list CK_FUNCTION_LIST; -typedef struct ck_function_list *CK_FUNCTION_LIST_PTR; -typedef struct ck_function_list **CK_FUNCTION_LIST_PTR_PTR; - -typedef struct ck_c_initialize_args CK_C_INITIALIZE_ARGS; -typedef struct ck_c_initialize_args *CK_C_INITIALIZE_ARGS_PTR; - -#define NULL_PTR NULL - -/* Delete the helper macros defined at the top of the file. */ -#undef ck_flags_t -#undef ck_version - -#undef ck_info -#undef cryptoki_version -#undef manufacturer_id -#undef library_description -#undef library_version - -#undef ck_notification_t -#undef ck_slot_id_t - -#undef ck_slot_info -#undef slot_description -#undef hardware_version -#undef firmware_version - -#undef ck_token_info -#undef serial_number -#undef max_session_count -#undef session_count -#undef max_rw_session_count -#undef rw_session_count -#undef max_pin_len -#undef min_pin_len -#undef total_public_memory -#undef free_public_memory -#undef total_private_memory -#undef free_private_memory -#undef utc_time - -#undef ck_session_handle_t -#undef ck_user_type_t -#undef ck_state_t - -#undef ck_session_info -#undef slot_id -#undef device_error - -#undef ck_object_handle_t -#undef ck_object_class_t -#undef ck_hw_feature_type_t -#undef ck_key_type_t -#undef ck_certificate_type_t -#undef ck_attribute_type_t - -#undef ck_attribute -#undef value -#undef value_len - -#undef ck_date - -#undef ck_mechanism_type_t - -#undef ck_mechanism -#undef parameter -#undef parameter_len - -#undef ck_mechanism_info -#undef min_key_size -#undef max_key_size - -#undef ck_rv_t -#undef ck_notify_t - -#undef ck_function_list - -#undef ck_createmutex_t -#undef ck_destroymutex_t -#undef ck_lockmutex_t -#undef ck_unlockmutex_t - -#undef ck_c_initialize_args -#undef create_mutex -#undef destroy_mutex -#undef lock_mutex -#undef unlock_mutex -#undef reserved - -#endif /* CRYPTOKI_COMPAT */ - -/* System dependencies. */ -#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32) -#pragma pack(pop, cryptoki) -#endif +#undef __PASTE -#if defined(__cplusplus) +#ifdef __cplusplus } #endif -#endif /* PKCS11_H */ +#endif /* _PKCS11_H_ */ diff --git a/pkcs11/pkcs11f.h b/pkcs11/pkcs11f.h new file mode 100644 index 000000000..0d6a1cda7 --- /dev/null +++ b/pkcs11/pkcs11f.h @@ -0,0 +1,1038 @@ +/* + * PKCS #11 Specification Version 3.1 + * Committee Specification Draft 01 + * 16 February 2022 + * Copyright (c) OASIS Open 2022. All Rights Reserved. + * Source: + * https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/csd01/include/pkcs11-v3.1/ + * Latest stage of narrative specification: + * https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/pkcs11-spec-v3.1.html TC + * IPR Statement: https://www.oasis-open.org/committees/pkcs11/ipr.php + */ + +/* Copyright (c) OASIS Open 2016, 2019. All Rights Reserved./ + * /Distributed under the terms of the OASIS IPR Policy, + * [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY + * IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS + * FOR A PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others. + */ + +/* Latest version of the specification: + * http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html + */ + +/* This header file contains pretty much everything about all the + * Cryptoki function prototypes. Because this information is + * used for more than just declaring function prototypes, the + * order of the functions appearing herein is important, and + * should not be altered. + */ + +/* General-purpose */ + +/* C_Initialize initializes the Cryptoki library. */ +CK_PKCS11_FUNCTION_INFO(C_Initialize) +#ifdef CK_NEED_ARG_LIST +(CK_VOID_PTR pInitArgs /* if this is not NULL_PTR, it gets + * cast to CK_C_INITIALIZE_ARGS_PTR + * and dereferenced + */ +); +#endif + +/* C_Finalize indicates that an application is done with the + * Cryptoki library. + */ +CK_PKCS11_FUNCTION_INFO(C_Finalize) +#ifdef CK_NEED_ARG_LIST +(CK_VOID_PTR pReserved /* reserved. Should be NULL_PTR */ +); +#endif + +/* C_GetInfo returns general information about Cryptoki. */ +CK_PKCS11_FUNCTION_INFO(C_GetInfo) +#ifdef CK_NEED_ARG_LIST +(CK_INFO_PTR pInfo /* location that receives information */ +); +#endif + +/* C_GetFunctionList returns the function list. */ +CK_PKCS11_FUNCTION_INFO(C_GetFunctionList) +#ifdef CK_NEED_ARG_LIST +(CK_FUNCTION_LIST_PTR_PTR ppFunctionList /* receives pointer to + * function list + */ +); +#endif + +/* Slot and token management */ + +/* C_GetSlotList obtains a list of slots in the system. */ +CK_PKCS11_FUNCTION_INFO(C_GetSlotList) +#ifdef CK_NEED_ARG_LIST +(CK_BBOOL tokenPresent, /* only slots with tokens */ + CK_SLOT_ID_PTR pSlotList, /* receives array of slot IDs */ + CK_ULONG_PTR pulCount /* receives number of slots */ +); +#endif + +/* C_GetSlotInfo obtains information about a particular slot in + * the system. + */ +CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo) +#ifdef CK_NEED_ARG_LIST +(CK_SLOT_ID slotID, /* the ID of the slot */ + CK_SLOT_INFO_PTR pInfo /* receives the slot information */ +); +#endif + +/* C_GetTokenInfo obtains information about a particular token + * in the system. + */ +CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo) +#ifdef CK_NEED_ARG_LIST +(CK_SLOT_ID slotID, /* ID of the token's slot */ + CK_TOKEN_INFO_PTR pInfo /* receives the token information */ +); +#endif + +/* C_GetMechanismList obtains a list of mechanism types + * supported by a token. + */ +CK_PKCS11_FUNCTION_INFO(C_GetMechanismList) +#ifdef CK_NEED_ARG_LIST +(CK_SLOT_ID slotID, /* ID of token's slot */ + CK_MECHANISM_TYPE_PTR pMechanismList, /* gets mech. array */ + CK_ULONG_PTR pulCount /* gets # of mechs. */ +); +#endif + +/* C_GetMechanismInfo obtains information about a particular + * mechanism possibly supported by a token. + */ +CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo) +#ifdef CK_NEED_ARG_LIST +(CK_SLOT_ID slotID, /* ID of the token's slot */ + CK_MECHANISM_TYPE type, /* type of mechanism */ + CK_MECHANISM_INFO_PTR pInfo /* receives mechanism info */ +); +#endif + +/* C_InitToken initializes a token. */ +CK_PKCS11_FUNCTION_INFO(C_InitToken) +#ifdef CK_NEED_ARG_LIST +(CK_SLOT_ID slotID, /* ID of the token's slot */ + CK_UTF8CHAR_PTR pPin, /* the SO's initial PIN */ + CK_ULONG ulPinLen, /* length in bytes of the PIN */ + CK_UTF8CHAR_PTR pLabel /* 32-byte token label (blank padded) */ +); +#endif + +/* C_InitPIN initializes the normal user's PIN. */ +CK_PKCS11_FUNCTION_INFO(C_InitPIN) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_UTF8CHAR_PTR pPin, /* the normal user's PIN */ + CK_ULONG ulPinLen /* length in bytes of the PIN */ +); +#endif + +/* C_SetPIN modifies the PIN of the user who is logged in. */ +CK_PKCS11_FUNCTION_INFO(C_SetPIN) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_UTF8CHAR_PTR pOldPin, /* the old PIN */ + CK_ULONG ulOldLen, /* length of the old PIN */ + CK_UTF8CHAR_PTR pNewPin, /* the new PIN */ + CK_ULONG ulNewLen /* length of the new PIN */ +); +#endif + +/* Session management */ + +/* C_OpenSession opens a session between an application and a + * token. + */ +CK_PKCS11_FUNCTION_INFO(C_OpenSession) +#ifdef CK_NEED_ARG_LIST +(CK_SLOT_ID slotID, /* the slot's ID */ + CK_FLAGS flags, /* from CK_SESSION_INFO */ + CK_VOID_PTR pApplication, /* passed to callback */ + CK_NOTIFY Notify, /* callback function */ + CK_SESSION_HANDLE_PTR phSession /* gets session handle */ +); +#endif + +/* C_CloseSession closes a session between an application and a + * token. + */ +CK_PKCS11_FUNCTION_INFO(C_CloseSession) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession /* the session's handle */ +); +#endif + +/* C_CloseAllSessions closes all sessions with a token. */ +CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions) +#ifdef CK_NEED_ARG_LIST +(CK_SLOT_ID slotID /* the token's slot */ +); +#endif + +/* C_GetSessionInfo obtains information about the session. */ +CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_SESSION_INFO_PTR pInfo /* receives session info */ +); +#endif + +/* C_GetOperationState obtains the state of the cryptographic operation + * in a session. + */ +CK_PKCS11_FUNCTION_INFO(C_GetOperationState) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* session's handle */ + CK_BYTE_PTR pOperationState, /* gets state */ + CK_ULONG_PTR pulOperationStateLen /* gets state length */ +); +#endif + +/* C_SetOperationState restores the state of the cryptographic + * operation in a session. + */ +CK_PKCS11_FUNCTION_INFO(C_SetOperationState) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* session's handle */ + CK_BYTE_PTR pOperationState, /* holds state */ + CK_ULONG ulOperationStateLen, /* holds state length */ + CK_OBJECT_HANDLE hEncryptionKey, /* en/decryption key */ + CK_OBJECT_HANDLE hAuthenticationKey /* sign/verify key */ +); +#endif + +/* C_Login logs a user into a token. */ +CK_PKCS11_FUNCTION_INFO(C_Login) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_USER_TYPE userType, /* the user type */ + CK_UTF8CHAR_PTR pPin, /* the user's PIN */ + CK_ULONG ulPinLen /* the length of the PIN */ +); +#endif + +/* C_Logout logs a user out from a token. */ +CK_PKCS11_FUNCTION_INFO(C_Logout) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession /* the session's handle */ +); +#endif + +/* Object management */ + +/* C_CreateObject creates a new object. */ +CK_PKCS11_FUNCTION_INFO(C_CreateObject) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_ATTRIBUTE_PTR pTemplate, /* the object's template */ + CK_ULONG ulCount, /* attributes in template */ + CK_OBJECT_HANDLE_PTR phObject /* gets new object's handle. */ +); +#endif + +/* C_CopyObject copies an object, creating a new object for the + * copy. + */ +CK_PKCS11_FUNCTION_INFO(C_CopyObject) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_OBJECT_HANDLE hObject, /* the object's handle */ + CK_ATTRIBUTE_PTR pTemplate, /* template for new object */ + CK_ULONG ulCount, /* attributes in template */ + CK_OBJECT_HANDLE_PTR phNewObject /* receives handle of copy */ +); +#endif + +/* C_DestroyObject destroys an object. */ +CK_PKCS11_FUNCTION_INFO(C_DestroyObject) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_OBJECT_HANDLE hObject /* the object's handle */ +); +#endif + +/* C_GetObjectSize gets the size of an object in bytes. */ +CK_PKCS11_FUNCTION_INFO(C_GetObjectSize) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_OBJECT_HANDLE hObject, /* the object's handle */ + CK_ULONG_PTR pulSize /* receives size of object */ +); +#endif + +/* C_GetAttributeValue obtains the value of one or more object + * attributes. + */ +CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_OBJECT_HANDLE hObject, /* the object's handle */ + CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs; gets vals */ + CK_ULONG ulCount /* attributes in template */ +); +#endif + +/* C_SetAttributeValue modifies the value of one or more object + * attributes. + */ +CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_OBJECT_HANDLE hObject, /* the object's handle */ + CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs and values */ + CK_ULONG ulCount /* attributes in template */ +); +#endif + +/* C_FindObjectsInit initializes a search for token and session + * objects that match a template. + */ +CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_ATTRIBUTE_PTR pTemplate, /* attribute values to match */ + CK_ULONG ulCount /* attrs in search template */ +); +#endif + +/* C_FindObjects continues a search for token and session + * objects that match a template, obtaining additional object + * handles. + */ +CK_PKCS11_FUNCTION_INFO(C_FindObjects) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* session's handle */ + CK_OBJECT_HANDLE_PTR phObject, /* gets obj. handles */ + CK_ULONG ulMaxObjectCount, /* max handles to get */ + CK_ULONG_PTR pulObjectCount /* actual # returned */ +); +#endif + +/* C_FindObjectsFinal finishes a search for token and session + * objects. + */ +CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession /* the session's handle */ +); +#endif + +/* Encryption and decryption */ + +/* C_EncryptInit initializes an encryption operation. */ +CK_PKCS11_FUNCTION_INFO(C_EncryptInit) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the encryption mechanism */ + CK_OBJECT_HANDLE hKey /* handle of encryption key */ +); +#endif + +/* C_Encrypt encrypts single-part data. */ +CK_PKCS11_FUNCTION_INFO(C_Encrypt) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* session's handle */ + CK_BYTE_PTR pData, /* the plaintext data */ + CK_ULONG ulDataLen, /* bytes of plaintext */ + CK_BYTE_PTR pEncryptedData, /* gets ciphertext */ + CK_ULONG_PTR pulEncryptedDataLen /* gets c-text size */ +); +#endif + +/* C_EncryptUpdate continues a multiple-part encryption + * operation. + */ +CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* session's handle */ + CK_BYTE_PTR pPart, /* the plaintext data */ + CK_ULONG ulPartLen, /* plaintext data len */ + CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */ + CK_ULONG_PTR pulEncryptedPartLen /* gets c-text size */ +); +#endif + +/* C_EncryptFinal finishes a multiple-part encryption + * operation. + */ +CK_PKCS11_FUNCTION_INFO(C_EncryptFinal) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* session handle */ + CK_BYTE_PTR pLastEncryptedPart, /* last c-text */ + CK_ULONG_PTR pulLastEncryptedPartLen /* gets last size */ +); +#endif + +/* C_DecryptInit initializes a decryption operation. */ +CK_PKCS11_FUNCTION_INFO(C_DecryptInit) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the decryption mechanism */ + CK_OBJECT_HANDLE hKey /* handle of decryption key */ +); +#endif + +/* C_Decrypt decrypts encrypted data in a single part. */ +CK_PKCS11_FUNCTION_INFO(C_Decrypt) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* session's handle */ + CK_BYTE_PTR pEncryptedData, /* ciphertext */ + CK_ULONG ulEncryptedDataLen, /* ciphertext length */ + CK_BYTE_PTR pData, /* gets plaintext */ + CK_ULONG_PTR pulDataLen /* gets p-text size */ +); +#endif + +/* C_DecryptUpdate continues a multiple-part decryption + * operation. + */ +CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* session's handle */ + CK_BYTE_PTR pEncryptedPart, /* encrypted data */ + CK_ULONG ulEncryptedPartLen, /* input length */ + CK_BYTE_PTR pPart, /* gets plaintext */ + CK_ULONG_PTR pulPartLen /* p-text size */ +); +#endif + +/* C_DecryptFinal finishes a multiple-part decryption + * operation. + */ +CK_PKCS11_FUNCTION_INFO(C_DecryptFinal) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pLastPart, /* gets plaintext */ + CK_ULONG_PTR pulLastPartLen /* p-text size */ +); +#endif + +/* Message digesting */ + +/* C_DigestInit initializes a message-digesting operation. */ +CK_PKCS11_FUNCTION_INFO(C_DigestInit) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism /* the digesting mechanism */ +); +#endif + +/* C_Digest digests data in a single part. */ +CK_PKCS11_FUNCTION_INFO(C_Digest) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pData, /* data to be digested */ + CK_ULONG ulDataLen, /* bytes of data to digest */ + CK_BYTE_PTR pDigest, /* gets the message digest */ + CK_ULONG_PTR pulDigestLen /* gets digest length */ +); +#endif + +/* C_DigestUpdate continues a multiple-part message-digesting + * operation. + */ +CK_PKCS11_FUNCTION_INFO(C_DigestUpdate) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pPart, /* data to be digested */ + CK_ULONG ulPartLen /* bytes of data to be digested */ +); +#endif + +/* C_DigestKey continues a multi-part message-digesting + * operation, by digesting the value of a secret key as part of + * the data already digested. + */ +CK_PKCS11_FUNCTION_INFO(C_DigestKey) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_OBJECT_HANDLE hKey /* secret key to digest */ +); +#endif + +/* C_DigestFinal finishes a multiple-part message-digesting + * operation. + */ +CK_PKCS11_FUNCTION_INFO(C_DigestFinal) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pDigest, /* gets the message digest */ + CK_ULONG_PTR pulDigestLen /* gets byte count of digest */ +); +#endif + +/* Signing and MACing */ + +/* C_SignInit initializes a signature (private key encryption) + * operation, where the signature is (will be) an appendix to + * the data, and plaintext cannot be recovered from the + * signature. + */ +CK_PKCS11_FUNCTION_INFO(C_SignInit) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the signature mechanism */ + CK_OBJECT_HANDLE hKey /* handle of signature key */ +); +#endif + +/* C_Sign signs (encrypts with private key) data in a single + * part, where the signature is (will be) an appendix to the + * data, and plaintext cannot be recovered from the signature. + */ +CK_PKCS11_FUNCTION_INFO(C_Sign) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pData, /* the data to sign */ + CK_ULONG ulDataLen, /* count of bytes to sign */ + CK_BYTE_PTR pSignature, /* gets the signature */ + CK_ULONG_PTR pulSignatureLen /* gets signature length */ +); +#endif + +/* C_SignUpdate continues a multiple-part signature operation, + * where the signature is (will be) an appendix to the data, + * and plaintext cannot be recovered from the signature. + */ +CK_PKCS11_FUNCTION_INFO(C_SignUpdate) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pPart, /* the data to sign */ + CK_ULONG ulPartLen /* count of bytes to sign */ +); +#endif + +/* C_SignFinal finishes a multiple-part signature operation, + * returning the signature. + */ +CK_PKCS11_FUNCTION_INFO(C_SignFinal) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pSignature, /* gets the signature */ + CK_ULONG_PTR pulSignatureLen /* gets signature length */ +); +#endif + +/* C_SignRecoverInit initializes a signature operation, where + * the data can be recovered from the signature. + */ +CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the signature mechanism */ + CK_OBJECT_HANDLE hKey /* handle of the signature key */ +); +#endif + +/* C_SignRecover signs data in a single operation, where the + * data can be recovered from the signature. + */ +CK_PKCS11_FUNCTION_INFO(C_SignRecover) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pData, /* the data to sign */ + CK_ULONG ulDataLen, /* count of bytes to sign */ + CK_BYTE_PTR pSignature, /* gets the signature */ + CK_ULONG_PTR pulSignatureLen /* gets signature length */ +); +#endif + +/* Verifying signatures and MACs */ + +/* C_VerifyInit initializes a verification operation, where the + * signature is an appendix to the data, and plaintext cannot + * cannot be recovered from the signature (e.g. DSA). + */ +CK_PKCS11_FUNCTION_INFO(C_VerifyInit) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the verification mechanism */ + CK_OBJECT_HANDLE hKey /* verification key */ +); +#endif + +/* C_Verify verifies a signature in a single-part operation, + * where the signature is an appendix to the data, and plaintext + * cannot be recovered from the signature. + */ +CK_PKCS11_FUNCTION_INFO(C_Verify) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pData, /* signed data */ + CK_ULONG ulDataLen, /* length of signed data */ + CK_BYTE_PTR pSignature, /* signature */ + CK_ULONG ulSignatureLen /* signature length*/ +); +#endif + +/* C_VerifyUpdate continues a multiple-part verification + * operation, where the signature is an appendix to the data, + * and plaintext cannot be recovered from the signature. + */ +CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pPart, /* signed data */ + CK_ULONG ulPartLen /* length of signed data */ +); +#endif + +/* C_VerifyFinal finishes a multiple-part verification + * operation, checking the signature. + */ +CK_PKCS11_FUNCTION_INFO(C_VerifyFinal) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pSignature, /* signature to verify */ + CK_ULONG ulSignatureLen /* signature length */ +); +#endif + +/* C_VerifyRecoverInit initializes a signature verification + * operation, where the data is recovered from the signature. + */ +CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the verification mechanism */ + CK_OBJECT_HANDLE hKey /* verification key */ +); +#endif + +/* C_VerifyRecover verifies a signature in a single-part + * operation, where the data is recovered from the signature. + */ +CK_PKCS11_FUNCTION_INFO(C_VerifyRecover) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pSignature, /* signature to verify */ + CK_ULONG ulSignatureLen, /* signature length */ + CK_BYTE_PTR pData, /* gets signed data */ + CK_ULONG_PTR pulDataLen /* gets signed data len */ +); +#endif + +/* Dual-function cryptographic operations */ + +/* C_DigestEncryptUpdate continues a multiple-part digesting + * and encryption operation. + */ +CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* session's handle */ + CK_BYTE_PTR pPart, /* the plaintext data */ + CK_ULONG ulPartLen, /* plaintext length */ + CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */ + CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */ +); +#endif + +/* C_DecryptDigestUpdate continues a multiple-part decryption and + * digesting operation. + */ +CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* session's handle */ + CK_BYTE_PTR pEncryptedPart, /* ciphertext */ + CK_ULONG ulEncryptedPartLen, /* ciphertext length */ + CK_BYTE_PTR pPart, /* gets plaintext */ + CK_ULONG_PTR pulPartLen /* gets plaintext len */ +); +#endif + +/* C_SignEncryptUpdate continues a multiple-part signing and + * encryption operation. + */ +CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* session's handle */ + CK_BYTE_PTR pPart, /* the plaintext data */ + CK_ULONG ulPartLen, /* plaintext length */ + CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */ + CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */ +); +#endif + +/* C_DecryptVerifyUpdate continues a multiple-part decryption and + * verify operation. + */ +CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* session's handle */ + CK_BYTE_PTR pEncryptedPart, /* ciphertext */ + CK_ULONG ulEncryptedPartLen, /* ciphertext length */ + CK_BYTE_PTR pPart, /* gets plaintext */ + CK_ULONG_PTR pulPartLen /* gets p-text length */ +); +#endif + +/* Key management */ + +/* C_GenerateKey generates a secret key, creating a new key + * object. + */ +CK_PKCS11_FUNCTION_INFO(C_GenerateKey) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* key generation mech. */ + CK_ATTRIBUTE_PTR pTemplate, /* template for new key */ + CK_ULONG ulCount, /* # of attrs in template */ + CK_OBJECT_HANDLE_PTR phKey /* gets handle of new key */ +); +#endif + +/* C_GenerateKeyPair generates a public-key/private-key pair, + * creating new key objects. + */ +CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* session handle */ + CK_MECHANISM_PTR pMechanism, /* key-gen mech. */ + CK_ATTRIBUTE_PTR pPublicKeyTemplate, /* template for pub. key */ + CK_ULONG ulPublicKeyAttributeCount, /* # pub. attrs. */ + CK_ATTRIBUTE_PTR pPrivateKeyTemplate, /* template for priv. key */ + CK_ULONG ulPrivateKeyAttributeCount, /* # priv. attrs. */ + CK_OBJECT_HANDLE_PTR phPublicKey, /* gets pub. key handle */ + CK_OBJECT_HANDLE_PTR phPrivateKey /* gets priv. key handle */ +); +#endif + +/* C_WrapKey wraps (i.e., encrypts) a key. */ +CK_PKCS11_FUNCTION_INFO(C_WrapKey) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the wrapping mechanism */ + CK_OBJECT_HANDLE hWrappingKey, /* wrapping key */ + CK_OBJECT_HANDLE hKey, /* key to be wrapped */ + CK_BYTE_PTR pWrappedKey, /* gets wrapped key */ + CK_ULONG_PTR pulWrappedKeyLen /* gets wrapped key size */ +); +#endif + +/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new + * key object. + */ +CK_PKCS11_FUNCTION_INFO(C_UnwrapKey) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* session's handle */ + CK_MECHANISM_PTR pMechanism, /* unwrapping mech. */ + CK_OBJECT_HANDLE hUnwrappingKey, /* unwrapping key */ + CK_BYTE_PTR pWrappedKey, /* the wrapped key */ + CK_ULONG ulWrappedKeyLen, /* wrapped key len */ + CK_ATTRIBUTE_PTR pTemplate, /* new key template */ + CK_ULONG ulAttributeCount, /* template length */ + CK_OBJECT_HANDLE_PTR phKey /* gets new handle */ +); +#endif + +/* C_DeriveKey derives a key from a base key, creating a new key + * object. + */ +CK_PKCS11_FUNCTION_INFO(C_DeriveKey) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* session's handle */ + CK_MECHANISM_PTR pMechanism, /* key deriv. mech. */ + CK_OBJECT_HANDLE hBaseKey, /* base key */ + CK_ATTRIBUTE_PTR pTemplate, /* new key template */ + CK_ULONG ulAttributeCount, /* template length */ + CK_OBJECT_HANDLE_PTR phKey /* gets new handle */ +); +#endif + +/* Random number generation */ + +/* C_SeedRandom mixes additional seed material into the token's + * random number generator. + */ +CK_PKCS11_FUNCTION_INFO(C_SeedRandom) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pSeed, /* the seed material */ + CK_ULONG ulSeedLen /* length of seed material */ +); +#endif + +/* C_GenerateRandom generates random data. */ +CK_PKCS11_FUNCTION_INFO(C_GenerateRandom) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR RandomData, /* receives the random data */ + CK_ULONG ulRandomLen /* # of bytes to generate */ +); +#endif + +/* Parallel function management */ + +/* C_GetFunctionStatus is a legacy function; it obtains an + * updated status of a function running in parallel with an + * application. + */ +CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession /* the session's handle */ +); +#endif + +/* C_CancelFunction is a legacy function; it cancels a function + * running in parallel. + */ +CK_PKCS11_FUNCTION_INFO(C_CancelFunction) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession /* the session's handle */ +); +#endif + +/* C_WaitForSlotEvent waits for a slot event (token insertion, + * removal, etc.) to occur. + */ +CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent) +#ifdef CK_NEED_ARG_LIST +(CK_FLAGS flags, /* blocking/nonblocking flag */ + CK_SLOT_ID_PTR pSlot, /* location that receives the slot ID */ + CK_VOID_PTR pRserved /* reserved. Should be NULL_PTR */ +); +#endif + +#ifndef CK_PKCS11_2_0_ONLY +/* C_GetInterfaceList returns all the interfaces supported by the module*/ +CK_PKCS11_FUNCTION_INFO(C_GetInterfaceList) +#ifdef CK_NEED_ARG_LIST +(CK_INTERFACE_PTR pInterfacesList, /* returned interfaces */ + CK_ULONG_PTR pulCount /* number of interfaces returned */ +); +#endif + +/* C_GetInterface returns a specific interface from the module. */ +CK_PKCS11_FUNCTION_INFO(C_GetInterface) +#ifdef CK_NEED_ARG_LIST +(CK_UTF8CHAR_PTR pInterfaceName, /* name of the interface */ + CK_VERSION_PTR pVersion, /* version of the interface */ + CK_INTERFACE_PTR_PTR ppInterface, /* returned interface */ + CK_FLAGS flags /* flags controlling the semantics + * of the interface */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_LoginUser) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_USER_TYPE userType, /* the user type */ + CK_UTF8CHAR_PTR pPin, /* the user's PIN */ + CK_ULONG ulPinLen, /* the length of the PIN */ + CK_UTF8CHAR_PTR pUsername, /* the user's name */ + CK_ULONG ulUsernameLen /*the length of the user's name */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_SessionCancel) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_FLAGS flags /* flags control which sessions are cancelled */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_MessageEncryptInit) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the encryption mechanism */ + CK_OBJECT_HANDLE hKey /* handle of encryption key */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_EncryptMessage) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pAssociatedData, /* AEAD Associated data */ + CK_ULONG ulAssociatedDataLen, /* AEAD Associated data length */ + CK_BYTE_PTR pPlaintext, /* plain text */ + CK_ULONG ulPlaintextLen, /* plain text length */ + CK_BYTE_PTR pCiphertext, /* gets cipher text */ + CK_ULONG_PTR pulCiphertextLen /* gets cipher text length */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_EncryptMessageBegin) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pAssociatedData, /* AEAD Associated data */ + CK_ULONG ulAssociatedDataLen /* AEAD Associated data length */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_EncryptMessageNext) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pPlaintextPart, /* plain text */ + CK_ULONG ulPlaintextPartLen, /* plain text length */ + CK_BYTE_PTR pCiphertextPart, /* gets cipher text */ + CK_ULONG_PTR pulCiphertextPartLen, /* gets cipher text length */ + CK_FLAGS flags /* multi mode flag */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_MessageEncryptFinal) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession /* the session's handle */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_MessageDecryptInit) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the decryption mechanism */ + CK_OBJECT_HANDLE hKey /* handle of decryption key */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_DecryptMessage) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pAssociatedData, /* AEAD Associated data */ + CK_ULONG ulAssociatedDataLen, /* AEAD Associated data length */ + CK_BYTE_PTR pCiphertext, /* cipher text */ + CK_ULONG ulCiphertextLen, /* cipher text length */ + CK_BYTE_PTR pPlaintext, /* gets plain text */ + CK_ULONG_PTR pulPlaintextLen /* gets plain text length */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_DecryptMessageBegin) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pAssociatedData, /* AEAD Associated data */ + CK_ULONG ulAssociatedDataLen /* AEAD Associated data length */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_DecryptMessageNext) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pCiphertextPart, /* cipher text */ + CK_ULONG ulCiphertextPartLen, /* cipher text length */ + CK_BYTE_PTR pPlaintextPart, /* gets plain text */ + CK_ULONG_PTR pulPlaintextPartLen, /* gets plain text length */ + CK_FLAGS flags /* multi mode flag */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_MessageDecryptFinal) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession /* the session's handle */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_MessageSignInit) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the signing mechanism */ + CK_OBJECT_HANDLE hKey /* handle of signing key */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_SignMessage) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pData, /* data to sign */ + CK_ULONG ulDataLen, /* data to sign length */ + CK_BYTE_PTR pSignature, /* gets signature */ + CK_ULONG_PTR pulSignatureLen /* gets signature length */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_SignMessageBegin) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen /* length of message specific parameter */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_SignMessageNext) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pData, /* data to sign */ + CK_ULONG ulDataLen, /* data to sign length */ + CK_BYTE_PTR pSignature, /* gets signature */ + CK_ULONG_PTR pulSignatureLen /* gets signature length */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_MessageSignFinal) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession /* the session's handle */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_MessageVerifyInit) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the signing mechanism */ + CK_OBJECT_HANDLE hKey /* handle of signing key */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_VerifyMessage) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pData, /* data to sign */ + CK_ULONG ulDataLen, /* data to sign length */ + CK_BYTE_PTR pSignature, /* signature */ + CK_ULONG ulSignatureLen /* signature length */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_VerifyMessageBegin) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen /* length of message specific parameter */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_VerifyMessageNext) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pData, /* data to sign */ + CK_ULONG ulDataLen, /* data to sign length */ + CK_BYTE_PTR pSignature, /* signature */ + CK_ULONG ulSignatureLen /* signature length */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_MessageVerifyFinal) +#ifdef CK_NEED_ARG_LIST +(CK_SESSION_HANDLE hSession /* the session's handle */ +); +#endif + +#endif /* CK_PKCS11_2_0_ONLY */ diff --git a/pkcs11/pkcs11t.h b/pkcs11/pkcs11t.h new file mode 100644 index 000000000..5bccec0dd --- /dev/null +++ b/pkcs11/pkcs11t.h @@ -0,0 +1,2484 @@ +/* + * PKCS #11 Specification Version 3.1 + * Committee Specification Draft 01 + * 16 February 2022 + * Copyright (c) OASIS Open 2022. All Rights Reserved. + * Source: + * https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/csd01/include/pkcs11-v3.1/ + * Latest stage of narrative specification: + * https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/pkcs11-spec-v3.1.html TC + * IPR Statement: https://www.oasis-open.org/committees/pkcs11/ipr.php + */ + +/* Copyright (c) OASIS Open 2016, 2019. All Rights Reserved./ + * /Distributed under the terms of the OASIS IPR Policy, + * [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY + * IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS + * FOR A PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others. + */ + +/* Latest version of the specification: + * http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html + */ + +/* See top of pkcs11.h for information about the macros that + * must be defined and the structure-packing conventions that + * must be set before including this file. + */ + +#ifndef _PKCS11T_H_ +#define _PKCS11T_H_ 1 + +#define CRYPTOKI_VERSION_MAJOR 3 +#define CRYPTOKI_VERSION_MINOR 1 +#define CRYPTOKI_VERSION_AMENDMENT 0 + +#define CK_TRUE 1 +#define CK_FALSE 0 + +#ifndef CK_DISABLE_TRUE_FALSE +#ifndef FALSE +#define FALSE CK_FALSE +#endif +#ifndef TRUE +#define TRUE CK_TRUE +#endif +#endif + +/* an unsigned 8-bit value */ +typedef unsigned char CK_BYTE; + +/* an unsigned 8-bit character */ +typedef CK_BYTE CK_CHAR; + +/* an 8-bit UTF-8 character */ +typedef CK_BYTE CK_UTF8CHAR; + +/* a BYTE-sized Boolean flag */ +typedef CK_BYTE CK_BBOOL; + +/* an unsigned value, at least 32 bits long */ +typedef unsigned long int CK_ULONG; + +/* a signed value, the same size as a CK_ULONG */ +typedef long int CK_LONG; + +/* at least 32 bits; each bit is a Boolean flag */ +typedef CK_ULONG CK_FLAGS; + +/* some special values for certain CK_ULONG variables */ +#define CK_UNAVAILABLE_INFORMATION (~0UL) +#define CK_EFFECTIVELY_INFINITE 0UL + +typedef CK_BYTE CK_PTR CK_BYTE_PTR; +typedef CK_CHAR CK_PTR CK_CHAR_PTR; +typedef CK_UTF8CHAR CK_PTR CK_UTF8CHAR_PTR; +typedef CK_ULONG CK_PTR CK_ULONG_PTR; +typedef void CK_PTR CK_VOID_PTR; + +/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */ +typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR; + +/* The following value is always invalid if used as a session + * handle or object handle + */ +#define CK_INVALID_HANDLE 0UL + +typedef struct CK_VERSION { + CK_BYTE major; /* integer portion of version number */ + CK_BYTE minor; /* 1/100ths portion of version number */ +} CK_VERSION; + +typedef CK_VERSION CK_PTR CK_VERSION_PTR; + +typedef struct CK_INFO { + CK_VERSION cryptokiVersion; /* Cryptoki interface ver */ + CK_UTF8CHAR manufacturerID[32]; /* blank padded */ + CK_FLAGS flags; /* must be zero */ + CK_UTF8CHAR libraryDescription[32]; /* blank padded */ + CK_VERSION libraryVersion; /* version of library */ +} CK_INFO; + +typedef CK_INFO CK_PTR CK_INFO_PTR; + +/* CK_NOTIFICATION enumerates the types of notifications that + * Cryptoki provides to an application + */ +typedef CK_ULONG CK_NOTIFICATION; +#define CKN_SURRENDER 0UL +#define CKN_OTP_CHANGED 1UL + +typedef CK_ULONG CK_SLOT_ID; + +typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR; + +/* CK_SLOT_INFO provides information about a slot */ +typedef struct CK_SLOT_INFO { + CK_UTF8CHAR slotDescription[64]; /* blank padded */ + CK_UTF8CHAR manufacturerID[32]; /* blank padded */ + CK_FLAGS flags; + + CK_VERSION hardwareVersion; /* version of hardware */ + CK_VERSION firmwareVersion; /* version of firmware */ +} CK_SLOT_INFO; + +/* flags: bit flags that provide capabilities of the slot + * Bit Flag Mask Meaning + */ +#define CKF_TOKEN_PRESENT 0x00000001UL /* a token is there */ +#define CKF_REMOVABLE_DEVICE 0x00000002UL /* removable devices*/ +#define CKF_HW_SLOT 0x00000004UL /* hardware slot */ + +typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR; + +/* CK_TOKEN_INFO provides information about a token */ +typedef struct CK_TOKEN_INFO { + CK_UTF8CHAR label[32]; /* blank padded */ + CK_UTF8CHAR manufacturerID[32]; /* blank padded */ + CK_UTF8CHAR model[16]; /* blank padded */ + CK_CHAR serialNumber[16]; /* blank padded */ + CK_FLAGS flags; /* see below */ + + CK_ULONG ulMaxSessionCount; /* max open sessions */ + CK_ULONG ulSessionCount; /* sess. now open */ + CK_ULONG ulMaxRwSessionCount; /* max R/W sessions */ + CK_ULONG ulRwSessionCount; /* R/W sess. now open */ + CK_ULONG ulMaxPinLen; /* in bytes */ + CK_ULONG ulMinPinLen; /* in bytes */ + CK_ULONG ulTotalPublicMemory; /* in bytes */ + CK_ULONG ulFreePublicMemory; /* in bytes */ + CK_ULONG ulTotalPrivateMemory; /* in bytes */ + CK_ULONG ulFreePrivateMemory; /* in bytes */ + CK_VERSION hardwareVersion; /* version of hardware */ + CK_VERSION firmwareVersion; /* version of firmware */ + CK_CHAR utcTime[16]; /* time */ +} CK_TOKEN_INFO; + +/* The flags parameter is defined as follows: + * Bit Flag Mask Meaning + */ +#define CKF_RNG 0x00000001UL /* has random # generator */ +#define CKF_WRITE_PROTECTED 0x00000002UL /* token is write-protected */ +#define CKF_LOGIN_REQUIRED 0x00000004UL /* user must login */ +#define CKF_USER_PIN_INITIALIZED 0x00000008UL /* normal user's PIN is set */ + +/* CKF_RESTORE_KEY_NOT_NEEDED. If it is set, + * that means that *every* time the state of cryptographic + * operations of a session is successfully saved, all keys + * needed to continue those operations are stored in the state + */ +#define CKF_RESTORE_KEY_NOT_NEEDED 0x00000020UL + +/* CKF_CLOCK_ON_TOKEN. If it is set, that means + * that the token has some sort of clock. The time on that + * clock is returned in the token info structure + */ +#define CKF_CLOCK_ON_TOKEN 0x00000040UL + +/* CKF_PROTECTED_AUTHENTICATION_PATH. If it is + * set, that means that there is some way for the user to login + * without sending a PIN through the Cryptoki library itself + */ +#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL + +/* CKF_DUAL_CRYPTO_OPERATIONS. If it is true, + * that means that a single session with the token can perform + * dual simultaneous cryptographic operations (digest and + * encrypt; decrypt and digest; sign and encrypt; and decrypt + * and sign) + */ +#define CKF_DUAL_CRYPTO_OPERATIONS 0x00000200UL + +/* CKF_TOKEN_INITIALIZED. If it is true, the + * token has been initialized using C_InitializeToken or an + * equivalent mechanism outside the scope of PKCS #11. + * Calling C_InitializeToken when this flag is set will cause + * the token to be reinitialized. + */ +#define CKF_TOKEN_INITIALIZED 0x00000400UL + +/* CKF_SECONDARY_AUTHENTICATION. If it is + * true, the token supports secondary authentication for + * private key objects. + */ +#define CKF_SECONDARY_AUTHENTICATION 0x00000800UL + +/* CKF_USER_PIN_COUNT_LOW. If it is true, an + * incorrect user login PIN has been entered at least once + * since the last successful authentication. + */ +#define CKF_USER_PIN_COUNT_LOW 0x00010000UL + +/* CKF_USER_PIN_FINAL_TRY. If it is true, + * supplying an incorrect user PIN will it to become locked. + */ +#define CKF_USER_PIN_FINAL_TRY 0x00020000UL + +/* CKF_USER_PIN_LOCKED. If it is true, the + * user PIN has been locked. User login to the token is not + * possible. + */ +#define CKF_USER_PIN_LOCKED 0x00040000UL + +/* CKF_USER_PIN_TO_BE_CHANGED. If it is true, + * the user PIN value is the default value set by token + * initialization or manufacturing, or the PIN has been + * expired by the card. + */ +#define CKF_USER_PIN_TO_BE_CHANGED 0x00080000UL + +/* CKF_SO_PIN_COUNT_LOW. If it is true, an + * incorrect SO login PIN has been entered at least once since + * the last successful authentication. + */ +#define CKF_SO_PIN_COUNT_LOW 0x00100000UL + +/* CKF_SO_PIN_FINAL_TRY. If it is true, + * supplying an incorrect SO PIN will it to become locked. + */ +#define CKF_SO_PIN_FINAL_TRY 0x00200000UL + +/* CKF_SO_PIN_LOCKED. If it is true, the SO + * PIN has been locked. SO login to the token is not possible. + */ +#define CKF_SO_PIN_LOCKED 0x00400000UL + +/* CKF_SO_PIN_TO_BE_CHANGED. If it is true, + * the SO PIN value is the default value set by token + * initialization or manufacturing, or the PIN has been + * expired by the card. + */ +#define CKF_SO_PIN_TO_BE_CHANGED 0x00800000UL + +#define CKF_ERROR_STATE 0x01000000UL + +typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR; + +/* CK_SESSION_HANDLE is a Cryptoki-assigned value that + * identifies a session + */ +typedef CK_ULONG CK_SESSION_HANDLE; + +typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR; + +/* CK_USER_TYPE enumerates the types of Cryptoki users */ +typedef CK_ULONG CK_USER_TYPE; +/* Security Officer */ +#define CKU_SO 0UL +/* Normal user */ +#define CKU_USER 1UL +/* Context specific */ +#define CKU_CONTEXT_SPECIFIC 2UL + +/* CK_STATE enumerates the session states */ +typedef CK_ULONG CK_STATE; +#define CKS_RO_PUBLIC_SESSION 0UL +#define CKS_RO_USER_FUNCTIONS 1UL +#define CKS_RW_PUBLIC_SESSION 2UL +#define CKS_RW_USER_FUNCTIONS 3UL +#define CKS_RW_SO_FUNCTIONS 4UL + +/* CK_SESSION_INFO provides information about a session */ +typedef struct CK_SESSION_INFO { + CK_SLOT_ID slotID; + CK_STATE state; + CK_FLAGS flags; /* see below */ + CK_ULONG ulDeviceError; /* device-dependent error code */ +} CK_SESSION_INFO; + +/* The flags are defined in the following table: + * Bit Flag Mask Meaning + */ +#define CKF_RW_SESSION 0x00000002UL /* session is r/w */ +#define CKF_SERIAL_SESSION 0x00000004UL /* no parallel */ + +typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR; + +/* CK_OBJECT_HANDLE is a token-specific identifier for an + * object + */ +typedef CK_ULONG CK_OBJECT_HANDLE; + +typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR; + +/* CK_OBJECT_CLASS is a value that identifies the classes (or + * types) of objects that Cryptoki recognizes. It is defined + * as follows: + */ +typedef CK_ULONG CK_OBJECT_CLASS; + +/* The following classes of objects are defined: */ +#define CKO_DATA 0x00000000UL +#define CKO_CERTIFICATE 0x00000001UL +#define CKO_PUBLIC_KEY 0x00000002UL +#define CKO_PRIVATE_KEY 0x00000003UL +#define CKO_SECRET_KEY 0x00000004UL +#define CKO_HW_FEATURE 0x00000005UL +#define CKO_DOMAIN_PARAMETERS 0x00000006UL +#define CKO_MECHANISM 0x00000007UL +#define CKO_OTP_KEY 0x00000008UL +#define CKO_PROFILE 0x00000009UL + +#define CKO_VENDOR_DEFINED 0x80000000UL + +typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR; + +/* Profile ID's */ +#define CKP_INVALID_ID 0x00000000UL +#define CKP_BASELINE_PROVIDER 0x00000001UL +#define CKP_EXTENDED_PROVIDER 0x00000002UL +#define CKP_AUTHENTICATION_TOKEN 0x00000003UL +#define CKP_PUBLIC_CERTIFICATES_TOKEN 0x00000004UL +#define CKP_COMPLETE_PROVIDER 0x00000005UL +#define CKP_HKDF_TLS_TOKEN 0x00000006UL +#define CKP_VENDOR_DEFINED 0x80000000UL + +/* CK_HW_FEATURE_TYPE is a value that identifies the hardware feature type + * of an object with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. + */ +typedef CK_ULONG CK_HW_FEATURE_TYPE; + +/* The following hardware feature types are defined */ +#define CKH_MONOTONIC_COUNTER 0x00000001UL +#define CKH_CLOCK 0x00000002UL +#define CKH_USER_INTERFACE 0x00000003UL +#define CKH_VENDOR_DEFINED 0x80000000UL + +/* CK_KEY_TYPE is a value that identifies a key type */ +typedef CK_ULONG CK_KEY_TYPE; + +/* the following key types are defined: */ +#define CKK_RSA 0x00000000UL +#define CKK_DSA 0x00000001UL +#define CKK_DH 0x00000002UL +#define CKK_ECDSA 0x00000003UL /* Deprecated */ +#define CKK_EC 0x00000003UL +#define CKK_X9_42_DH 0x00000004UL +#define CKK_KEA 0x00000005UL +#define CKK_GENERIC_SECRET 0x00000010UL +#define CKK_RC2 0x00000011UL +#define CKK_RC4 0x00000012UL +#define CKK_DES 0x00000013UL +#define CKK_DES2 0x00000014UL +#define CKK_DES3 0x00000015UL +#define CKK_CAST 0x00000016UL +#define CKK_CAST3 0x00000017UL +#define CKK_CAST5 0x00000018UL /* Deprecated */ +#define CKK_CAST128 0x00000018UL +#define CKK_RC5 0x00000019UL +#define CKK_IDEA 0x0000001AUL +#define CKK_SKIPJACK 0x0000001BUL +#define CKK_BATON 0x0000001CUL +#define CKK_JUNIPER 0x0000001DUL +#define CKK_CDMF 0x0000001EUL +#define CKK_AES 0x0000001FUL +#define CKK_BLOWFISH 0x00000020UL +#define CKK_TWOFISH 0x00000021UL +#define CKK_SECURID 0x00000022UL +#define CKK_HOTP 0x00000023UL +#define CKK_ACTI 0x00000024UL +#define CKK_CAMELLIA 0x00000025UL +#define CKK_ARIA 0x00000026UL + +/* the following definitions were added in the 2.30 header file, + * but never defined in the spec. */ +#define CKK_MD5_HMAC 0x00000027UL +#define CKK_SHA_1_HMAC 0x00000028UL +#define CKK_RIPEMD128_HMAC 0x00000029UL +#define CKK_RIPEMD160_HMAC 0x0000002AUL +#define CKK_SHA256_HMAC 0x0000002BUL +#define CKK_SHA384_HMAC 0x0000002CUL +#define CKK_SHA512_HMAC 0x0000002DUL +#define CKK_SHA224_HMAC 0x0000002EUL + +#define CKK_SEED 0x0000002FUL +#define CKK_GOSTR3410 0x00000030UL +#define CKK_GOSTR3411 0x00000031UL +#define CKK_GOST28147 0x00000032UL +#define CKK_CHACHA20 0x00000033UL +#define CKK_POLY1305 0x00000034UL +#define CKK_AES_XTS 0x00000035UL +#define CKK_SHA3_224_HMAC 0x00000036UL +#define CKK_SHA3_256_HMAC 0x00000037UL +#define CKK_SHA3_384_HMAC 0x00000038UL +#define CKK_SHA3_512_HMAC 0x00000039UL +#define CKK_BLAKE2B_160_HMAC 0x0000003aUL +#define CKK_BLAKE2B_256_HMAC 0x0000003bUL +#define CKK_BLAKE2B_384_HMAC 0x0000003cUL +#define CKK_BLAKE2B_512_HMAC 0x0000003dUL +#define CKK_SALSA20 0x0000003eUL +#define CKK_X2RATCHET 0x0000003fUL +#define CKK_EC_EDWARDS 0x00000040UL +#define CKK_EC_MONTGOMERY 0x00000041UL +#define CKK_HKDF 0x00000042UL + +#define CKK_SHA512_224_HMAC 0x00000043UL +#define CKK_SHA512_256_HMAC 0x00000044UL +#define CKK_SHA512_T_HMAC 0x00000045UL +#define CKK_HSS 0x00000046UL + +#define CKK_VENDOR_DEFINED 0x80000000UL + +/* CK_CERTIFICATE_TYPE is a value that identifies a certificate + * type + */ +typedef CK_ULONG CK_CERTIFICATE_TYPE; + +#define CK_CERTIFICATE_CATEGORY_UNSPECIFIED 0UL +#define CK_CERTIFICATE_CATEGORY_TOKEN_USER 1UL +#define CK_CERTIFICATE_CATEGORY_AUTHORITY 2UL +#define CK_CERTIFICATE_CATEGORY_OTHER_ENTITY 3UL + +#define CK_SECURITY_DOMAIN_UNSPECIFIED 0UL +#define CK_SECURITY_DOMAIN_MANUFACTURER 1UL +#define CK_SECURITY_DOMAIN_OPERATOR 2UL +#define CK_SECURITY_DOMAIN_THIRD_PARTY 3UL + +/* The following certificate types are defined: */ +#define CKC_X_509 0x00000000UL +#define CKC_X_509_ATTR_CERT 0x00000001UL +#define CKC_WTLS 0x00000002UL +#define CKC_VENDOR_DEFINED 0x80000000UL + +/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute + * type + */ +typedef CK_ULONG CK_ATTRIBUTE_TYPE; + +/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which + * consists of an array of values. + */ +#define CKF_ARRAY_ATTRIBUTE 0x40000000UL + +/* The following OTP-related defines relate to the CKA_OTP_FORMAT attribute */ +#define CK_OTP_FORMAT_DECIMAL 0UL +#define CK_OTP_FORMAT_HEXADECIMAL 1UL +#define CK_OTP_FORMAT_ALPHANUMERIC 2UL +#define CK_OTP_FORMAT_BINARY 3UL + +/* The following OTP-related defines relate to the CKA_OTP_..._REQUIREMENT + * attributes + */ +#define CK_OTP_PARAM_IGNORED 0UL +#define CK_OTP_PARAM_OPTIONAL 1UL +#define CK_OTP_PARAM_MANDATORY 2UL + +/* The following attribute types are defined: */ +#define CKA_CLASS 0x00000000UL +#define CKA_TOKEN 0x00000001UL +#define CKA_PRIVATE 0x00000002UL +#define CKA_LABEL 0x00000003UL +#define CKA_UNIQUE_ID 0x00000004UL +#define CKA_APPLICATION 0x00000010UL +#define CKA_VALUE 0x00000011UL +#define CKA_OBJECT_ID 0x00000012UL +#define CKA_CERTIFICATE_TYPE 0x00000080UL +#define CKA_ISSUER 0x00000081UL +#define CKA_SERIAL_NUMBER 0x00000082UL +#define CKA_AC_ISSUER 0x00000083UL +#define CKA_OWNER 0x00000084UL +#define CKA_ATTR_TYPES 0x00000085UL +#define CKA_TRUSTED 0x00000086UL +#define CKA_CERTIFICATE_CATEGORY 0x00000087UL +#define CKA_JAVA_MIDP_SECURITY_DOMAIN 0x00000088UL +#define CKA_URL 0x00000089UL +#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY 0x0000008aUL +#define CKA_HASH_OF_ISSUER_PUBLIC_KEY 0x0000008bUL +#define CKA_NAME_HASH_ALGORITHM 0x0000008cUL +#define CKA_CHECK_VALUE 0x00000090UL + +#define CKA_KEY_TYPE 0x00000100UL +#define CKA_SUBJECT 0x00000101UL +#define CKA_ID 0x00000102UL +#define CKA_SENSITIVE 0x00000103UL +#define CKA_ENCRYPT 0x00000104UL +#define CKA_DECRYPT 0x00000105UL +#define CKA_WRAP 0x00000106UL +#define CKA_UNWRAP 0x00000107UL +#define CKA_SIGN 0x00000108UL +#define CKA_SIGN_RECOVER 0x00000109UL +#define CKA_VERIFY 0x0000010aUL +#define CKA_VERIFY_RECOVER 0x0000010bUL +#define CKA_DERIVE 0x0000010cUL +#define CKA_START_DATE 0x00000110UL +#define CKA_END_DATE 0x00000111UL +#define CKA_MODULUS 0x00000120UL +#define CKA_MODULUS_BITS 0x00000121UL +#define CKA_PUBLIC_EXPONENT 0x00000122UL +#define CKA_PRIVATE_EXPONENT 0x00000123UL +#define CKA_PRIME_1 0x00000124UL +#define CKA_PRIME_2 0x00000125UL +#define CKA_EXPONENT_1 0x00000126UL +#define CKA_EXPONENT_2 0x00000127UL +#define CKA_COEFFICIENT 0x00000128UL +#define CKA_PUBLIC_KEY_INFO 0x00000129UL +#define CKA_PRIME 0x00000130UL +#define CKA_SUBPRIME 0x00000131UL +#define CKA_BASE 0x00000132UL + +#define CKA_PRIME_BITS 0x00000133UL +#define CKA_SUBPRIME_BITS 0x00000134UL +#define CKA_SUB_PRIME_BITS CKA_SUBPRIME_BITS + +#define CKA_VALUE_BITS 0x00000160UL +#define CKA_VALUE_LEN 0x00000161UL +#define CKA_EXTRACTABLE 0x00000162UL +#define CKA_LOCAL 0x00000163UL +#define CKA_NEVER_EXTRACTABLE 0x00000164UL +#define CKA_ALWAYS_SENSITIVE 0x00000165UL +#define CKA_KEY_GEN_MECHANISM 0x00000166UL + +#define CKA_MODIFIABLE 0x00000170UL +#define CKA_COPYABLE 0x00000171UL + +#define CKA_DESTROYABLE 0x00000172UL + +#define CKA_ECDSA_PARAMS 0x00000180UL /* Deprecated */ +#define CKA_EC_PARAMS 0x00000180UL + +#define CKA_EC_POINT 0x00000181UL + +#define CKA_SECONDARY_AUTH 0x00000200UL /* Deprecated */ +#define CKA_AUTH_PIN_FLAGS 0x00000201UL /* Deprecated */ + +#define CKA_ALWAYS_AUTHENTICATE 0x00000202UL + +#define CKA_WRAP_WITH_TRUSTED 0x00000210UL +#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x00000211UL) +#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x00000212UL) +#define CKA_DERIVE_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x00000213UL) + +#define CKA_OTP_FORMAT 0x00000220UL +#define CKA_OTP_LENGTH 0x00000221UL +#define CKA_OTP_TIME_INTERVAL 0x00000222UL +#define CKA_OTP_USER_FRIENDLY_MODE 0x00000223UL +#define CKA_OTP_CHALLENGE_REQUIREMENT 0x00000224UL +#define CKA_OTP_TIME_REQUIREMENT 0x00000225UL +#define CKA_OTP_COUNTER_REQUIREMENT 0x00000226UL +#define CKA_OTP_PIN_REQUIREMENT 0x00000227UL +#define CKA_OTP_COUNTER 0x0000022eUL +#define CKA_OTP_TIME 0x0000022fUL +#define CKA_OTP_USER_IDENTIFIER 0x0000022aUL +#define CKA_OTP_SERVICE_IDENTIFIER 0x0000022bUL +#define CKA_OTP_SERVICE_LOGO 0x0000022cUL +#define CKA_OTP_SERVICE_LOGO_TYPE 0x0000022dUL + +#define CKA_GOSTR3410_PARAMS 0x00000250UL +#define CKA_GOSTR3411_PARAMS 0x00000251UL +#define CKA_GOST28147_PARAMS 0x00000252UL + +#define CKA_HW_FEATURE_TYPE 0x00000300UL +#define CKA_RESET_ON_INIT 0x00000301UL +#define CKA_HAS_RESET 0x00000302UL + +#define CKA_PIXEL_X 0x00000400UL +#define CKA_PIXEL_Y 0x00000401UL +#define CKA_RESOLUTION 0x00000402UL +#define CKA_CHAR_ROWS 0x00000403UL +#define CKA_CHAR_COLUMNS 0x00000404UL +#define CKA_COLOR 0x00000405UL +#define CKA_BITS_PER_PIXEL 0x00000406UL +#define CKA_CHAR_SETS 0x00000480UL +#define CKA_ENCODING_METHODS 0x00000481UL +#define CKA_MIME_TYPES 0x00000482UL +#define CKA_MECHANISM_TYPE 0x00000500UL +#define CKA_REQUIRED_CMS_ATTRIBUTES 0x00000501UL +#define CKA_DEFAULT_CMS_ATTRIBUTES 0x00000502UL +#define CKA_SUPPORTED_CMS_ATTRIBUTES 0x00000503UL +#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE | 0x00000600UL) +#define CKA_PROFILE_ID 0x00000601UL + +#define CKA_X2RATCHET_BAG 0x00000602UL +#define CKA_X2RATCHET_BAGSIZE 0x00000603UL +#define CKA_X2RATCHET_BOBS1STMSG 0x00000604UL +#define CKA_X2RATCHET_CKR 0x00000605UL +#define CKA_X2RATCHET_CKS 0x00000606UL +#define CKA_X2RATCHET_DHP 0x00000607UL +#define CKA_X2RATCHET_DHR 0x00000608UL +#define CKA_X2RATCHET_DHS 0x00000609UL +#define CKA_X2RATCHET_HKR 0x0000060aUL +#define CKA_X2RATCHET_HKS 0x0000060bUL +#define CKA_X2RATCHET_ISALICE 0x0000060cUL +#define CKA_X2RATCHET_NHKR 0x0000060dUL +#define CKA_X2RATCHET_NHKS 0x0000060eUL +#define CKA_X2RATCHET_NR 0x0000060fUL +#define CKA_X2RATCHET_NS 0x00000610UL +#define CKA_X2RATCHET_PNS 0x00000611UL +#define CKA_X2RATCHET_RK 0x00000612UL +/* HSS */ +#define CKA_HSS_LEVELS 0x00000617UL +#define CKA_HSS_LMS_TYPE 0x00000618UL +#define CKA_HSS_LMOTS_TYPE 0x00000619UL +#define CKA_HSS_LMS_TYPES 0x0000061aUL +#define CKA_HSS_LMOTS_TYPES 0x0000061bUL +#define CKA_HSS_KEYS_REMAINING 0x0000061cUL + +#define CKA_VENDOR_DEFINED 0x80000000UL + +/* CK_ATTRIBUTE is a structure that includes the type, length + * and value of an attribute + */ +typedef struct CK_ATTRIBUTE { + CK_ATTRIBUTE_TYPE type; + CK_VOID_PTR pValue; + CK_ULONG ulValueLen; /* in bytes */ +} CK_ATTRIBUTE; + +typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR; + +/* CK_DATE is a structure that defines a date */ +typedef struct CK_DATE { + CK_CHAR year[4]; /* the year ("1900" - "9999") */ + CK_CHAR month[2]; /* the month ("01" - "12") */ + CK_CHAR day[2]; /* the day ("01" - "31") */ +} CK_DATE; + +/* CK_MECHANISM_TYPE is a value that identifies a mechanism + * type + */ +typedef CK_ULONG CK_MECHANISM_TYPE; + +/* the following mechanism types are defined: */ +#define CKM_RSA_PKCS_KEY_PAIR_GEN 0x00000000UL +#define CKM_RSA_PKCS 0x00000001UL +#define CKM_RSA_9796 0x00000002UL +#define CKM_RSA_X_509 0x00000003UL + +#define CKM_MD2_RSA_PKCS 0x00000004UL +#define CKM_MD5_RSA_PKCS 0x00000005UL +#define CKM_SHA1_RSA_PKCS 0x00000006UL + +#define CKM_RIPEMD128_RSA_PKCS 0x00000007UL +#define CKM_RIPEMD160_RSA_PKCS 0x00000008UL +#define CKM_RSA_PKCS_OAEP 0x00000009UL + +#define CKM_RSA_X9_31_KEY_PAIR_GEN 0x0000000aUL +#define CKM_RSA_X9_31 0x0000000bUL +#define CKM_SHA1_RSA_X9_31 0x0000000cUL +#define CKM_RSA_PKCS_PSS 0x0000000dUL +#define CKM_SHA1_RSA_PKCS_PSS 0x0000000eUL + +#define CKM_DSA_KEY_PAIR_GEN 0x00000010UL +#define CKM_DSA 0x00000011UL +#define CKM_DSA_SHA1 0x00000012UL +#define CKM_DSA_SHA224 0x00000013UL +#define CKM_DSA_SHA256 0x00000014UL +#define CKM_DSA_SHA384 0x00000015UL +#define CKM_DSA_SHA512 0x00000016UL +#define CKM_DSA_SHA3_224 0x00000018UL +#define CKM_DSA_SHA3_256 0x00000019UL +#define CKM_DSA_SHA3_384 0x0000001aUL +#define CKM_DSA_SHA3_512 0x0000001bUL + +#define CKM_DH_PKCS_KEY_PAIR_GEN 0x00000020UL +#define CKM_DH_PKCS_DERIVE 0x00000021UL + +#define CKM_X9_42_DH_KEY_PAIR_GEN 0x00000030UL +#define CKM_X9_42_DH_DERIVE 0x00000031UL +#define CKM_X9_42_DH_HYBRID_DERIVE 0x00000032UL +#define CKM_X9_42_MQV_DERIVE 0x00000033UL + +#define CKM_SHA256_RSA_PKCS 0x00000040UL +#define CKM_SHA384_RSA_PKCS 0x00000041UL +#define CKM_SHA512_RSA_PKCS 0x00000042UL +#define CKM_SHA256_RSA_PKCS_PSS 0x00000043UL +#define CKM_SHA384_RSA_PKCS_PSS 0x00000044UL +#define CKM_SHA512_RSA_PKCS_PSS 0x00000045UL + +#define CKM_SHA224_RSA_PKCS 0x00000046UL +#define CKM_SHA224_RSA_PKCS_PSS 0x00000047UL + +#define CKM_SHA512_224 0x00000048UL +#define CKM_SHA512_224_HMAC 0x00000049UL +#define CKM_SHA512_224_HMAC_GENERAL 0x0000004aUL +#define CKM_SHA512_224_KEY_DERIVATION 0x0000004bUL +#define CKM_SHA512_256 0x0000004cUL +#define CKM_SHA512_256_HMAC 0x0000004dUL +#define CKM_SHA512_256_HMAC_GENERAL 0x0000004eUL +#define CKM_SHA512_256_KEY_DERIVATION 0x0000004fUL + +#define CKM_SHA512_T 0x00000050UL +#define CKM_SHA512_T_HMAC 0x00000051UL +#define CKM_SHA512_T_HMAC_GENERAL 0x00000052UL +#define CKM_SHA512_T_KEY_DERIVATION 0x00000053UL + +#define CKM_SHA3_256_RSA_PKCS 0x00000060UL +#define CKM_SHA3_384_RSA_PKCS 0x00000061UL +#define CKM_SHA3_512_RSA_PKCS 0x00000062UL +#define CKM_SHA3_256_RSA_PKCS_PSS 0x00000063UL +#define CKM_SHA3_384_RSA_PKCS_PSS 0x00000064UL +#define CKM_SHA3_512_RSA_PKCS_PSS 0x00000065UL +#define CKM_SHA3_224_RSA_PKCS 0x00000066UL +#define CKM_SHA3_224_RSA_PKCS_PSS 0x00000067UL + +#define CKM_RC2_KEY_GEN 0x00000100UL +#define CKM_RC2_ECB 0x00000101UL +#define CKM_RC2_CBC 0x00000102UL +#define CKM_RC2_MAC 0x00000103UL + +#define CKM_RC2_MAC_GENERAL 0x00000104UL +#define CKM_RC2_CBC_PAD 0x00000105UL + +#define CKM_RC4_KEY_GEN 0x00000110UL +#define CKM_RC4 0x00000111UL +#define CKM_DES_KEY_GEN 0x00000120UL +#define CKM_DES_ECB 0x00000121UL +#define CKM_DES_CBC 0x00000122UL +#define CKM_DES_MAC 0x00000123UL + +#define CKM_DES_MAC_GENERAL 0x00000124UL +#define CKM_DES_CBC_PAD 0x00000125UL + +#define CKM_DES2_KEY_GEN 0x00000130UL +#define CKM_DES3_KEY_GEN 0x00000131UL +#define CKM_DES3_ECB 0x00000132UL +#define CKM_DES3_CBC 0x00000133UL +#define CKM_DES3_MAC 0x00000134UL + +#define CKM_DES3_MAC_GENERAL 0x00000135UL +#define CKM_DES3_CBC_PAD 0x00000136UL +#define CKM_DES3_CMAC_GENERAL 0x00000137UL +#define CKM_DES3_CMAC 0x00000138UL +#define CKM_CDMF_KEY_GEN 0x00000140UL +#define CKM_CDMF_ECB 0x00000141UL +#define CKM_CDMF_CBC 0x00000142UL +#define CKM_CDMF_MAC 0x00000143UL +#define CKM_CDMF_MAC_GENERAL 0x00000144UL +#define CKM_CDMF_CBC_PAD 0x00000145UL + +#define CKM_DES_OFB64 0x00000150UL +#define CKM_DES_OFB8 0x00000151UL +#define CKM_DES_CFB64 0x00000152UL +#define CKM_DES_CFB8 0x00000153UL + +#define CKM_MD2 0x00000200UL + +#define CKM_MD2_HMAC 0x00000201UL +#define CKM_MD2_HMAC_GENERAL 0x00000202UL + +#define CKM_MD5 0x00000210UL + +#define CKM_MD5_HMAC 0x00000211UL +#define CKM_MD5_HMAC_GENERAL 0x00000212UL + +#define CKM_SHA_1 0x00000220UL + +#define CKM_SHA_1_HMAC 0x00000221UL +#define CKM_SHA_1_HMAC_GENERAL 0x00000222UL + +#define CKM_RIPEMD128 0x00000230UL +#define CKM_RIPEMD128_HMAC 0x00000231UL +#define CKM_RIPEMD128_HMAC_GENERAL 0x00000232UL +#define CKM_RIPEMD160 0x00000240UL +#define CKM_RIPEMD160_HMAC 0x00000241UL +#define CKM_RIPEMD160_HMAC_GENERAL 0x00000242UL + +#define CKM_SHA256 0x00000250UL +#define CKM_SHA256_HMAC 0x00000251UL +#define CKM_SHA256_HMAC_GENERAL 0x00000252UL +#define CKM_SHA224 0x00000255UL +#define CKM_SHA224_HMAC 0x00000256UL +#define CKM_SHA224_HMAC_GENERAL 0x00000257UL +#define CKM_SHA384 0x00000260UL +#define CKM_SHA384_HMAC 0x00000261UL +#define CKM_SHA384_HMAC_GENERAL 0x00000262UL +#define CKM_SHA512 0x00000270UL +#define CKM_SHA512_HMAC 0x00000271UL +#define CKM_SHA512_HMAC_GENERAL 0x00000272UL +#define CKM_SECURID_KEY_GEN 0x00000280UL +#define CKM_SECURID 0x00000282UL +#define CKM_HOTP_KEY_GEN 0x00000290UL +#define CKM_HOTP 0x00000291UL +#define CKM_ACTI 0x000002a0UL +#define CKM_ACTI_KEY_GEN 0x000002a1UL + +#define CKM_SHA3_256 0x000002b0UL +#define CKM_SHA3_256_HMAC 0x000002b1UL +#define CKM_SHA3_256_HMAC_GENERAL 0x000002b2UL +#define CKM_SHA3_256_KEY_GEN 0x000002b3UL +#define CKM_SHA3_224 0x000002b5UL +#define CKM_SHA3_224_HMAC 0x000002b6UL +#define CKM_SHA3_224_HMAC_GENERAL 0x000002b7UL +#define CKM_SHA3_224_KEY_GEN 0x000002b8UL +#define CKM_SHA3_384 0x000002c0UL +#define CKM_SHA3_384_HMAC 0x000002c1UL +#define CKM_SHA3_384_HMAC_GENERAL 0x000002c2UL +#define CKM_SHA3_384_KEY_GEN 0x000002c3UL +#define CKM_SHA3_512 0x000002d0UL +#define CKM_SHA3_512_HMAC 0x000002d1UL +#define CKM_SHA3_512_HMAC_GENERAL 0x000002d2UL +#define CKM_SHA3_512_KEY_GEN 0x000002d3UL + +#define CKM_CAST_KEY_GEN 0x00000300UL +#define CKM_CAST_ECB 0x00000301UL +#define CKM_CAST_CBC 0x00000302UL +#define CKM_CAST_MAC 0x00000303UL +#define CKM_CAST_MAC_GENERAL 0x00000304UL +#define CKM_CAST_CBC_PAD 0x00000305UL +#define CKM_CAST3_KEY_GEN 0x00000310UL +#define CKM_CAST3_ECB 0x00000311UL +#define CKM_CAST3_CBC 0x00000312UL +#define CKM_CAST3_MAC 0x00000313UL +#define CKM_CAST3_MAC_GENERAL 0x00000314UL +#define CKM_CAST3_CBC_PAD 0x00000315UL +/* Note that CAST128 and CAST5 are the same algorithm */ +#define CKM_CAST5_KEY_GEN 0x00000320UL +#define CKM_CAST128_KEY_GEN 0x00000320UL +#define CKM_CAST5_ECB 0x00000321UL +#define CKM_CAST128_ECB 0x00000321UL +#define CKM_CAST5_CBC 0x00000322UL /* Deprecated */ +#define CKM_CAST128_CBC 0x00000322UL +#define CKM_CAST5_MAC 0x00000323UL /* Deprecated */ +#define CKM_CAST128_MAC 0x00000323UL +#define CKM_CAST5_MAC_GENERAL 0x00000324UL /* Deprecated */ +#define CKM_CAST128_MAC_GENERAL 0x00000324UL +#define CKM_CAST5_CBC_PAD 0x00000325UL /* Deprecated */ +#define CKM_CAST128_CBC_PAD 0x00000325UL +#define CKM_RC5_KEY_GEN 0x00000330UL +#define CKM_RC5_ECB 0x00000331UL +#define CKM_RC5_CBC 0x00000332UL +#define CKM_RC5_MAC 0x00000333UL +#define CKM_RC5_MAC_GENERAL 0x00000334UL +#define CKM_RC5_CBC_PAD 0x00000335UL +#define CKM_IDEA_KEY_GEN 0x00000340UL +#define CKM_IDEA_ECB 0x00000341UL +#define CKM_IDEA_CBC 0x00000342UL +#define CKM_IDEA_MAC 0x00000343UL +#define CKM_IDEA_MAC_GENERAL 0x00000344UL +#define CKM_IDEA_CBC_PAD 0x00000345UL +#define CKM_GENERIC_SECRET_KEY_GEN 0x00000350UL +#define CKM_CONCATENATE_BASE_AND_KEY 0x00000360UL +#define CKM_CONCATENATE_BASE_AND_DATA 0x00000362UL +#define CKM_CONCATENATE_DATA_AND_BASE 0x00000363UL +#define CKM_XOR_BASE_AND_DATA 0x00000364UL +#define CKM_EXTRACT_KEY_FROM_KEY 0x00000365UL +#define CKM_SSL3_PRE_MASTER_KEY_GEN 0x00000370UL +#define CKM_SSL3_MASTER_KEY_DERIVE 0x00000371UL +#define CKM_SSL3_KEY_AND_MAC_DERIVE 0x00000372UL + +#define CKM_SSL3_MASTER_KEY_DERIVE_DH 0x00000373UL +#define CKM_TLS_PRE_MASTER_KEY_GEN 0x00000374UL +#define CKM_TLS_MASTER_KEY_DERIVE 0x00000375UL +#define CKM_TLS_KEY_AND_MAC_DERIVE 0x00000376UL +#define CKM_TLS_MASTER_KEY_DERIVE_DH 0x00000377UL + +#define CKM_TLS_PRF 0x00000378UL + +#define CKM_SSL3_MD5_MAC 0x00000380UL +#define CKM_SSL3_SHA1_MAC 0x00000381UL +#define CKM_MD5_KEY_DERIVATION 0x00000390UL +#define CKM_MD2_KEY_DERIVATION 0x00000391UL +#define CKM_SHA1_KEY_DERIVATION 0x00000392UL + +#define CKM_SHA256_KEY_DERIVATION 0x00000393UL +#define CKM_SHA384_KEY_DERIVATION 0x00000394UL +#define CKM_SHA512_KEY_DERIVATION 0x00000395UL +#define CKM_SHA224_KEY_DERIVATION 0x00000396UL +#define CKM_SHA3_256_KEY_DERIVATION 0x00000397UL +#define CKM_SHA3_224_KEY_DERIVATION 0x00000398UL +#define CKM_SHA3_384_KEY_DERIVATION 0x00000399UL +#define CKM_SHA3_512_KEY_DERIVATION 0x0000039aUL +#define CKM_SHAKE_128_KEY_DERIVATION 0x0000039bUL +#define CKM_SHAKE_256_KEY_DERIVATION 0x0000039cUL +#define CKM_SHA3_256_KEY_DERIVE CKM_SHA3_256_KEY_DERIVATION +#define CKM_SHA3_224_KEY_DERIVE CKM_SHA3_224_KEY_DERIVATION +#define CKM_SHA3_384_KEY_DERIVE CKM_SHA3_384_KEY_DERIVATION +#define CKM_SHA3_512_KEY_DERIVE CKM_SHA3_512_KEY_DERIVATION +#define CKM_SHAKE_128_KEY_DERIVE CKM_SHAKE_128_KEY_DERIVATION +#define CKM_SHAKE_256_KEY_DERIVE CKM_SHAKE_256_KEY_DERIVATION + +#define CKM_PBE_MD2_DES_CBC 0x000003a0UL +#define CKM_PBE_MD5_DES_CBC 0x000003a1UL +#define CKM_PBE_MD5_CAST_CBC 0x000003a2UL +#define CKM_PBE_MD5_CAST3_CBC 0x000003a3UL +#define CKM_PBE_MD5_CAST5_CBC 0x000003a4UL /* Deprecated */ +#define CKM_PBE_MD5_CAST128_CBC 0x000003a4UL +#define CKM_PBE_SHA1_CAST5_CBC 0x000003a5UL /* Deprecated */ +#define CKM_PBE_SHA1_CAST128_CBC 0x000003a5UL +#define CKM_PBE_SHA1_RC4_128 0x000003a6UL +#define CKM_PBE_SHA1_RC4_40 0x000003a7UL +#define CKM_PBE_SHA1_DES3_EDE_CBC 0x000003a8UL +#define CKM_PBE_SHA1_DES2_EDE_CBC 0x000003a9UL +#define CKM_PBE_SHA1_RC2_128_CBC 0x000003aaUL +#define CKM_PBE_SHA1_RC2_40_CBC 0x000003abUL + +#define CKM_PKCS5_PBKD2 0x000003b0UL + +#define CKM_PBA_SHA1_WITH_SHA1_HMAC 0x000003c0UL + +#define CKM_WTLS_PRE_MASTER_KEY_GEN 0x000003d0UL +#define CKM_WTLS_MASTER_KEY_DERIVE 0x000003d1UL +#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC 0x000003d2UL +#define CKM_WTLS_PRF 0x000003d3UL +#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE 0x000003d4UL +#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE 0x000003d5UL + +#define CKM_TLS10_MAC_SERVER 0x000003d6UL +#define CKM_TLS10_MAC_CLIENT 0x000003d7UL +#define CKM_TLS12_MAC 0x000003d8UL +#define CKM_TLS12_KDF 0x000003d9UL +#define CKM_TLS12_MASTER_KEY_DERIVE 0x000003e0UL +#define CKM_TLS12_KEY_AND_MAC_DERIVE 0x000003e1UL +#define CKM_TLS12_MASTER_KEY_DERIVE_DH 0x000003e2UL +#define CKM_TLS12_KEY_SAFE_DERIVE 0x000003e3UL +#define CKM_TLS_MAC 0x000003e4UL +#define CKM_TLS_KDF 0x000003e5UL + +#define CKM_KEY_WRAP_LYNKS 0x00000400UL +#define CKM_KEY_WRAP_SET_OAEP 0x00000401UL + +#define CKM_CMS_SIG 0x00000500UL +#define CKM_KIP_DERIVE 0x00000510UL +#define CKM_KIP_WRAP 0x00000511UL +#define CKM_KIP_MAC 0x00000512UL + +#define CKM_CAMELLIA_KEY_GEN 0x00000550UL +#define CKM_CAMELLIA_ECB 0x00000551UL +#define CKM_CAMELLIA_CBC 0x00000552UL +#define CKM_CAMELLIA_MAC 0x00000553UL +#define CKM_CAMELLIA_MAC_GENERAL 0x00000554UL +#define CKM_CAMELLIA_CBC_PAD 0x00000555UL +#define CKM_CAMELLIA_ECB_ENCRYPT_DATA 0x00000556UL +#define CKM_CAMELLIA_CBC_ENCRYPT_DATA 0x00000557UL +#define CKM_CAMELLIA_CTR 0x00000558UL + +#define CKM_ARIA_KEY_GEN 0x00000560UL +#define CKM_ARIA_ECB 0x00000561UL +#define CKM_ARIA_CBC 0x00000562UL +#define CKM_ARIA_MAC 0x00000563UL +#define CKM_ARIA_MAC_GENERAL 0x00000564UL +#define CKM_ARIA_CBC_PAD 0x00000565UL +#define CKM_ARIA_ECB_ENCRYPT_DATA 0x00000566UL +#define CKM_ARIA_CBC_ENCRYPT_DATA 0x00000567UL + +#define CKM_SEED_KEY_GEN 0x00000650UL +#define CKM_SEED_ECB 0x00000651UL +#define CKM_SEED_CBC 0x00000652UL +#define CKM_SEED_MAC 0x00000653UL +#define CKM_SEED_MAC_GENERAL 0x00000654UL +#define CKM_SEED_CBC_PAD 0x00000655UL +#define CKM_SEED_ECB_ENCRYPT_DATA 0x00000656UL +#define CKM_SEED_CBC_ENCRYPT_DATA 0x00000657UL + +#define CKM_SKIPJACK_KEY_GEN 0x00001000UL +#define CKM_SKIPJACK_ECB64 0x00001001UL +#define CKM_SKIPJACK_CBC64 0x00001002UL +#define CKM_SKIPJACK_OFB64 0x00001003UL +#define CKM_SKIPJACK_CFB64 0x00001004UL +#define CKM_SKIPJACK_CFB32 0x00001005UL +#define CKM_SKIPJACK_CFB16 0x00001006UL +#define CKM_SKIPJACK_CFB8 0x00001007UL +#define CKM_SKIPJACK_WRAP 0x00001008UL +#define CKM_SKIPJACK_PRIVATE_WRAP 0x00001009UL +#define CKM_SKIPJACK_RELAYX 0x0000100aUL +#define CKM_KEA_KEY_PAIR_GEN 0x00001010UL +#define CKM_KEA_KEY_DERIVE 0x00001011UL +#define CKM_KEA_DERIVE 0x00001012UL +#define CKM_FORTEZZA_TIMESTAMP 0x00001020UL +#define CKM_BATON_KEY_GEN 0x00001030UL +#define CKM_BATON_ECB128 0x00001031UL +#define CKM_BATON_ECB96 0x00001032UL +#define CKM_BATON_CBC128 0x00001033UL +#define CKM_BATON_COUNTER 0x00001034UL +#define CKM_BATON_SHUFFLE 0x00001035UL +#define CKM_BATON_WRAP 0x00001036UL + +#define CKM_ECDSA_KEY_PAIR_GEN 0x00001040UL /* Deprecated */ +#define CKM_EC_KEY_PAIR_GEN 0x00001040UL + +#define CKM_ECDSA 0x00001041UL +#define CKM_ECDSA_SHA1 0x00001042UL +#define CKM_ECDSA_SHA224 0x00001043UL +#define CKM_ECDSA_SHA256 0x00001044UL +#define CKM_ECDSA_SHA384 0x00001045UL +#define CKM_ECDSA_SHA512 0x00001046UL +#define CKM_EC_KEY_PAIR_GEN_W_EXTRA_BITS 0x0000140bUL + +#define CKM_ECDH1_DERIVE 0x00001050UL +#define CKM_ECDH1_COFACTOR_DERIVE 0x00001051UL +#define CKM_ECMQV_DERIVE 0x00001052UL + +#define CKM_ECDH_AES_KEY_WRAP 0x00001053UL +#define CKM_RSA_AES_KEY_WRAP 0x00001054UL + +#define CKM_JUNIPER_KEY_GEN 0x00001060UL +#define CKM_JUNIPER_ECB128 0x00001061UL +#define CKM_JUNIPER_CBC128 0x00001062UL +#define CKM_JUNIPER_COUNTER 0x00001063UL +#define CKM_JUNIPER_SHUFFLE 0x00001064UL +#define CKM_JUNIPER_WRAP 0x00001065UL +#define CKM_FASTHASH 0x00001070UL + +#define CKM_AES_XTS 0x00001071UL +#define CKM_AES_XTS_KEY_GEN 0x00001072UL +#define CKM_AES_KEY_GEN 0x00001080UL +#define CKM_AES_ECB 0x00001081UL +#define CKM_AES_CBC 0x00001082UL +#define CKM_AES_MAC 0x00001083UL +#define CKM_AES_MAC_GENERAL 0x00001084UL +#define CKM_AES_CBC_PAD 0x00001085UL +#define CKM_AES_CTR 0x00001086UL +#define CKM_AES_GCM 0x00001087UL +#define CKM_AES_CCM 0x00001088UL +#define CKM_AES_CTS 0x00001089UL +#define CKM_AES_CMAC 0x0000108aUL +#define CKM_AES_CMAC_GENERAL 0x0000108bUL + +#define CKM_AES_XCBC_MAC 0x0000108cUL +#define CKM_AES_XCBC_MAC_96 0x0000108dUL +#define CKM_AES_GMAC 0x0000108eUL + +#define CKM_BLOWFISH_KEY_GEN 0x00001090UL +#define CKM_BLOWFISH_CBC 0x00001091UL +#define CKM_TWOFISH_KEY_GEN 0x00001092UL +#define CKM_TWOFISH_CBC 0x00001093UL +#define CKM_BLOWFISH_CBC_PAD 0x00001094UL +#define CKM_TWOFISH_CBC_PAD 0x00001095UL + +#define CKM_DES_ECB_ENCRYPT_DATA 0x00001100UL +#define CKM_DES_CBC_ENCRYPT_DATA 0x00001101UL +#define CKM_DES3_ECB_ENCRYPT_DATA 0x00001102UL +#define CKM_DES3_CBC_ENCRYPT_DATA 0x00001103UL +#define CKM_AES_ECB_ENCRYPT_DATA 0x00001104UL +#define CKM_AES_CBC_ENCRYPT_DATA 0x00001105UL + +#define CKM_GOSTR3410_KEY_PAIR_GEN 0x00001200UL +#define CKM_GOSTR3410 0x00001201UL +#define CKM_GOSTR3410_WITH_GOSTR3411 0x00001202UL +#define CKM_GOSTR3410_KEY_WRAP 0x00001203UL +#define CKM_GOSTR3410_DERIVE 0x00001204UL +#define CKM_GOSTR3411 0x00001210UL +#define CKM_GOSTR3411_HMAC 0x00001211UL +#define CKM_GOST28147_KEY_GEN 0x00001220UL +#define CKM_GOST28147_ECB 0x00001221UL +#define CKM_GOST28147 0x00001222UL +#define CKM_GOST28147_MAC 0x00001223UL +#define CKM_GOST28147_KEY_WRAP 0x00001224UL +#define CKM_CHACHA20_KEY_GEN 0x00001225UL +#define CKM_CHACHA20 0x00001226UL +#define CKM_POLY1305_KEY_GEN 0x00001227UL +#define CKM_POLY1305 0x00001228UL +#define CKM_DSA_PARAMETER_GEN 0x00002000UL +#define CKM_DH_PKCS_PARAMETER_GEN 0x00002001UL +#define CKM_X9_42_DH_PARAMETER_GEN 0x00002002UL +#define CKM_DSA_PROBABILISTIC_PARAMETER_GEN 0x00002003UL +#define CKM_DSA_PROBABLISTIC_PARAMETER_GEN CKM_DSA_PROBABILISTIC_PARAMETER_GEN +#define CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN 0x00002004UL +#define CKM_DSA_FIPS_G_GEN 0x00002005UL + +#define CKM_AES_OFB 0x00002104UL +#define CKM_AES_CFB64 0x00002105UL +#define CKM_AES_CFB8 0x00002106UL +#define CKM_AES_CFB128 0x00002107UL + +#define CKM_AES_CFB1 0x00002108UL +#define CKM_AES_KEY_WRAP 0x00002109UL /* WAS: 0x00001090 */ +#define CKM_AES_KEY_WRAP_PAD 0x0000210AUL /* WAS: 0x00001091 */ +#define CKM_AES_KEY_WRAP_KWP 0x0000210BUL +#define CKM_AES_KEY_WRAP_PKCS7 0x0000210CUL + +#define CKM_RSA_PKCS_TPM_1_1 0x00004001UL +#define CKM_RSA_PKCS_OAEP_TPM_1_1 0x00004002UL + +#define CKM_SHA_1_KEY_GEN 0x00004003UL +#define CKM_SHA224_KEY_GEN 0x00004004UL +#define CKM_SHA256_KEY_GEN 0x00004005UL +#define CKM_SHA384_KEY_GEN 0x00004006UL +#define CKM_SHA512_KEY_GEN 0x00004007UL +#define CKM_SHA512_224_KEY_GEN 0x00004008UL +#define CKM_SHA512_256_KEY_GEN 0x00004009UL +#define CKM_SHA512_T_KEY_GEN 0x0000400aUL +#define CKM_NULL 0x0000400bUL +#define CKM_BLAKE2B_160 0x0000400cUL +#define CKM_BLAKE2B_160_HMAC 0x0000400dUL +#define CKM_BLAKE2B_160_HMAC_GENERAL 0x0000400eUL +#define CKM_BLAKE2B_160_KEY_DERIVE 0x0000400fUL +#define CKM_BLAKE2B_160_KEY_GEN 0x00004010UL +#define CKM_BLAKE2B_256 0x00004011UL +#define CKM_BLAKE2B_256_HMAC 0x00004012UL +#define CKM_BLAKE2B_256_HMAC_GENERAL 0x00004013UL +#define CKM_BLAKE2B_256_KEY_DERIVE 0x00004014UL +#define CKM_BLAKE2B_256_KEY_GEN 0x00004015UL +#define CKM_BLAKE2B_384 0x00004016UL +#define CKM_BLAKE2B_384_HMAC 0x00004017UL +#define CKM_BLAKE2B_384_HMAC_GENERAL 0x00004018UL +#define CKM_BLAKE2B_384_KEY_DERIVE 0x00004019UL +#define CKM_BLAKE2B_384_KEY_GEN 0x0000401aUL +#define CKM_BLAKE2B_512 0x0000401bUL +#define CKM_BLAKE2B_512_HMAC 0x0000401cUL +#define CKM_BLAKE2B_512_HMAC_GENERAL 0x0000401dUL +#define CKM_BLAKE2B_512_KEY_DERIVE 0x0000401eUL +#define CKM_BLAKE2B_512_KEY_GEN 0x0000401fUL +#define CKM_SALSA20 0x00004020UL +#define CKM_CHACHA20_POLY1305 0x00004021UL +#define CKM_SALSA20_POLY1305 0x00004022UL +#define CKM_X3DH_INITIALIZE 0x00004023UL +#define CKM_X3DH_RESPOND 0x00004024UL +#define CKM_X2RATCHET_INITIALIZE 0x00004025UL +#define CKM_X2RATCHET_RESPOND 0x00004026UL +#define CKM_X2RATCHET_ENCRYPT 0x00004027UL +#define CKM_X2RATCHET_DECRYPT 0x00004028UL +#define CKM_XEDDSA 0x00004029UL +#define CKM_HKDF_DERIVE 0x0000402aUL +#define CKM_HKDF_DATA 0x0000402bUL +#define CKM_HKDF_KEY_GEN 0x0000402cUL +#define CKM_SALSA20_KEY_GEN 0x0000402dUL + +#define CKM_ECDSA_SHA3_224 0x00001047UL +#define CKM_ECDSA_SHA3_256 0x00001048UL +#define CKM_ECDSA_SHA3_384 0x00001049UL +#define CKM_ECDSA_SHA3_512 0x0000104aUL +#define CKM_EC_EDWARDS_KEY_PAIR_GEN 0x00001055UL +#define CKM_EC_MONTGOMERY_KEY_PAIR_GEN 0x00001056UL +#define CKM_EDDSA 0x00001057UL +#define CKM_SP800_108_COUNTER_KDF 0x000003acUL +#define CKM_SP800_108_FEEDBACK_KDF 0x000003adUL +#define CKM_SP800_108_DOUBLE_PIPELINE_KDF 0x000003aeUL + +#define CKM_IKE2_PRF_PLUS_DERIVE 0x0000402eUL +#define CKM_IKE_PRF_DERIVE 0x0000402fUL +#define CKM_IKE1_PRF_DERIVE 0x00004030UL +#define CKM_IKE1_EXTENDED_DERIVE 0x00004031UL +#define CKM_HSS_KEY_PAIR_GEN 0x00004032UL +#define CKM_HSS 0x00004033UL + +#define CKM_VENDOR_DEFINED 0x80000000UL + +typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR; + +/* CK_MECHANISM is a structure that specifies a particular + * mechanism + */ +typedef struct CK_MECHANISM { + CK_MECHANISM_TYPE mechanism; + CK_VOID_PTR pParameter; + CK_ULONG ulParameterLen; /* in bytes */ +} CK_MECHANISM; + +typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR; + +/* CK_MECHANISM_INFO provides information about a particular + * mechanism + */ +typedef struct CK_MECHANISM_INFO { + CK_ULONG ulMinKeySize; + CK_ULONG ulMaxKeySize; + CK_FLAGS flags; +} CK_MECHANISM_INFO; + +/* The flags are defined as follows: + * Bit Flag Mask Meaning */ +#define CKF_HW 0x00000001UL /* performed by HW */ + +/* Specify whether or not a mechanism can be used for a particular task */ +#define CKF_MESSAGE_ENCRYPT 0x00000002UL +#define CKF_MESSAGE_DECRYPT 0x00000004UL +#define CKF_MESSAGE_SIGN 0x00000008UL +#define CKF_MESSAGE_VERIFY 0x00000010UL +#define CKF_MULTI_MESSAGE 0x00000020UL +#define CKF_MULTI_MESSGE CKF_MULTI_MESSAGE +#define CKF_FIND_OBJECTS 0x00000040UL + +#define CKF_ENCRYPT 0x00000100UL +#define CKF_DECRYPT 0x00000200UL +#define CKF_DIGEST 0x00000400UL +#define CKF_SIGN 0x00000800UL +#define CKF_SIGN_RECOVER 0x00001000UL +#define CKF_VERIFY 0x00002000UL +#define CKF_VERIFY_RECOVER 0x00004000UL +#define CKF_GENERATE 0x00008000UL +#define CKF_GENERATE_KEY_PAIR 0x00010000UL +#define CKF_WRAP 0x00020000UL +#define CKF_UNWRAP 0x00040000UL +#define CKF_DERIVE 0x00080000UL + +/* Describe a token's EC capabilities not available in mechanism + * information. + */ +#define CKF_EC_F_P 0x00100000UL +#define CKF_EC_F_2M 0x00200000UL +#define CKF_EC_ECPARAMETERS 0x00400000UL +#define CKF_EC_OID 0x00800000UL +#define CKF_EC_NAMEDCURVE CKF_EC_OID /* deprecated since PKCS#11 3.00 */ +#define CKF_EC_UNCOMPRESS 0x01000000UL +#define CKF_EC_COMPRESS 0x02000000UL +#define CKF_EC_CURVENAME 0x04000000UL + +#define CKF_EXTENSION 0x80000000UL + +typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR; + +/* CK_RV is a value that identifies the return value of a + * Cryptoki function + */ +typedef CK_ULONG CK_RV; + +#define CKR_OK 0x00000000UL +#define CKR_CANCEL 0x00000001UL +#define CKR_HOST_MEMORY 0x00000002UL +#define CKR_SLOT_ID_INVALID 0x00000003UL + +#define CKR_GENERAL_ERROR 0x00000005UL +#define CKR_FUNCTION_FAILED 0x00000006UL + +#define CKR_ARGUMENTS_BAD 0x00000007UL +#define CKR_NO_EVENT 0x00000008UL +#define CKR_NEED_TO_CREATE_THREADS 0x00000009UL +#define CKR_CANT_LOCK 0x0000000AUL + +#define CKR_ATTRIBUTE_READ_ONLY 0x00000010UL +#define CKR_ATTRIBUTE_SENSITIVE 0x00000011UL +#define CKR_ATTRIBUTE_TYPE_INVALID 0x00000012UL +#define CKR_ATTRIBUTE_VALUE_INVALID 0x00000013UL + +#define CKR_ACTION_PROHIBITED 0x0000001BUL + +#define CKR_DATA_INVALID 0x00000020UL +#define CKR_DATA_LEN_RANGE 0x00000021UL +#define CKR_DEVICE_ERROR 0x00000030UL +#define CKR_DEVICE_MEMORY 0x00000031UL +#define CKR_DEVICE_REMOVED 0x00000032UL +#define CKR_ENCRYPTED_DATA_INVALID 0x00000040UL +#define CKR_ENCRYPTED_DATA_LEN_RANGE 0x00000041UL +#define CKR_AEAD_DECRYPT_FAILED 0x00000042UL +#define CKR_FUNCTION_CANCELED 0x00000050UL +#define CKR_FUNCTION_NOT_PARALLEL 0x00000051UL + +#define CKR_FUNCTION_NOT_SUPPORTED 0x00000054UL + +#define CKR_KEY_HANDLE_INVALID 0x00000060UL + +#define CKR_KEY_SIZE_RANGE 0x00000062UL +#define CKR_KEY_TYPE_INCONSISTENT 0x00000063UL + +#define CKR_KEY_NOT_NEEDED 0x00000064UL +#define CKR_KEY_CHANGED 0x00000065UL +#define CKR_KEY_NEEDED 0x00000066UL +#define CKR_KEY_INDIGESTIBLE 0x00000067UL +#define CKR_KEY_FUNCTION_NOT_PERMITTED 0x00000068UL +#define CKR_KEY_NOT_WRAPPABLE 0x00000069UL +#define CKR_KEY_UNEXTRACTABLE 0x0000006AUL + +#define CKR_MECHANISM_INVALID 0x00000070UL +#define CKR_MECHANISM_PARAM_INVALID 0x00000071UL + +#define CKR_OBJECT_HANDLE_INVALID 0x00000082UL +#define CKR_OPERATION_ACTIVE 0x00000090UL +#define CKR_OPERATION_NOT_INITIALIZED 0x00000091UL +#define CKR_PIN_INCORRECT 0x000000A0UL +#define CKR_PIN_INVALID 0x000000A1UL +#define CKR_PIN_LEN_RANGE 0x000000A2UL + +#define CKR_PIN_EXPIRED 0x000000A3UL +#define CKR_PIN_LOCKED 0x000000A4UL + +#define CKR_SESSION_CLOSED 0x000000B0UL +#define CKR_SESSION_COUNT 0x000000B1UL +#define CKR_SESSION_HANDLE_INVALID 0x000000B3UL +#define CKR_SESSION_PARALLEL_NOT_SUPPORTED 0x000000B4UL +#define CKR_SESSION_READ_ONLY 0x000000B5UL +#define CKR_SESSION_EXISTS 0x000000B6UL + +#define CKR_SESSION_READ_ONLY_EXISTS 0x000000B7UL +#define CKR_SESSION_READ_WRITE_SO_EXISTS 0x000000B8UL + +#define CKR_SIGNATURE_INVALID 0x000000C0UL +#define CKR_SIGNATURE_LEN_RANGE 0x000000C1UL +#define CKR_TEMPLATE_INCOMPLETE 0x000000D0UL +#define CKR_TEMPLATE_INCONSISTENT 0x000000D1UL +#define CKR_TOKEN_NOT_PRESENT 0x000000E0UL +#define CKR_TOKEN_NOT_RECOGNIZED 0x000000E1UL +#define CKR_TOKEN_WRITE_PROTECTED 0x000000E2UL +#define CKR_UNWRAPPING_KEY_HANDLE_INVALID 0x000000F0UL +#define CKR_UNWRAPPING_KEY_SIZE_RANGE 0x000000F1UL +#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT 0x000000F2UL +#define CKR_USER_ALREADY_LOGGED_IN 0x00000100UL +#define CKR_USER_NOT_LOGGED_IN 0x00000101UL +#define CKR_USER_PIN_NOT_INITIALIZED 0x00000102UL +#define CKR_USER_TYPE_INVALID 0x00000103UL + +#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN 0x00000104UL +#define CKR_USER_TOO_MANY_TYPES 0x00000105UL + +#define CKR_WRAPPED_KEY_INVALID 0x00000110UL +#define CKR_WRAPPED_KEY_LEN_RANGE 0x00000112UL +#define CKR_WRAPPING_KEY_HANDLE_INVALID 0x00000113UL +#define CKR_WRAPPING_KEY_SIZE_RANGE 0x00000114UL +#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT 0x00000115UL +#define CKR_RANDOM_SEED_NOT_SUPPORTED 0x00000120UL + +#define CKR_RANDOM_NO_RNG 0x00000121UL + +#define CKR_DOMAIN_PARAMS_INVALID 0x00000130UL + +#define CKR_CURVE_NOT_SUPPORTED 0x00000140UL + +#define CKR_BUFFER_TOO_SMALL 0x00000150UL +#define CKR_SAVED_STATE_INVALID 0x00000160UL +#define CKR_INFORMATION_SENSITIVE 0x00000170UL +#define CKR_STATE_UNSAVEABLE 0x00000180UL + +#define CKR_CRYPTOKI_NOT_INITIALIZED 0x00000190UL +#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x00000191UL +#define CKR_MUTEX_BAD 0x000001A0UL +#define CKR_MUTEX_NOT_LOCKED 0x000001A1UL + +#define CKR_NEW_PIN_MODE 0x000001B0UL +#define CKR_NEXT_OTP 0x000001B1UL + +#define CKR_EXCEEDED_MAX_ITERATIONS 0x000001B5UL +#define CKR_FIPS_SELF_TEST_FAILED 0x000001B6UL +#define CKR_LIBRARY_LOAD_FAILED 0x000001B7UL +#define CKR_PIN_TOO_WEAK 0x000001B8UL +#define CKR_PUBLIC_KEY_INVALID 0x000001B9UL + +#define CKR_FUNCTION_REJECTED 0x00000200UL +#define CKR_TOKEN_RESOURCE_EXCEEDED 0x00000201UL +#define CKR_OPERATION_CANCEL_FAILED 0x00000202UL +#define CKR_KEY_EXHAUSTED 0x00000203UL + +#define CKR_VENDOR_DEFINED 0x80000000UL + +/* CK_NOTIFY is an application callback that processes events */ +typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_NOTIFICATION event, CK_VOID_PTR pApplication /* passed to C_OpenSession */ +); + +/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec + * version and pointers of appropriate types to all the + * Cryptoki functions + */ +typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST; +typedef struct CK_FUNCTION_LIST_3_0 CK_FUNCTION_LIST_3_0; + +typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR; +typedef CK_FUNCTION_LIST_3_0 CK_PTR CK_FUNCTION_LIST_3_0_PTR; + +typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR; +typedef CK_FUNCTION_LIST_3_0_PTR CK_PTR CK_FUNCTION_LIST_3_0_PTR_PTR; + +typedef struct CK_INTERFACE { + CK_CHAR *pInterfaceName; + CK_VOID_PTR pFunctionList; + CK_FLAGS flags; +} CK_INTERFACE; + +typedef CK_INTERFACE CK_PTR CK_INTERFACE_PTR; +typedef CK_INTERFACE_PTR CK_PTR CK_INTERFACE_PTR_PTR; + +#define CKF_END_OF_MESSAGE 0x00000001UL + +/* CK_CREATEMUTEX is an application callback for creating a + * mutex object + */ +typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)( + CK_VOID_PTR_PTR ppMutex /* location to receive ptr to mutex */ +); + +/* CK_DESTROYMUTEX is an application callback for destroying a + * mutex object + */ +typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)( + CK_VOID_PTR pMutex /* pointer to mutex */ +); + +/* CK_LOCKMUTEX is an application callback for locking a mutex */ +typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)( + CK_VOID_PTR pMutex /* pointer to mutex */ +); + +/* CK_UNLOCKMUTEX is an application callback for unlocking a + * mutex + */ +typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)( + CK_VOID_PTR pMutex /* pointer to mutex */ +); + +/* Get functionlist flags */ +#define CKF_INTERFACE_FORK_SAFE 0x00000001UL + +/* CK_C_INITIALIZE_ARGS provides the optional arguments to + * C_Initialize + */ +typedef struct CK_C_INITIALIZE_ARGS { + CK_CREATEMUTEX CreateMutex; + CK_DESTROYMUTEX DestroyMutex; + CK_LOCKMUTEX LockMutex; + CK_UNLOCKMUTEX UnlockMutex; + CK_FLAGS flags; + CK_VOID_PTR pReserved; +} CK_C_INITIALIZE_ARGS; + +/* flags: bit flags that provide capabilities of the slot + * Bit Flag Mask Meaning + */ +#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001UL +#define CKF_OS_LOCKING_OK 0x00000002UL + +typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR; + +/* additional flags for parameters to functions */ + +/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */ +#define CKF_DONT_BLOCK 1 + +/* CK_RSA_PKCS_MGF_TYPE is used to indicate the Message + * Generation Function (MGF) applied to a message block when + * formatting a message block for the PKCS #1 OAEP encryption + * scheme. + */ +typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE; + +typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR; + +/* The following MGFs are defined */ +#define CKG_MGF1_SHA1 0x00000001UL +#define CKG_MGF1_SHA256 0x00000002UL +#define CKG_MGF1_SHA384 0x00000003UL +#define CKG_MGF1_SHA512 0x00000004UL +#define CKG_MGF1_SHA224 0x00000005UL +#define CKG_MGF1_SHA3_224 0x00000006UL +#define CKG_MGF1_SHA3_256 0x00000007UL +#define CKG_MGF1_SHA3_384 0x00000008UL +#define CKG_MGF1_SHA3_512 0x00000009UL + +/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is used to indicate the source + * of the encoding parameter when formatting a message block + * for the PKCS #1 OAEP encryption scheme. + */ +typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE; + +typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR; + +/* The following encoding parameter sources are defined */ +#define CKZ_DATA_SPECIFIED 0x00000001UL + +/* CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the + * CKM_RSA_PKCS_OAEP mechanism. + */ +typedef struct CK_RSA_PKCS_OAEP_PARAMS { + CK_MECHANISM_TYPE hashAlg; + CK_RSA_PKCS_MGF_TYPE mgf; + CK_RSA_PKCS_OAEP_SOURCE_TYPE source; + CK_VOID_PTR pSourceData; + CK_ULONG ulSourceDataLen; +} CK_RSA_PKCS_OAEP_PARAMS; + +typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR; + +/* CK_RSA_PKCS_PSS_PARAMS provides the parameters to the + * CKM_RSA_PKCS_PSS mechanism(s). + */ +typedef struct CK_RSA_PKCS_PSS_PARAMS { + CK_MECHANISM_TYPE hashAlg; + CK_RSA_PKCS_MGF_TYPE mgf; + CK_ULONG sLen; +} CK_RSA_PKCS_PSS_PARAMS; + +typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR; + +typedef CK_ULONG CK_EC_KDF_TYPE; +typedef CK_EC_KDF_TYPE CK_PTR CK_EC_KDF_TYPE_PTR; + +/* The following EC Key Derivation Functions are defined */ +#define CKD_NULL 0x00000001UL +#define CKD_SHA1_KDF 0x00000002UL + +/* The following X9.42 DH key derivation functions are defined */ +#define CKD_SHA1_KDF_ASN1 0x00000003UL +#define CKD_SHA1_KDF_CONCATENATE 0x00000004UL +#define CKD_SHA224_KDF 0x00000005UL +#define CKD_SHA256_KDF 0x00000006UL +#define CKD_SHA384_KDF 0x00000007UL +#define CKD_SHA512_KDF 0x00000008UL +#define CKD_CPDIVERSIFY_KDF 0x00000009UL +#define CKD_SHA3_224_KDF 0x0000000AUL +#define CKD_SHA3_256_KDF 0x0000000BUL +#define CKD_SHA3_384_KDF 0x0000000CUL +#define CKD_SHA3_512_KDF 0x0000000DUL +#define CKD_SHA1_KDF_SP800 0x0000000EUL +#define CKD_SHA224_KDF_SP800 0x0000000FUL +#define CKD_SHA256_KDF_SP800 0x00000010UL +#define CKD_SHA384_KDF_SP800 0x00000011UL +#define CKD_SHA512_KDF_SP800 0x00000012UL +#define CKD_SHA3_224_KDF_SP800 0x00000013UL +#define CKD_SHA3_256_KDF_SP800 0x00000014UL +#define CKD_SHA3_384_KDF_SP800 0x00000015UL +#define CKD_SHA3_512_KDF_SP800 0x00000016UL +#define CKD_BLAKE2B_160_KDF 0x00000017UL +#define CKD_BLAKE2B_256_KDF 0x00000018UL +#define CKD_BLAKE2B_384_KDF 0x00000019UL +#define CKD_BLAKE2B_512_KDF 0x0000001aUL + +/* CK_ECDH1_DERIVE_PARAMS provides the parameters to the + * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms, + * where each party contributes one key pair. + */ +typedef struct CK_ECDH1_DERIVE_PARAMS { + CK_EC_KDF_TYPE kdf; + CK_ULONG ulSharedDataLen; + CK_BYTE_PTR pSharedData; + CK_ULONG ulPublicDataLen; + CK_BYTE_PTR pPublicData; +} CK_ECDH1_DERIVE_PARAMS; + +typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR; + +/* + * CK_ECDH2_DERIVE_PARAMS provides the parameters to the + * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs. + */ +typedef struct CK_ECDH2_DERIVE_PARAMS { + CK_EC_KDF_TYPE kdf; + CK_ULONG ulSharedDataLen; + CK_BYTE_PTR pSharedData; + CK_ULONG ulPublicDataLen; + CK_BYTE_PTR pPublicData; + CK_ULONG ulPrivateDataLen; + CK_OBJECT_HANDLE hPrivateData; + CK_ULONG ulPublicDataLen2; + CK_BYTE_PTR pPublicData2; +} CK_ECDH2_DERIVE_PARAMS; + +typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR; + +typedef struct CK_ECMQV_DERIVE_PARAMS { + CK_EC_KDF_TYPE kdf; + CK_ULONG ulSharedDataLen; + CK_BYTE_PTR pSharedData; + CK_ULONG ulPublicDataLen; + CK_BYTE_PTR pPublicData; + CK_ULONG ulPrivateDataLen; + CK_OBJECT_HANDLE hPrivateData; + CK_ULONG ulPublicDataLen2; + CK_BYTE_PTR pPublicData2; + CK_OBJECT_HANDLE publicKey; +} CK_ECMQV_DERIVE_PARAMS; + +typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR; + +/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the + * CKM_X9_42_DH_PARAMETER_GEN mechanisms + */ +typedef CK_ULONG CK_X9_42_DH_KDF_TYPE; +typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR; + +/* CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the + * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party + * contributes one key pair + */ +typedef struct CK_X9_42_DH1_DERIVE_PARAMS { + CK_X9_42_DH_KDF_TYPE kdf; + CK_ULONG ulOtherInfoLen; + CK_BYTE_PTR pOtherInfo; + CK_ULONG ulPublicDataLen; + CK_BYTE_PTR pPublicData; +} CK_X9_42_DH1_DERIVE_PARAMS; + +typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR; + +/* CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the + * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation + * mechanisms, where each party contributes two key pairs + */ +typedef struct CK_X9_42_DH2_DERIVE_PARAMS { + CK_X9_42_DH_KDF_TYPE kdf; + CK_ULONG ulOtherInfoLen; + CK_BYTE_PTR pOtherInfo; + CK_ULONG ulPublicDataLen; + CK_BYTE_PTR pPublicData; + CK_ULONG ulPrivateDataLen; + CK_OBJECT_HANDLE hPrivateData; + CK_ULONG ulPublicDataLen2; + CK_BYTE_PTR pPublicData2; +} CK_X9_42_DH2_DERIVE_PARAMS; + +typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR; + +typedef struct CK_X9_42_MQV_DERIVE_PARAMS { + CK_X9_42_DH_KDF_TYPE kdf; + CK_ULONG ulOtherInfoLen; + CK_BYTE_PTR pOtherInfo; + CK_ULONG ulPublicDataLen; + CK_BYTE_PTR pPublicData; + CK_ULONG ulPrivateDataLen; + CK_OBJECT_HANDLE hPrivateData; + CK_ULONG ulPublicDataLen2; + CK_BYTE_PTR pPublicData2; + CK_OBJECT_HANDLE publicKey; +} CK_X9_42_MQV_DERIVE_PARAMS; + +typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR; + +/* CK_KEA_DERIVE_PARAMS provides the parameters to the + * CKM_KEA_DERIVE mechanism + */ +typedef struct CK_KEA_DERIVE_PARAMS { + CK_BBOOL isSender; + CK_ULONG ulRandomLen; + CK_BYTE_PTR pRandomA; + CK_BYTE_PTR pRandomB; + CK_ULONG ulPublicDataLen; + CK_BYTE_PTR pPublicData; +} CK_KEA_DERIVE_PARAMS; + +typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR; + +/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and + * CKM_RC2_MAC mechanisms. An instance of CK_RC2_PARAMS just + * holds the effective keysize + */ +typedef CK_ULONG CK_RC2_PARAMS; + +typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR; + +/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC + * mechanism + */ +typedef struct CK_RC2_CBC_PARAMS { + CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */ + CK_BYTE iv[8]; /* IV for CBC mode */ +} CK_RC2_CBC_PARAMS; + +typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR; + +/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the + * CKM_RC2_MAC_GENERAL mechanism + */ +typedef struct CK_RC2_MAC_GENERAL_PARAMS { + CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */ + CK_ULONG ulMacLength; /* Length of MAC in bytes */ +} CK_RC2_MAC_GENERAL_PARAMS; + +typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR CK_RC2_MAC_GENERAL_PARAMS_PTR; + +/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and + * CKM_RC5_MAC mechanisms + */ +typedef struct CK_RC5_PARAMS { + CK_ULONG ulWordsize; /* wordsize in bits */ + CK_ULONG ulRounds; /* number of rounds */ +} CK_RC5_PARAMS; + +typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR; + +/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC + * mechanism + */ +typedef struct CK_RC5_CBC_PARAMS { + CK_ULONG ulWordsize; /* wordsize in bits */ + CK_ULONG ulRounds; /* number of rounds */ + CK_BYTE_PTR pIv; /* pointer to IV */ + CK_ULONG ulIvLen; /* length of IV in bytes */ +} CK_RC5_CBC_PARAMS; + +typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR; + +/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the + * CKM_RC5_MAC_GENERAL mechanism + */ +typedef struct CK_RC5_MAC_GENERAL_PARAMS { + CK_ULONG ulWordsize; /* wordsize in bits */ + CK_ULONG ulRounds; /* number of rounds */ + CK_ULONG ulMacLength; /* Length of MAC in bytes */ +} CK_RC5_MAC_GENERAL_PARAMS; + +typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR CK_RC5_MAC_GENERAL_PARAMS_PTR; + +/* CK_MAC_GENERAL_PARAMS provides the parameters to most block + * ciphers' MAC_GENERAL mechanisms. Its value is the length of + * the MAC + */ +typedef CK_ULONG CK_MAC_GENERAL_PARAMS; + +typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR; + +typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS { + CK_BYTE iv[8]; + CK_BYTE_PTR pData; + CK_ULONG length; +} CK_DES_CBC_ENCRYPT_DATA_PARAMS; + +typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR + CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR; + +typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS { + CK_BYTE iv[16]; + CK_BYTE_PTR pData; + CK_ULONG length; +} CK_AES_CBC_ENCRYPT_DATA_PARAMS; + +typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR + CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR; + +/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the + * CKM_SKIPJACK_PRIVATE_WRAP mechanism + */ +typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS { + CK_ULONG ulPasswordLen; + CK_BYTE_PTR pPassword; + CK_ULONG ulPublicDataLen; + CK_BYTE_PTR pPublicData; + CK_ULONG ulPAndGLen; + CK_ULONG ulQLen; + CK_ULONG ulRandomLen; + CK_BYTE_PTR pRandomA; + CK_BYTE_PTR pPrimeP; + CK_BYTE_PTR pBaseG; + CK_BYTE_PTR pSubprimeQ; +} CK_SKIPJACK_PRIVATE_WRAP_PARAMS; + +typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR + CK_SKIPJACK_PRIVATE_WRAP_PARAMS_PTR; + +/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the + * CKM_SKIPJACK_RELAYX mechanism + */ +typedef struct CK_SKIPJACK_RELAYX_PARAMS { + CK_ULONG ulOldWrappedXLen; + CK_BYTE_PTR pOldWrappedX; + CK_ULONG ulOldPasswordLen; + CK_BYTE_PTR pOldPassword; + CK_ULONG ulOldPublicDataLen; + CK_BYTE_PTR pOldPublicData; + CK_ULONG ulOldRandomLen; + CK_BYTE_PTR pOldRandomA; + CK_ULONG ulNewPasswordLen; + CK_BYTE_PTR pNewPassword; + CK_ULONG ulNewPublicDataLen; + CK_BYTE_PTR pNewPublicData; + CK_ULONG ulNewRandomLen; + CK_BYTE_PTR pNewRandomA; +} CK_SKIPJACK_RELAYX_PARAMS; + +typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR CK_SKIPJACK_RELAYX_PARAMS_PTR; + +typedef struct CK_PBE_PARAMS { + CK_BYTE_PTR pInitVector; + CK_UTF8CHAR_PTR pPassword; + CK_ULONG ulPasswordLen; + CK_BYTE_PTR pSalt; + CK_ULONG ulSaltLen; + CK_ULONG ulIteration; +} CK_PBE_PARAMS; + +typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR; + +/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the + * CKM_KEY_WRAP_SET_OAEP mechanism + */ +typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS { + CK_BYTE bBC; /* block contents byte */ + CK_BYTE_PTR pX; /* extra data */ + CK_ULONG ulXLen; /* length of extra data in bytes */ +} CK_KEY_WRAP_SET_OAEP_PARAMS; + +typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR CK_KEY_WRAP_SET_OAEP_PARAMS_PTR; + +typedef struct CK_SSL3_RANDOM_DATA { + CK_BYTE_PTR pClientRandom; + CK_ULONG ulClientRandomLen; + CK_BYTE_PTR pServerRandom; + CK_ULONG ulServerRandomLen; +} CK_SSL3_RANDOM_DATA; + +typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS { + CK_SSL3_RANDOM_DATA RandomInfo; + CK_VERSION_PTR pVersion; +} CK_SSL3_MASTER_KEY_DERIVE_PARAMS; + +typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR + CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR; + +typedef struct CK_SSL3_KEY_MAT_OUT { + CK_OBJECT_HANDLE hClientMacSecret; + CK_OBJECT_HANDLE hServerMacSecret; + CK_OBJECT_HANDLE hClientKey; + CK_OBJECT_HANDLE hServerKey; + CK_BYTE_PTR pIVClient; + CK_BYTE_PTR pIVServer; +} CK_SSL3_KEY_MAT_OUT; + +typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR; + +typedef struct CK_SSL3_KEY_MAT_PARAMS { + CK_ULONG ulMacSizeInBits; + CK_ULONG ulKeySizeInBits; + CK_ULONG ulIVSizeInBits; + CK_BBOOL bIsExport; + CK_SSL3_RANDOM_DATA RandomInfo; + CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial; +} CK_SSL3_KEY_MAT_PARAMS; + +typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR; + +typedef struct CK_TLS_PRF_PARAMS { + CK_BYTE_PTR pSeed; + CK_ULONG ulSeedLen; + CK_BYTE_PTR pLabel; + CK_ULONG ulLabelLen; + CK_BYTE_PTR pOutput; + CK_ULONG_PTR pulOutputLen; +} CK_TLS_PRF_PARAMS; + +typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR; + +typedef struct CK_WTLS_RANDOM_DATA { + CK_BYTE_PTR pClientRandom; + CK_ULONG ulClientRandomLen; + CK_BYTE_PTR pServerRandom; + CK_ULONG ulServerRandomLen; +} CK_WTLS_RANDOM_DATA; + +typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR; + +typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS { + CK_MECHANISM_TYPE DigestMechanism; + CK_WTLS_RANDOM_DATA RandomInfo; + CK_BYTE_PTR pVersion; +} CK_WTLS_MASTER_KEY_DERIVE_PARAMS; + +typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR + CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR; + +typedef struct CK_WTLS_PRF_PARAMS { + CK_MECHANISM_TYPE DigestMechanism; + CK_BYTE_PTR pSeed; + CK_ULONG ulSeedLen; + CK_BYTE_PTR pLabel; + CK_ULONG ulLabelLen; + CK_BYTE_PTR pOutput; + CK_ULONG_PTR pulOutputLen; +} CK_WTLS_PRF_PARAMS; + +typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR; + +typedef struct CK_WTLS_KEY_MAT_OUT { + CK_OBJECT_HANDLE hMacSecret; + CK_OBJECT_HANDLE hKey; + CK_BYTE_PTR pIV; +} CK_WTLS_KEY_MAT_OUT; + +typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR; + +typedef struct CK_WTLS_KEY_MAT_PARAMS { + CK_MECHANISM_TYPE DigestMechanism; + CK_ULONG ulMacSizeInBits; + CK_ULONG ulKeySizeInBits; + CK_ULONG ulIVSizeInBits; + CK_ULONG ulSequenceNumber; + CK_BBOOL bIsExport; + CK_WTLS_RANDOM_DATA RandomInfo; + CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial; +} CK_WTLS_KEY_MAT_PARAMS; + +typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR; + +typedef struct CK_CMS_SIG_PARAMS { + CK_OBJECT_HANDLE certificateHandle; + CK_MECHANISM_PTR pSigningMechanism; + CK_MECHANISM_PTR pDigestMechanism; + CK_UTF8CHAR_PTR pContentType; + CK_BYTE_PTR pRequestedAttributes; + CK_ULONG ulRequestedAttributesLen; + CK_BYTE_PTR pRequiredAttributes; + CK_ULONG ulRequiredAttributesLen; +} CK_CMS_SIG_PARAMS; + +typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR; + +typedef struct CK_KEY_DERIVATION_STRING_DATA { + CK_BYTE_PTR pData; + CK_ULONG ulLen; +} CK_KEY_DERIVATION_STRING_DATA; + +typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR CK_KEY_DERIVATION_STRING_DATA_PTR; + +/* The CK_EXTRACT_PARAMS is used for the + * CKM_EXTRACT_KEY_FROM_KEY mechanism. It specifies which bit + * of the base key should be used as the first bit of the + * derived key + */ +typedef CK_ULONG CK_EXTRACT_PARAMS; + +typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR; + +/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to + * indicate the Pseudo-Random Function (PRF) used to generate + * key bits using PKCS #5 PBKDF2. + */ +typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE; + +typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR + CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR; + +#define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001UL +#define CKP_PKCS5_PBKD2_HMAC_GOSTR3411 0x00000002UL +#define CKP_PKCS5_PBKD2_HMAC_SHA224 0x00000003UL +#define CKP_PKCS5_PBKD2_HMAC_SHA256 0x00000004UL +#define CKP_PKCS5_PBKD2_HMAC_SHA384 0x00000005UL +#define CKP_PKCS5_PBKD2_HMAC_SHA512 0x00000006UL +#define CKP_PKCS5_PBKD2_HMAC_SHA512_224 0x00000007UL +#define CKP_PKCS5_PBKD2_HMAC_SHA512_256 0x00000008UL + +/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the + * source of the salt value when deriving a key using PKCS #5 + * PBKDF2. + */ +typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE; + +typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR + CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR; + +/* The following salt value sources are defined in PKCS #5 v2.0. */ +#define CKZ_SALT_SPECIFIED 0x00000001UL + +/* CK_PKCS5_PBKD2_PARAMS is a structure that provides the + * parameters to the CKM_PKCS5_PBKD2 mechanism. + */ +typedef struct CK_PKCS5_PBKD2_PARAMS { + CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource; + CK_VOID_PTR pSaltSourceData; + CK_ULONG ulSaltSourceDataLen; + CK_ULONG iterations; + CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf; + CK_VOID_PTR pPrfData; + CK_ULONG ulPrfDataLen; + CK_UTF8CHAR_PTR pPassword; + CK_ULONG_PTR ulPasswordLen; +} CK_PKCS5_PBKD2_PARAMS; + +typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR; + +/* CK_PKCS5_PBKD2_PARAMS2 is a corrected version of the CK_PKCS5_PBKD2_PARAMS + * structure that provides the parameters to the CKM_PKCS5_PBKD2 mechanism + * noting that the ulPasswordLen field is a CK_ULONG and not a CK_ULONG_PTR. + */ +typedef struct CK_PKCS5_PBKD2_PARAMS2 { + CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource; + CK_VOID_PTR pSaltSourceData; + CK_ULONG ulSaltSourceDataLen; + CK_ULONG iterations; + CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf; + CK_VOID_PTR pPrfData; + CK_ULONG ulPrfDataLen; + CK_UTF8CHAR_PTR pPassword; + CK_ULONG ulPasswordLen; +} CK_PKCS5_PBKD2_PARAMS2; + +typedef CK_PKCS5_PBKD2_PARAMS2 CK_PTR CK_PKCS5_PBKD2_PARAMS2_PTR; + +typedef CK_ULONG CK_OTP_PARAM_TYPE; +typedef CK_OTP_PARAM_TYPE CK_PARAM_TYPE; /* backward compatibility */ + +typedef struct CK_OTP_PARAM { + CK_OTP_PARAM_TYPE type; + CK_VOID_PTR pValue; + CK_ULONG ulValueLen; +} CK_OTP_PARAM; + +typedef CK_OTP_PARAM CK_PTR CK_OTP_PARAM_PTR; + +typedef struct CK_OTP_PARAMS { + CK_OTP_PARAM_PTR pParams; + CK_ULONG ulCount; +} CK_OTP_PARAMS; + +typedef CK_OTP_PARAMS CK_PTR CK_OTP_PARAMS_PTR; + +typedef struct CK_OTP_SIGNATURE_INFO { + CK_OTP_PARAM_PTR pParams; + CK_ULONG ulCount; +} CK_OTP_SIGNATURE_INFO; + +typedef CK_OTP_SIGNATURE_INFO CK_PTR CK_OTP_SIGNATURE_INFO_PTR; + +#define CK_OTP_VALUE 0UL +#define CK_OTP_PIN 1UL +#define CK_OTP_CHALLENGE 2UL +#define CK_OTP_TIME 3UL +#define CK_OTP_COUNTER 4UL +#define CK_OTP_FLAGS 5UL +#define CK_OTP_OUTPUT_LENGTH 6UL +#define CK_OTP_OUTPUT_FORMAT 7UL + +#define CKF_NEXT_OTP 0x00000001UL +#define CKF_EXCLUDE_TIME 0x00000002UL +#define CKF_EXCLUDE_COUNTER 0x00000004UL +#define CKF_EXCLUDE_CHALLENGE 0x00000008UL +#define CKF_EXCLUDE_PIN 0x00000010UL +#define CKF_USER_FRIENDLY_OTP 0x00000020UL + +typedef struct CK_KIP_PARAMS { + CK_MECHANISM_PTR pMechanism; + CK_OBJECT_HANDLE hKey; + CK_BYTE_PTR pSeed; + CK_ULONG ulSeedLen; +} CK_KIP_PARAMS; + +typedef CK_KIP_PARAMS CK_PTR CK_KIP_PARAMS_PTR; + +typedef struct CK_AES_CTR_PARAMS { + CK_ULONG ulCounterBits; + CK_BYTE cb[16]; +} CK_AES_CTR_PARAMS; + +typedef CK_AES_CTR_PARAMS CK_PTR CK_AES_CTR_PARAMS_PTR; + +typedef struct CK_GCM_PARAMS { + CK_BYTE_PTR pIv; + CK_ULONG ulIvLen; + CK_ULONG ulIvBits; + CK_BYTE_PTR pAAD; + CK_ULONG ulAADLen; + CK_ULONG ulTagBits; +} CK_GCM_PARAMS; + +typedef CK_GCM_PARAMS CK_PTR CK_GCM_PARAMS_PTR; + +typedef CK_ULONG CK_GENERATOR_FUNCTION; +#define CKG_NO_GENERATE 0x00000000UL +#define CKG_GENERATE 0x00000001UL +#define CKG_GENERATE_COUNTER 0x00000002UL +#define CKG_GENERATE_RANDOM 0x00000003UL +#define CKG_GENERATE_COUNTER_XOR 0x00000004UL + +typedef struct CK_GCM_MESSAGE_PARAMS { + CK_BYTE_PTR pIv; + CK_ULONG ulIvLen; + CK_ULONG ulIvFixedBits; + CK_GENERATOR_FUNCTION ivGenerator; + CK_BYTE_PTR pTag; + CK_ULONG ulTagBits; +} CK_GCM_MESSAGE_PARAMS; + +typedef CK_GCM_MESSAGE_PARAMS CK_PTR CK_GCM_MESSAGE_PARAMS_PTR; + +typedef struct CK_CCM_PARAMS { + CK_ULONG ulDataLen; + CK_BYTE_PTR pNonce; + CK_ULONG ulNonceLen; + CK_BYTE_PTR pAAD; + CK_ULONG ulAADLen; + CK_ULONG ulMACLen; +} CK_CCM_PARAMS; + +typedef CK_CCM_PARAMS CK_PTR CK_CCM_PARAMS_PTR; + +typedef struct CK_CCM_MESSAGE_PARAMS { + CK_ULONG ulDataLen; /*plaintext or ciphertext*/ + CK_BYTE_PTR pNonce; + CK_ULONG ulNonceLen; + CK_ULONG ulNonceFixedBits; + CK_GENERATOR_FUNCTION nonceGenerator; + CK_BYTE_PTR pMAC; + CK_ULONG ulMACLen; +} CK_CCM_MESSAGE_PARAMS; + +typedef CK_CCM_MESSAGE_PARAMS CK_PTR CK_CCM_MESSAGE_PARAMS_PTR; + +/* Deprecated. Use CK_GCM_PARAMS */ +typedef struct CK_AES_GCM_PARAMS { + CK_BYTE_PTR pIv; + CK_ULONG ulIvLen; + CK_ULONG ulIvBits; + CK_BYTE_PTR pAAD; + CK_ULONG ulAADLen; + CK_ULONG ulTagBits; +} CK_AES_GCM_PARAMS; + +typedef CK_AES_GCM_PARAMS CK_PTR CK_AES_GCM_PARAMS_PTR; + +/* Deprecated. Use CK_CCM_PARAMS */ +typedef struct CK_AES_CCM_PARAMS { + CK_ULONG ulDataLen; + CK_BYTE_PTR pNonce; + CK_ULONG ulNonceLen; + CK_BYTE_PTR pAAD; + CK_ULONG ulAADLen; + CK_ULONG ulMACLen; +} CK_AES_CCM_PARAMS; + +typedef CK_AES_CCM_PARAMS CK_PTR CK_AES_CCM_PARAMS_PTR; + +typedef struct CK_CAMELLIA_CTR_PARAMS { + CK_ULONG ulCounterBits; + CK_BYTE cb[16]; +} CK_CAMELLIA_CTR_PARAMS; + +typedef CK_CAMELLIA_CTR_PARAMS CK_PTR CK_CAMELLIA_CTR_PARAMS_PTR; + +typedef struct CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS { + CK_BYTE iv[16]; + CK_BYTE_PTR pData; + CK_ULONG length; +} CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS; + +typedef CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR + CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS_PTR; + +typedef struct CK_ARIA_CBC_ENCRYPT_DATA_PARAMS { + CK_BYTE iv[16]; + CK_BYTE_PTR pData; + CK_ULONG length; +} CK_ARIA_CBC_ENCRYPT_DATA_PARAMS; + +typedef CK_ARIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR + CK_ARIA_CBC_ENCRYPT_DATA_PARAMS_PTR; + +typedef struct CK_DSA_PARAMETER_GEN_PARAM { + CK_MECHANISM_TYPE hash; + CK_BYTE_PTR pSeed; + CK_ULONG ulSeedLen; + CK_ULONG ulIndex; +} CK_DSA_PARAMETER_GEN_PARAM; + +typedef CK_DSA_PARAMETER_GEN_PARAM CK_PTR CK_DSA_PARAMETER_GEN_PARAM_PTR; + +typedef struct CK_ECDH_AES_KEY_WRAP_PARAMS { + CK_ULONG ulAESKeyBits; + CK_EC_KDF_TYPE kdf; + CK_ULONG ulSharedDataLen; + CK_BYTE_PTR pSharedData; +} CK_ECDH_AES_KEY_WRAP_PARAMS; + +typedef CK_ECDH_AES_KEY_WRAP_PARAMS CK_PTR CK_ECDH_AES_KEY_WRAP_PARAMS_PTR; + +typedef CK_ULONG CK_JAVA_MIDP_SECURITY_DOMAIN; + +typedef CK_ULONG CK_CERTIFICATE_CATEGORY; + +typedef struct CK_RSA_AES_KEY_WRAP_PARAMS { + CK_ULONG ulAESKeyBits; + CK_RSA_PKCS_OAEP_PARAMS_PTR pOAEPParams; +} CK_RSA_AES_KEY_WRAP_PARAMS; + +typedef CK_RSA_AES_KEY_WRAP_PARAMS CK_PTR CK_RSA_AES_KEY_WRAP_PARAMS_PTR; + +typedef struct CK_TLS12_MASTER_KEY_DERIVE_PARAMS { + CK_SSL3_RANDOM_DATA RandomInfo; + CK_VERSION_PTR pVersion; + CK_MECHANISM_TYPE prfHashMechanism; +} CK_TLS12_MASTER_KEY_DERIVE_PARAMS; + +typedef CK_TLS12_MASTER_KEY_DERIVE_PARAMS CK_PTR + CK_TLS12_MASTER_KEY_DERIVE_PARAMS_PTR; + +typedef struct CK_TLS12_KEY_MAT_PARAMS { + CK_ULONG ulMacSizeInBits; + CK_ULONG ulKeySizeInBits; + CK_ULONG ulIVSizeInBits; + CK_BBOOL bIsExport; + CK_SSL3_RANDOM_DATA RandomInfo; + CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial; + CK_MECHANISM_TYPE prfHashMechanism; +} CK_TLS12_KEY_MAT_PARAMS; + +typedef CK_TLS12_KEY_MAT_PARAMS CK_PTR CK_TLS12_KEY_MAT_PARAMS_PTR; + +typedef struct CK_TLS_KDF_PARAMS { + CK_MECHANISM_TYPE prfMechanism; + CK_BYTE_PTR pLabel; + CK_ULONG ulLabelLength; + CK_SSL3_RANDOM_DATA RandomInfo; + CK_BYTE_PTR pContextData; + CK_ULONG ulContextDataLength; +} CK_TLS_KDF_PARAMS; + +typedef CK_TLS_KDF_PARAMS CK_PTR CK_TLS_KDF_PARAMS_PTR; + +typedef struct CK_TLS_MAC_PARAMS { + CK_MECHANISM_TYPE prfHashMechanism; + CK_ULONG ulMacLength; + CK_ULONG ulServerOrClient; +} CK_TLS_MAC_PARAMS; + +typedef CK_TLS_MAC_PARAMS CK_PTR CK_TLS_MAC_PARAMS_PTR; + +typedef struct CK_GOSTR3410_DERIVE_PARAMS { + CK_EC_KDF_TYPE kdf; + CK_BYTE_PTR pPublicData; + CK_ULONG ulPublicDataLen; + CK_BYTE_PTR pUKM; + CK_ULONG ulUKMLen; +} CK_GOSTR3410_DERIVE_PARAMS; + +typedef CK_GOSTR3410_DERIVE_PARAMS CK_PTR CK_GOSTR3410_DERIVE_PARAMS_PTR; + +typedef struct CK_GOSTR3410_KEY_WRAP_PARAMS { + CK_BYTE_PTR pWrapOID; + CK_ULONG ulWrapOIDLen; + CK_BYTE_PTR pUKM; + CK_ULONG ulUKMLen; + CK_OBJECT_HANDLE hKey; +} CK_GOSTR3410_KEY_WRAP_PARAMS; + +typedef CK_GOSTR3410_KEY_WRAP_PARAMS CK_PTR CK_GOSTR3410_KEY_WRAP_PARAMS_PTR; + +typedef struct CK_SEED_CBC_ENCRYPT_DATA_PARAMS { + CK_BYTE iv[16]; + CK_BYTE_PTR pData; + CK_ULONG length; +} CK_SEED_CBC_ENCRYPT_DATA_PARAMS; + +typedef CK_SEED_CBC_ENCRYPT_DATA_PARAMS CK_PTR + CK_SEED_CBC_ENCRYPT_DATA_PARAMS_PTR; + +/* + * New PKCS 11 v3.0 data structures. + */ + +typedef CK_ULONG CK_PROFILE_ID; +typedef CK_PROFILE_ID CK_PTR CK_PROFILE_ID_PTR; + +/* Typedefs for Flexible KDF */ +typedef CK_ULONG CK_PRF_DATA_TYPE; +typedef CK_MECHANISM_TYPE CK_SP800_108_PRF_TYPE; +#define CK_SP800_108_ITERATION_VARIABLE 0x00000001UL +#define CK_SP800_108_OPTIONAL_COUNTER 0x00000002UL +#define CK_SP800_108_DKM_LENGTH 0x00000003UL +#define CK_SP800_108_BYTE_ARRAY 0x00000004UL +#define CK_SP800_108_COUNTER CK_SP800_108_OPTIONAL_COUNTER + +typedef struct CK_PRF_DATA_PARAM { + CK_PRF_DATA_TYPE type; + CK_VOID_PTR pValue; + CK_ULONG ulValueLen; +} CK_PRF_DATA_PARAM; + +typedef CK_PRF_DATA_PARAM CK_PTR CK_PRF_DATA_PARAM_PTR; + +typedef struct CK_SP800_108_COUNTER_FORMAT { + CK_BBOOL bLittleEndian; + CK_ULONG ulWidthInBits; +} CK_SP800_108_COUNTER_FORMAT; + +typedef CK_SP800_108_COUNTER_FORMAT CK_PTR CK_SP800_108_COUNTER_FORMAT_PTR; + +typedef CK_ULONG CK_SP800_108_DKM_LENGTH_METHOD; +#define CK_SP800_108_DKM_LENGTH_SUM_OF_KEYS 0x00000001UL +#define CK_SP800_108_DKM_LENGTH_SUM_OF_SEGMENTS 0x00000002UL + +typedef struct CK_SP800_108_DKM_LENGTH_FORMAT { + CK_SP800_108_DKM_LENGTH_METHOD dkmLengthMethod; + CK_BBOOL bLittleEndian; + CK_ULONG ulWidthInBits; +} CK_SP800_108_DKM_LENGTH_FORMAT; + +typedef CK_SP800_108_DKM_LENGTH_FORMAT CK_PTR + CK_SP800_108_DKM_LENGTH_FORMAT_PTR; + +typedef struct CK_DERIVED_KEY { + CK_ATTRIBUTE_PTR pTemplate; + CK_ULONG ulAttributeCount; + CK_OBJECT_HANDLE_PTR phKey; +} CK_DERIVED_KEY; + +typedef CK_DERIVED_KEY CK_PTR CK_DERIVED_KEY_PTR; + +typedef struct CK_SP800_108_KDF_PARAMS { + CK_SP800_108_PRF_TYPE prfType; + CK_ULONG ulNumberOfDataParams; + CK_PRF_DATA_PARAM_PTR pDataParams; + CK_ULONG ulAdditionalDerivedKeys; + CK_DERIVED_KEY_PTR pAdditionalDerivedKeys; +} CK_SP800_108_KDF_PARAMS; + +typedef CK_SP800_108_KDF_PARAMS CK_PTR CK_SP800_108_KDF_PARAMS_PTR; + +typedef struct CK_SP800_108_FEEDBACK_KDF_PARAMS { + CK_SP800_108_PRF_TYPE prfType; + CK_ULONG ulNumberOfDataParams; + CK_PRF_DATA_PARAM_PTR pDataParams; + CK_ULONG ulIVLen; + CK_BYTE_PTR pIV; + CK_ULONG ulAdditionalDerivedKeys; + CK_DERIVED_KEY_PTR pAdditionalDerivedKeys; +} CK_SP800_108_FEEDBACK_KDF_PARAMS; + +typedef CK_SP800_108_FEEDBACK_KDF_PARAMS CK_PTR + CK_SP800_108_FEEDBACK_KDF_PARAMS_PTR; + +/* EDDSA */ +typedef struct CK_EDDSA_PARAMS { + CK_BBOOL phFlag; + CK_ULONG ulContextDataLen; + CK_BYTE_PTR pContextData; +} CK_EDDSA_PARAMS; + +typedef CK_EDDSA_PARAMS CK_PTR CK_EDDSA_PARAMS_PTR; + +/* Extended ChaCha20/Salsa20 support*/ +typedef struct CK_CHACHA20_PARAMS { + CK_BYTE_PTR pBlockCounter; + CK_ULONG blockCounterBits; + CK_BYTE_PTR pNonce; + CK_ULONG ulNonceBits; +} CK_CHACHA20_PARAMS; + +typedef CK_CHACHA20_PARAMS CK_PTR CK_CHACHA20_PARAMS_PTR; + +typedef struct CK_SALSA20_PARAMS { + CK_BYTE_PTR pBlockCounter; + CK_BYTE_PTR pNonce; + CK_ULONG ulNonceBits; +} CK_SALSA20_PARAMS; +typedef CK_SALSA20_PARAMS CK_PTR CK_SALSA20_PARAMS_PTR; + +typedef struct CK_SALSA20_CHACHA20_POLY1305_PARAMS { + CK_BYTE_PTR pNonce; + CK_ULONG ulNonceLen; + CK_BYTE_PTR pAAD; + CK_ULONG ulAADLen; +} CK_SALSA20_CHACHA20_POLY1305_PARAMS; + +typedef CK_SALSA20_CHACHA20_POLY1305_PARAMS CK_PTR + CK_SALSA20_CHACHA20_POLY1305_PARAMS_PTR; + +typedef struct CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS { + CK_BYTE_PTR pNonce; + CK_ULONG ulNonceLen; + CK_BYTE_PTR pTag; +} CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS; + +typedef CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS CK_PTR + CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS_PTR; + +typedef CK_ULONG CK_X3DH_KDF_TYPE; +typedef CK_X3DH_KDF_TYPE CK_PTR CK_X3DH_KDF_TYPE_PTR; + +/* X3dh, ratchet */ +typedef struct CK_X3DH_INITIATE_PARAMS { + CK_X3DH_KDF_TYPE kdf; + CK_OBJECT_HANDLE pPeer_identity; + CK_OBJECT_HANDLE pPeer_prekey; + CK_BYTE_PTR pPrekey_signature; + CK_BYTE_PTR pOnetime_key; + CK_OBJECT_HANDLE pOwn_identity; + CK_OBJECT_HANDLE pOwn_ephemeral; +} CK_X3DH_INITIATE_PARAMS; + +typedef struct CK_X3DH_RESPOND_PARAMS { + CK_X3DH_KDF_TYPE kdf; + CK_BYTE_PTR pIdentity_id; + CK_BYTE_PTR pPrekey_id; + CK_BYTE_PTR pOnetime_id; + CK_OBJECT_HANDLE pInitiator_identity; + CK_BYTE_PTR pInitiator_ephemeral; +} CK_X3DH_RESPOND_PARAMS; + +typedef CK_ULONG CK_X2RATCHET_KDF_TYPE; +typedef CK_X2RATCHET_KDF_TYPE CK_PTR CK_X2RATCHET_KDF_TYPE_PTR; + +typedef struct CK_X2RATCHET_INITIALIZE_PARAMS { + CK_BYTE_PTR sk; + CK_OBJECT_HANDLE peer_public_prekey; + CK_OBJECT_HANDLE peer_public_identity; + CK_OBJECT_HANDLE own_public_identity; + CK_BBOOL bEncryptedHeader; + CK_ULONG eCurve; + CK_MECHANISM_TYPE aeadMechanism; + CK_X2RATCHET_KDF_TYPE kdfMechanism; +} CK_X2RATCHET_INITIALIZE_PARAMS; + +typedef CK_X2RATCHET_INITIALIZE_PARAMS CK_PTR + CK_X2RATCHET_INITIALIZE_PARAMS_PTR; + +typedef struct CK_X2RATCHET_RESPOND_PARAMS { + CK_BYTE_PTR sk; + CK_OBJECT_HANDLE own_prekey; + CK_OBJECT_HANDLE initiator_identity; + CK_OBJECT_HANDLE own_public_identity; + CK_BBOOL bEncryptedHeader; + CK_ULONG eCurve; + CK_MECHANISM_TYPE aeadMechanism; + CK_X2RATCHET_KDF_TYPE kdfMechanism; +} CK_X2RATCHET_RESPOND_PARAMS; +typedef CK_X2RATCHET_RESPOND_PARAMS CK_PTR CK_X2RATCHET_RESPOND_PARAMS_PTR; + +typedef CK_ULONG CK_XEDDSA_HASH_TYPE; +typedef CK_XEDDSA_HASH_TYPE CK_PTR CK_XEDDSA_HASH_TYPE_PTR; + +/* XEDDSA */ +typedef struct CK_XEDDSA_PARAMS { + CK_XEDDSA_HASH_TYPE hash; +} CK_XEDDSA_PARAMS; +typedef CK_XEDDSA_PARAMS CK_PTR CK_XEDDSA_PARAMS_PTR; + +/* HKDF params */ +typedef struct CK_HKDF_PARAMS { + CK_BBOOL bExtract; + CK_BBOOL bExpand; + CK_MECHANISM_TYPE prfHashMechanism; + CK_ULONG ulSaltType; + CK_BYTE_PTR pSalt; + CK_ULONG ulSaltLen; + CK_OBJECT_HANDLE hSaltKey; + CK_BYTE_PTR pInfo; + CK_ULONG ulInfoLen; +} CK_HKDF_PARAMS; +typedef CK_HKDF_PARAMS CK_PTR CK_HKDF_PARAMS_PTR; + +#define CKF_HKDF_SALT_NULL 0x00000001UL +#define CKF_HKDF_SALT_DATA 0x00000002UL +#define CKF_HKDF_SALT_KEY 0x00000004UL + +/* HSS */ +typedef CK_ULONG CK_HSS_LEVELS; +typedef CK_ULONG CK_LMS_TYPE; +typedef CK_ULONG CK_LMOTS_TYPE; + +typedef struct specifiedParams { + CK_HSS_LEVELS levels; + CK_LMS_TYPE lm_type[8]; + CK_LMOTS_TYPE lm_ots_type[8]; +} specifiedParams; + +/* IKE Params */ +typedef struct CK_IKE2_PRF_PLUS_DERIVE_PARAMS { + CK_MECHANISM_TYPE prfMechanism; + CK_BBOOL bHasSeedKey; + CK_OBJECT_HANDLE hSeedKey; + CK_BYTE_PTR pSeedData; + CK_ULONG ulSeedDataLen; +} CK_IKE2_PRF_PLUS_DERIVE_PARAMS; +typedef CK_IKE2_PRF_PLUS_DERIVE_PARAMS CK_PTR + CK_IKE2_PRF_PLUS_DERIVE_PARAMS_PTR; + +typedef struct CK_IKE_PRF_DERIVE_PARAMS { + CK_MECHANISM_TYPE prfMechanism; + CK_BBOOL bDataAsKey; + CK_BBOOL bRekey; + CK_BYTE_PTR pNi; + CK_ULONG ulNiLen; + CK_BYTE_PTR pNr; + CK_ULONG ulNrLen; + CK_OBJECT_HANDLE hNewKey; +} CK_IKE_PRF_DERIVE_PARAMS; +typedef CK_IKE_PRF_DERIVE_PARAMS CK_PTR CK_IKE_PRF_DERIVE_PARAMS_PTR; + +typedef struct CK_IKE1_PRF_DERIVE_PARAMS { + CK_MECHANISM_TYPE prfMechanism; + CK_BBOOL bHasPrevKey; + CK_OBJECT_HANDLE hKeygxy; + CK_OBJECT_HANDLE hPrevKey; + CK_BYTE_PTR pCKYi; + CK_ULONG ulCKYiLen; + CK_BYTE_PTR pCKYr; + CK_ULONG ulCKYrLen; + CK_BYTE keyNumber; +} CK_IKE1_PRF_DERIVE_PARAMS; +typedef CK_IKE1_PRF_DERIVE_PARAMS CK_PTR CK_IKE1_PRF_DERIVE_PARAMS_PTR; + +typedef struct CK_IKE1_EXTENDED_DERIVE_PARAMS { + CK_MECHANISM_TYPE prfMechanism; + CK_BBOOL bHasKeygxy; + CK_OBJECT_HANDLE hKeygxy; + CK_BYTE_PTR pExtraData; + CK_ULONG ulExtraDataLen; +} CK_IKE1_EXTENDED_DERIVE_PARAMS; +typedef CK_IKE1_EXTENDED_DERIVE_PARAMS CK_PTR + CK_IKE1_EXTENDED_DERIVE_PARAMS_PTR; + +#endif /* _PKCS11T_H_ */ diff --git a/pkcs11/pkcs11y.h b/pkcs11/pkcs11y.h index 7cf1aa0ce..555b2f2fd 100644 --- a/pkcs11/pkcs11y.h +++ b/pkcs11/pkcs11y.h @@ -17,8 +17,51 @@ #ifndef PKCS11Y_H #define PKCS11Y_H +#include + +#ifdef CRYPTOKI_EXPORTS +#ifdef _WIN32 +#define CK_SPEC __declspec(dllexport) +#else +#define CK_SPEC __attribute__((visibility("default"))) +#endif +#else +#define CK_SPEC +#endif + +#ifndef NULL_PTR +#define NULL_PTR 0 +#endif + +#define CRYPTOKI_LEGACY_VERSION_MAJOR 2 +#define CRYPTOKI_LEGACY_VERSION_MINOR 40 + +#define CK_PTR * +#define CK_BOOL bool +#define CK_HANDLE void * +#define CK_DECLARE_FUNCTION(returnType, name) returnType CK_SPEC name +#define CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType(*name) +#define CK_CALLBACK_FUNCTION(returnType, name) returnType(*name) + +#define CK_DEFINE_FUNCTION(returnType, name) returnType CK_SPEC name + +#ifdef _WIN32 +#pragma pack(push, cryptoki, 1) +#endif + +#ifdef __cplusplus +extern "C" { +#endif + #include "pkcs11.h" -#include "yubihsm.h" + +#ifdef __cplusplus +} +#endif + +#ifdef _WIN32 +#pragma pack(pop, cryptoki) +#endif /* This is an offset for the vendor definitions to avoid clashes */ #define YUBICO_BASE_VENDOR 0x59554200 @@ -33,10 +76,4 @@ #define CKM_YUBICO_AES_CCM_WRAP \ (CKM_VENDOR_DEFINED | YUBICO_BASE_VENDOR | YH_WRAP_KEY) -// TODO: These values are from PKCS11 3.0 and should be removed when we upgrade -#define CKD_YUBICO_SHA1_KDF_SP800 0x0000000EUL -#define CKD_YUBICO_SHA256_KDF_SP800 0x00000010UL -#define CKD_YUBICO_SHA384_KDF_SP800 0x00000011UL -#define CKD_YUBICO_SHA512_KDF_SP800 0x00000012UL - #endif diff --git a/pkcs11/tests/CMakeLists.txt b/pkcs11/tests/CMakeLists.txt index 689adcad9..6486543e9 100644 --- a/pkcs11/tests/CMakeLists.txt +++ b/pkcs11/tests/CMakeLists.txt @@ -227,6 +227,12 @@ set ( common.c ) +set ( + SOURCE_PKCS11_INTERFACES_TEST + pkcs11_interfaces_test.c + common.c +) + if(NOT ${CMAKE_SYSTEM_NAME} MATCHES "Windows") add_executable (aes_encrypt_test ${SOURCE_AES_ENCRYPT}) add_executable (ecdh_derive_test ${SOURCE_ECDH_DERIVE}) @@ -287,6 +293,18 @@ if (NOT ${LIBCRYPTO_VERSION} VERSION_LESS 1.1) NAME pss_sign_test COMMAND ${CMAKE_CURRENT_BINARY_DIR}/pss_sign_test ${CMAKE_CURRENT_BINARY_DIR}/../yubihsm_pkcs11.${LIBEXT} ) + + + add_executable (pkcs11_interfaces_test ${SOURCE_PKCS11_INTERFACES_TEST}) + + target_link_libraries ( + pkcs11_interfaces_test + "-ldl") + + add_test ( + NAME pkcs11_interfaces_test + COMMAND ${CMAKE_CURRENT_BINARY_DIR}/pkcs11_interfaces_test ${CMAKE_CURRENT_BINARY_DIR}/../yubihsm_pkcs11.${LIBEXT} + ) endif(NOT ${LIBCRYPTO_VERSION} VERSION_LESS 1.1) endif(NOT ${CMAKE_SYSTEM_NAME} MATCHES "Windows") diff --git a/pkcs11/tests/aes_encrypt_test.c b/pkcs11/tests/aes_encrypt_test.c index c636e85d4..a5140f5e3 100644 --- a/pkcs11/tests/aes_encrypt_test.c +++ b/pkcs11/tests/aes_encrypt_test.c @@ -20,7 +20,7 @@ #include #include -#include "../pkcs11.h" +#include "../pkcs11y.h" #include "common.h" #define FAIL(fmt, ...) \ @@ -130,7 +130,7 @@ static struct test tests[] = { }; static CK_BBOOL g_true = TRUE; -static CK_RV create_aes_key(CK_FUNCTION_LIST_PTR p11, CK_SESSION_HANDLE session, +static CK_RV create_aes_key(CK_FUNCTION_LIST_3_0_PTR p11, CK_SESSION_HANDLE session, CK_BYTE_PTR key, CK_ULONG len, CK_OBJECT_HANDLE *handle) { CK_OBJECT_CLASS class = CKO_SECRET_KEY; @@ -213,7 +213,7 @@ static int do_test_single_part(InitFunc init, SingleFunc single, return 0; } -static int test_single_part(CK_FUNCTION_LIST_PTR p11, CK_SESSION_HANDLE session, +static int test_single_part(CK_FUNCTION_LIST_3_0_PTR p11, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE handle, struct test *test) { CK_MECHANISM mechanism = {test->mechanism, NULL, 0}; if (mechanism.mechanism != CKM_AES_ECB) { @@ -358,7 +358,7 @@ static size_t pad_output_size(size_t in, size_t out) { return pending <= 16 ? 0 : simple_output_size(in, out); } -static CK_RV test_multiple_part(CK_FUNCTION_LIST_PTR p11, +static CK_RV test_multiple_part(CK_FUNCTION_LIST_3_0_PTR p11, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE handle, struct test *test) { CK_MECHANISM mechanism = {test->mechanism, NULL, 0}; @@ -389,7 +389,7 @@ static CK_RV test_multiple_part(CK_FUNCTION_LIST_PTR p11, return CKR_OK; } -static int run_test(CK_FUNCTION_LIST_PTR p11, CK_SESSION_HANDLE session, +static int run_test(CK_FUNCTION_LIST_3_0_PTR p11, CK_SESSION_HANDLE session, struct test *test) { CK_OBJECT_HANDLE handle = 0; int rv; @@ -409,7 +409,7 @@ static int run_test(CK_FUNCTION_LIST_PTR p11, CK_SESSION_HANDLE session, return rv; } -static CK_RV is_aes_supported(CK_FUNCTION_LIST_PTR p11, +static CK_RV is_aes_supported(CK_FUNCTION_LIST_3_0_PTR p11, CK_SESSION_HANDLE session) { CK_SESSION_INFO info; CK_RV r; @@ -470,7 +470,7 @@ int main(int argc, char *argv[]) { } void *handle = open_module(argv[1]); - CK_FUNCTION_LIST_PTR p11 = get_function_list(handle); + CK_FUNCTION_LIST_3_0_PTR p11 = get_function_list(handle); CK_SESSION_HANDLE session = open_session(p11); print_session_state(p11, session); diff --git a/pkcs11/tests/common.c b/pkcs11/tests/common.c index c651bebb4..1eaf011bb 100644 --- a/pkcs11/tests/common.c +++ b/pkcs11/tests/common.c @@ -37,19 +37,19 @@ void close_module(void *handle) { assert(r == 0); } -CK_FUNCTION_LIST_PTR get_function_list(void *handle) { - CK_C_GetFunctionList fn; - *(void **) (&fn) = dlsym(handle, "C_GetFunctionList"); +CK_FUNCTION_LIST_3_0_PTR get_function_list(void *handle) { + CK_C_GetInterface fn; + *(void **) (&fn) = dlsym(handle, "C_GetInterface"); assert(fn != NULL); - CK_FUNCTION_LIST_PTR p11; - CK_RV rv = fn(&p11); + CK_INTERFACE_PTR interface; + CK_RV rv = fn(NULL, NULL, &interface, 0); assert(rv == CKR_OK); - return p11; + return interface->pFunctionList; } -CK_SESSION_HANDLE open_session(CK_FUNCTION_LIST_PTR p11) { +CK_SESSION_HANDLE open_session(CK_FUNCTION_LIST_3_0_PTR p11) { CK_SESSION_HANDLE session; CK_C_INITIALIZE_ARGS initArgs; memset(&initArgs, 0, sizeof(initArgs)); @@ -61,7 +61,7 @@ CK_SESSION_HANDLE open_session(CK_FUNCTION_LIST_PTR p11) { } char config[256]; assert(strlen(connector_url) + strlen("connector=") < 256); - sprintf(config, "connector=%s", connector_url); + snprintf(config, sizeof(config), "connector=%s", connector_url); initArgs.pReserved = (void *) config; CK_RV rv = p11->C_Initialize(&initArgs); assert(rv == CKR_OK); @@ -79,7 +79,7 @@ CK_SESSION_HANDLE open_session(CK_FUNCTION_LIST_PTR p11) { return session; } -void close_session(CK_FUNCTION_LIST_PTR p11, CK_SESSION_HANDLE session) { +void close_session(CK_FUNCTION_LIST_3_0_PTR p11, CK_SESSION_HANDLE session) { CK_RV rv = p11->C_Logout(session); assert(rv == CKR_OK); @@ -90,7 +90,7 @@ void close_session(CK_FUNCTION_LIST_PTR p11, CK_SESSION_HANDLE session) { assert(rv == CKR_OK); } -void print_session_state(CK_FUNCTION_LIST_PTR p11, CK_SESSION_HANDLE session) { +void print_session_state(CK_FUNCTION_LIST_3_0_PTR p11, CK_SESSION_HANDLE session) { CK_SESSION_INFO pInfo; CK_RV rv = p11->C_GetSessionInfo(session, &pInfo); assert(rv == CKR_OK); @@ -119,7 +119,7 @@ void print_session_state(CK_FUNCTION_LIST_PTR p11, CK_SESSION_HANDLE session) { } } -bool destroy_object(CK_FUNCTION_LIST_PTR p11, CK_SESSION_HANDLE session, +bool destroy_object(CK_FUNCTION_LIST_3_0_PTR p11, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE key) { if ((p11->C_DestroyObject(session, key)) != CKR_OK) { printf("WARN. Failed to destroy object 0x%lx on HSM. FAIL\n", key); diff --git a/pkcs11/tests/common.h b/pkcs11/tests/common.h index 704c5914a..a384a8622 100644 --- a/pkcs11/tests/common.h +++ b/pkcs11/tests/common.h @@ -18,15 +18,15 @@ #define YUBIHSM_PKCS11_TESTS_COMMON_H #include -#include "../pkcs11.h" +#include "../pkcs11y.h" void *open_module(const char *path); void close_module(void *handle); -CK_FUNCTION_LIST_PTR get_function_list(void *handle); -CK_SESSION_HANDLE open_session(CK_FUNCTION_LIST_PTR p11); -void close_session(CK_FUNCTION_LIST_PTR p11, CK_SESSION_HANDLE session); -void print_session_state(CK_FUNCTION_LIST_PTR p11, CK_SESSION_HANDLE session); -bool destroy_object(CK_FUNCTION_LIST_PTR p11, CK_SESSION_HANDLE session, +CK_FUNCTION_LIST_3_0_PTR get_function_list(void *handle); +CK_SESSION_HANDLE open_session(CK_FUNCTION_LIST_3_0_PTR p11); +void close_session(CK_FUNCTION_LIST_3_0_PTR p11, CK_SESSION_HANDLE session); +void print_session_state(CK_FUNCTION_LIST_3_0_PTR p11, CK_SESSION_HANDLE session); +bool destroy_object(CK_FUNCTION_LIST_3_0_PTR p11, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE key); #endif diff --git a/pkcs11/tests/ecdh_derive_test.c b/pkcs11/tests/ecdh_derive_test.c index caf704cfc..3b88029d6 100644 --- a/pkcs11/tests/ecdh_derive_test.c +++ b/pkcs11/tests/ecdh_derive_test.c @@ -26,7 +26,7 @@ #include #include -#include "../pkcs11.h" +#include "../pkcs11y.h" #include "common.h" #define BUFSIZE 1024 @@ -37,7 +37,7 @@ CK_BYTE P256_PARAMS[] = {0x06, 0x08, 0x2a, 0x86, 0x48, CK_BYTE P384_PARAMS[] = {0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22}; CK_BYTE P521_PARAMS[] = {0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23}; -static CK_FUNCTION_LIST_PTR p11; +static CK_FUNCTION_LIST_3_0_PTR p11; static CK_SESSION_HANDLE session; char *CURVES[] = {"secp224r1", "prime256v1", "secp384r1", "secp521r1"}; diff --git a/pkcs11/tests/ecdh_sp800_test.c b/pkcs11/tests/ecdh_sp800_test.c index 63507f632..7331bb1d0 100644 --- a/pkcs11/tests/ecdh_sp800_test.c +++ b/pkcs11/tests/ecdh_sp800_test.c @@ -17,6 +17,7 @@ #ifdef NDEBUG #undef NDEBUG #endif +#include #include #include #include @@ -26,7 +27,6 @@ #include #include -#include "../pkcs11.h" #include "../pkcs11y.h" #include "common.h" @@ -38,7 +38,7 @@ CK_BYTE P256_PARAMS[] = {0x06, 0x08, 0x2a, 0x86, 0x48, CK_BYTE P384_PARAMS[] = {0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22}; CK_BYTE P521_PARAMS[] = {0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23}; -static CK_FUNCTION_LIST_PTR p11; +static CK_FUNCTION_LIST_3_0_PTR p11; static CK_SESSION_HANDLE session; char *CURVES[] = {"secp224r1", "prime256v1", "secp384r1", "secp521r1"}; @@ -272,19 +272,19 @@ static size_t openssl_derive(CK_ULONG kdf, EVP_PKEY *private_key, case CKD_NULL: memcpy(*ecdh_key, derived, len); goto c_truncate; - case CKD_YUBICO_SHA1_KDF_SP800: + case CKD_SHA1_KDF_SP800: md = EVP_sha1(); output_bits = 160; break; - case CKD_YUBICO_SHA256_KDF_SP800: + case CKD_SHA256_KDF_SP800: md = EVP_sha256(); output_bits = 256; break; - case CKD_YUBICO_SHA384_KDF_SP800: + case CKD_SHA384_KDF_SP800: md = EVP_sha384(); output_bits = 384; break; - case CKD_YUBICO_SHA512_KDF_SP800: + case CKD_SHA512_KDF_SP800: md = EVP_sha512(); output_bits = 384; break; @@ -518,25 +518,25 @@ int main(int argc, char **argv) { for (int i = 0; i < CURVE_COUNT; i++) { for (size_t j = 0; j < 3; j++) { - run_test(handle, CURVES[i], CKD_YUBICO_SHA1_KDF_SP800, yh_privkey[i], + run_test(handle, CURVES[i], CKD_SHA1_KDF_SP800, yh_privkey[i], yh_pubkey[i], key_lens[j] / 8, key_lens[j] / 8, CKR_OK); - run_test(handle, CURVES[i], CKD_YUBICO_SHA256_KDF_SP800, yh_privkey[i], + run_test(handle, CURVES[i], CKD_SHA256_KDF_SP800, yh_privkey[i], yh_pubkey[i], key_lens[j] / 8, key_lens[j] / 8, CKR_OK); - run_test(handle, CURVES[i], CKD_YUBICO_SHA384_KDF_SP800, yh_privkey[i], + run_test(handle, CURVES[i], CKD_SHA384_KDF_SP800, yh_privkey[i], yh_pubkey[i], key_lens[j] / 8, key_lens[j] / 8, CKR_OK); - run_test(handle, CURVES[i], CKD_YUBICO_SHA512_KDF_SP800, yh_privkey[i], + run_test(handle, CURVES[i], CKD_SHA512_KDF_SP800, yh_privkey[i], yh_pubkey[i], key_lens[j] / 8, key_lens[j] / 8, CKR_OK); } run_test(handle, CURVES[i], CKD_NULL, yh_privkey[i], yh_pubkey[i], 0, CURVE_ECDH_LEN[i], CKR_OK); - run_test(handle, CURVES[i], CKD_YUBICO_SHA1_KDF_SP800, yh_privkey[i], + run_test(handle, CURVES[i], CKD_SHA1_KDF_SP800, yh_privkey[i], yh_pubkey[i], 0, 20, CKR_OK); - run_test(handle, CURVES[i], CKD_YUBICO_SHA256_KDF_SP800, yh_privkey[i], + run_test(handle, CURVES[i], CKD_SHA256_KDF_SP800, yh_privkey[i], yh_pubkey[i], 0, 32, CKR_OK); - run_test(handle, CURVES[i], CKD_YUBICO_SHA384_KDF_SP800, yh_privkey[i], + run_test(handle, CURVES[i], CKD_SHA384_KDF_SP800, yh_privkey[i], yh_pubkey[i], 0, 48, CKR_OK); - run_test(handle, CURVES[i], CKD_YUBICO_SHA512_KDF_SP800, yh_privkey[i], + run_test(handle, CURVES[i], CKD_SHA512_KDF_SP800, yh_privkey[i], yh_pubkey[i], 0, 64, CKR_OK); } run_test(handle, CURVES[0], CKD_NULL, yh_privkey[0], yh_pubkey[0], 1024, 0, diff --git a/pkcs11/tests/pkcs11_interfaces_test.c b/pkcs11/tests/pkcs11_interfaces_test.c new file mode 100644 index 000000000..f7e9064cb --- /dev/null +++ b/pkcs11/tests/pkcs11_interfaces_test.c @@ -0,0 +1,111 @@ +/* +* Copyright 2024 Yubico AB +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +#ifdef NDEBUG +#undef NDEBUG +#endif +#include +#include +#include +#include +#include + +#include "../pkcs11y.h" +#include "common.h" + +CK_VOID_PTR funcs; + +static CK_C_GetInterface get_interface_function(void *handle) { + CK_C_GetInterface fn; + *(void **) (&fn) = dlsym(handle, "C_GetInterface"); + assert(fn != NULL); + return fn; +} + +static void get_default_functions(void *handle) { + funcs = get_function_list(handle); +} + +static void get_named_functions(void *handle) { + CK_C_GetInterface fn = get_interface_function(handle); + CK_INTERFACE_PTR interface; + assert(fn((CK_UTF8CHAR_PTR)"PKCS 11", NULL, &interface, 0) == CKR_OK); + funcs = interface->pFunctionList; +} + +static void get_versioned_functions(void *handle, CK_BYTE major, CK_BYTE minor) { + CK_C_GetInterface fn = get_interface_function(handle); + CK_INTERFACE_PTR interface; + CK_VERSION version; + version.major=major; + version.minor=minor; + assert(fn(NULL,&version,&interface,0) == CKR_OK); + funcs = interface->pFunctionList; +} + +static void test_lib_info(CK_ULONG vmajor, CK_ULONG vminor) { + const CK_CHAR_PTR MANUFACTURER_ID = (const CK_CHAR_PTR)"Yubico (www.yubico.com)"; + const CK_CHAR_PTR PKCS11_DESCRIPTION = (const CK_CHAR_PTR)"YubiHSM PKCS#11 Library"; + + CK_C_INITIALIZE_ARGS initArgs; + memset(&initArgs, 0, sizeof(initArgs)); + + const char *connector_url; + connector_url = getenv("DEFAULT_CONNECTOR_URL"); + if (connector_url == NULL) { + connector_url = DEFAULT_CONNECTOR_URL; + } + char config[256] = {0}; + assert(strlen(connector_url) + strlen("connector=") < 256); + snprintf(config, sizeof(config), "connector=%s", connector_url); + initArgs.pReserved = (void *) config; + assert(((CK_FUNCTION_LIST_3_0*)funcs)->C_Initialize(&initArgs) == CKR_OK); + + CK_INFO info; + assert(((CK_FUNCTION_LIST_3_0*)funcs)->C_GetInfo(&info) == CKR_OK); + assert(strncmp((const char*)info.manufacturerID, (const char*)MANUFACTURER_ID, strlen((const char*)MANUFACTURER_ID)) == 0); + + assert(info.cryptokiVersion.major == vmajor); + assert(info.cryptokiVersion.minor == vminor); + assert(info.libraryVersion.major == VERSION_MAJOR); + assert(info.libraryVersion.minor == ((VERSION_MINOR * 10) + VERSION_PATCH)); + assert(strncmp((const char*)info.libraryDescription, (const char*)PKCS11_DESCRIPTION, strlen((const char*)PKCS11_DESCRIPTION)) == 0); + assert(((CK_FUNCTION_LIST_3_0*)funcs)->C_Finalize(NULL) == CKR_OK); +} + +int main(int argc, char **argv) { + + if (argc != 2) { + fprintf(stderr, "usage: /path/to/yubihsm_pkcs11/module\n"); + exit(EXIT_FAILURE); + } + + void *handle = open_module(argv[1]); + get_default_functions(handle); + test_lib_info(CRYPTOKI_VERSION_MAJOR, CRYPTOKI_VERSION_MINOR); + assert(((CK_FUNCTION_LIST_3_0*)funcs)->C_SignMessage(0, NULL, 0, NULL, 0, NULL, NULL) == CKR_FUNCTION_NOT_SUPPORTED); + + get_versioned_functions(handle, CRYPTOKI_LEGACY_VERSION_MAJOR, CRYPTOKI_LEGACY_VERSION_MINOR); + test_lib_info(CRYPTOKI_LEGACY_VERSION_MAJOR, CRYPTOKI_LEGACY_VERSION_MINOR); + + get_versioned_functions(handle, CRYPTOKI_VERSION_MAJOR, CRYPTOKI_VERSION_MINOR); + test_lib_info(CRYPTOKI_VERSION_MAJOR, CRYPTOKI_VERSION_MINOR); + + get_named_functions(handle); + test_lib_info(CRYPTOKI_VERSION_MAJOR, CRYPTOKI_VERSION_MINOR); + + return EXIT_SUCCESS; +} diff --git a/pkcs11/tests/pss_sign_test.c b/pkcs11/tests/pss_sign_test.c index d4ffd461c..9ba783b62 100644 --- a/pkcs11/tests/pss_sign_test.c +++ b/pkcs11/tests/pss_sign_test.c @@ -25,12 +25,12 @@ #include #include -#include "../pkcs11.h" +#include "../pkcs11y.h" #include "common.h" #define BUFSIZE 1024 -static CK_FUNCTION_LIST_PTR p11; +static CK_FUNCTION_LIST_3_0_PTR p11; static CK_SESSION_HANDLE session; static void import_rsa_key(int keylen, RSA *rsak, diff --git a/pkcs11/tests/rsa_enc_test.c b/pkcs11/tests/rsa_enc_test.c index c6c78aa32..838855f03 100644 --- a/pkcs11/tests/rsa_enc_test.c +++ b/pkcs11/tests/rsa_enc_test.c @@ -28,12 +28,12 @@ #include #include -#include "../pkcs11.h" +#include "../pkcs11y.h" #include "common.h" #define BUFSIZE 1024 -static CK_FUNCTION_LIST_PTR p11; +static CK_FUNCTION_LIST_3_0_PTR p11; static CK_SESSION_HANDLE session; static void import_rsa_key(int keylen, RSA *rsak, diff --git a/pkcs11/util_pkcs11.c b/pkcs11/util_pkcs11.c index c458a2a47..613224d88 100644 --- a/pkcs11/util_pkcs11.c +++ b/pkcs11/util_pkcs11.c @@ -36,6 +36,7 @@ #include #include #include +#include #include "util_pkcs11.h" #include "debug_p11.h" @@ -43,7 +44,9 @@ #include "../common/insecure_memzero.h" #define UNUSED(x) (void) (x) +#define ASN1_OCTET_STRING 0x04 #define ASN1_OID 0x06 +#define ASN1_PRINTABLE_STRING 0x13 static const uint8_t oid_secp224r1[] = {ASN1_OID, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x21}; static const uint8_t oid_secp256r1[] = {ASN1_OID, 0x08, 0x2a, 0x86, 0x48, @@ -63,6 +66,20 @@ static const uint8_t oid_brainpool384r1[] = {ASN1_OID, 0x09, 0x2b, 0x24, static const uint8_t oid_brainpool512r1[] = {ASN1_OID, 0x09, 0x2b, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0d}; +static const uint8_t oid_ed25519[] = {ASN1_PRINTABLE_STRING, + 0x0c, + 0x65, + 0x64, + 0x77, + 0x61, + 0x72, + 0x64, + 0x73, + 0x32, + 0x35, + 0x35, + 0x31, + 0x39}; CK_RV yrc_to_rv(yh_rc rc) { switch (rc) { @@ -135,6 +152,22 @@ CK_RV yrc_to_rv(yh_rc rc) { } } +static CK_ULONG encode_length(CK_BYTE_PTR buffer, CK_ULONG length) { + if (length < 0x80) { + *buffer++ = length; + return 1; + } else if (length < 0x100) { + *buffer++ = 0x81; + *buffer++ = length; + return 2; + } else { + *buffer++ = 0x82; + *buffer++ = (length >> 8) & 0xff; + *buffer++ = length & 0xff; + return 3; + } +} + static void add_mech(CK_MECHANISM_TYPE *buf, CK_ULONG_PTR count, CK_MECHANISM_TYPE item) { for (CK_ULONG i = 0; i < *count; i++) { @@ -235,6 +268,11 @@ CK_RV get_mechanism_list(yubihsm_pkcs11_slot *slot, add_mech(buffer, &items, CKM_EC_KEY_PAIR_GEN); break; + case YH_ALGO_EC_ED25519: + add_mech(buffer, &items, CKM_EDDSA); + add_mech(buffer, &items, CKM_EC_EDWARDS_KEY_PAIR_GEN); + break; + case YH_ALGO_HMAC_SHA1: add_mech(buffer, &items, CKM_SHA_1_HMAC); add_mech(buffer, &items, CKM_GENERIC_SECRET_KEY_GEN); @@ -506,6 +544,20 @@ CK_RV get_mechanism_info(yubihsm_pkcs11_slot *slot, CK_MECHANISM_TYPE type, CKF_EC_NAMEDCURVE | CKF_EC_UNCOMPRESS; break; + case CKM_EC_EDWARDS_KEY_PAIR_GEN: + pInfo->ulMaxKeySize = 255; + pInfo->ulMinKeySize = 255; + pInfo->flags = CKF_HW | CKF_GENERATE_KEY_PAIR | CKF_EC_F_P | + CKF_EC_NAMEDCURVE | CKF_EC_COMPRESS; + break; + + case CKM_EDDSA: + pInfo->ulMaxKeySize = 255; + pInfo->ulMinKeySize = 255; + pInfo->flags = CKF_HW | CKF_SIGN | CKF_VERIFY | CKF_EC_F_P | + CKF_EC_NAMEDCURVE | CKF_EC_COMPRESS; + break; + case CKM_SHA_1_HMAC: pInfo->ulMaxKeySize = 64 * 8; pInfo->ulMinKeySize = 1; @@ -843,7 +895,7 @@ CK_RV write_meta_object(yubihsm_pkcs11_slot *slot, write_meta_item(p, PKCS11_PUBKEY_LABEL_TAG, &meta_object->cka_label_pubkey); char opaque_label[YH_OBJ_LABEL_LEN] = {0}; - sprintf(opaque_label, "Meta object for 0x%02x%02x%04x", + snprintf(opaque_label, sizeof(opaque_label), "Meta object for 0x%02x%02x%04x", meta_object->target_sequence, meta_object->target_type, meta_object->target_id); @@ -1483,6 +1535,8 @@ static CK_RV get_attribute_private_key(CK_ATTRIBUTE_TYPE type, if (object->type == YH_ASYMMETRIC_KEY) { if (yh_is_rsa(object->algorithm)) { *((CK_KEY_TYPE *) value) = CKK_RSA; + } else if (yh_is_ed(object->algorithm)) { + *((CK_KEY_TYPE *) value) = CKK_EC_EDWARDS; } else { *((CK_KEY_TYPE *) value) = CKK_EC; } @@ -1558,6 +1612,10 @@ static CK_RV get_attribute_private_key(CK_ATTRIBUTE_TYPE type, yh_is_ec(object->algorithm) == true) { get_capability_attribute(object, "sign-ecdsa", true, value, length, NULL); + } else if (object->type == YH_ASYMMETRIC_KEY && + yh_is_ed(object->algorithm) == true) { + get_capability_attribute(object, "sign-eddsa", true, value, length, + NULL); } else { *((CK_BBOOL *) value) = CK_FALSE; *length = sizeof(CK_BBOOL); @@ -1625,6 +1683,10 @@ static CK_RV get_attribute_private_key(CK_ATTRIBUTE_TYPE type, oid = oid_brainpool512r1; *length = sizeof(oid_brainpool512r1); break; + case YH_ALGO_EC_ED25519: + oid = oid_ed25519; + *length = sizeof(oid_ed25519); + break; default: return CKR_ATTRIBUTE_TYPE_INVALID; } @@ -1642,12 +1704,25 @@ static CK_RV get_attribute_private_key(CK_ATTRIBUTE_TYPE type, } uint8_t *p = value; - *p++ = 0x04; - if (resplen + 1 >= 0x80) { - *p++ = 0x81; + *p++ = ASN1_OCTET_STRING; + p += encode_length(p, resplen + 1); + *p++ = 0x04; // UNCOMPRESSED POINT + memcpy(p, resp, resplen); + p += resplen; + *length = p - (uint8_t *) value; + } else if (yh_is_ed(object->algorithm)) { + uint8_t resp[2048]; + size_t resplen = sizeof(resp); + + yh_rc yrc = + yh_util_get_public_key(session->slot->device_session, object->id, resp, &resplen, NULL); + if (yrc != YHR_SUCCESS) { + return yrc_to_rv(yrc); } - *p++ = resplen + 1; - *p++ = 0x04; + + uint8_t *p = value; + *p++ = ASN1_OCTET_STRING; + p += encode_length(p, resplen); memcpy(p, resp, resplen); p += resplen; *length = p - (uint8_t *) value; @@ -1656,6 +1731,20 @@ static CK_RV get_attribute_private_key(CK_ATTRIBUTE_TYPE type, } break; + case CKA_MODULUS_BITS: + if (yh_is_rsa(object->algorithm)) { + size_t key_length = 0; + yh_rc yrc = yh_get_key_bitlength(object->algorithm, &key_length); + if (yrc != YHR_SUCCESS) { + return yrc_to_rv(yrc); + } + *(CK_ULONG *) value = key_length; + *length = sizeof(CK_ULONG); + } else { + return CKR_ATTRIBUTE_TYPE_INVALID; + } + break; + case CKA_MODULUS: if (yh_is_rsa(object->algorithm)) { uint8_t resp[2048] = {0}; @@ -1698,7 +1787,7 @@ static CK_RV get_attribute_private_key(CK_ATTRIBUTE_TYPE type, return CKR_OK; } -static CK_RV load_public_key(yh_session *session, uint16_t id, EVP_PKEY *key) { +static CK_RV load_public_key(yh_session *session, uint16_t id, EVP_PKEY **key) { uint8_t data[1024] = {0}; size_t data_len = sizeof(data) - 1; @@ -1737,10 +1826,15 @@ static CK_RV load_public_key(yh_session *session, uint16_t id, EVP_PKEY *key) { n = NULL; e = NULL; - if (EVP_PKEY_assign_RSA(key, rsa) == 0) { + *key = EVP_PKEY_new(); + if (*key == NULL) { goto l_p_k_failure; } - } else { + + if (EVP_PKEY_assign_RSA(*key, rsa) == 0) { + goto l_p_k_failure; + } + } else if (yh_is_ec(algo)) { ec_key = EC_KEY_new(); if (ec_key == NULL) { goto l_p_k_failure; @@ -1774,12 +1868,28 @@ static CK_RV load_public_key(yh_session *session, uint16_t id, EVP_PKEY *key) { goto l_p_k_failure; } - if (EVP_PKEY_assign_EC_KEY(key, ec_key) == 0) { + *key = EVP_PKEY_new(); + if (*key == NULL) { + goto l_p_k_failure; + } + + if (EVP_PKEY_assign_EC_KEY(*key, ec_key) == 0) { goto l_p_k_failure; } EC_POINT_free(ec_point); EC_GROUP_free(ec_group); +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) + } else if (yh_is_ed(algo)) { + *key = + EVP_PKEY_new_raw_public_key(algo2nid(algo), NULL, data + 1, data_len); + if (*key == NULL) { + goto l_p_k_failure; + } +#endif + } else { + DBG_ERR("Unsupported key algorithm"); + goto l_p_k_failure; } return CKR_OK; @@ -1853,6 +1963,10 @@ static CK_RV get_attribute_public_key(CK_ATTRIBUTE_TYPE type, yh_is_ec(object->algorithm) == true) { get_capability_attribute(object, "sign-ecdsa", true, value, length, NULL); + } else if (object->type == (0x80 | YH_ASYMMETRIC_KEY) && + yh_is_ed(object->algorithm) == true) { + get_capability_attribute(object, "sign-eddsa", true, value, length, + NULL); } else { *((CK_BBOOL *) value) = CK_FALSE; *length = sizeof(CK_BBOOL); @@ -1885,6 +1999,10 @@ static CK_RV get_attribute_public_key(CK_ATTRIBUTE_TYPE type, *((CK_KEY_TYPE *) value) = CKK_EC; break; + case YH_ALGO_EC_ED25519: + *((CK_KEY_TYPE *) value) = CKK_EC_EDWARDS; + break; + default: *((CK_KEY_TYPE *) value) = CKK_VENDOR_DEFINED; // TODO: argh } @@ -1981,6 +2099,10 @@ static CK_RV get_attribute_public_key(CK_ATTRIBUTE_TYPE type, oid = oid_brainpool512r1; *length = sizeof(oid_brainpool512r1); break; + case YH_ALGO_EC_ED25519: + oid = oid_ed25519; + *length = sizeof(oid_ed25519); + break; default: return CKR_ATTRIBUTE_TYPE_INVALID; } @@ -2000,12 +2122,25 @@ static CK_RV get_attribute_public_key(CK_ATTRIBUTE_TYPE type, } uint8_t *p = value; - *p++ = 0x04; - if (resplen + 1 >= 0x80) { - *p++ = 0x81; + *p++ = ASN1_OCTET_STRING; + p += encode_length(p, resplen + 1); + *p++ = 0x04; // UNCOMPRESSED POINT + memcpy(p, resp, resplen); + p += resplen; + *length = p - (uint8_t *) value; + } else if (yh_is_ed(object->algorithm)) { + uint8_t resp[2048]; + size_t resplen = sizeof(resp); + + yh_rc yrc = + yh_util_get_public_key(session->slot->device_session, object->id, resp, &resplen, NULL); + if (yrc != YHR_SUCCESS) { + return yrc_to_rv(yrc); } - *p++ = resplen + 1; - *p++ = 0x04; + + uint8_t *p = value; + *p++ = ASN1_OCTET_STRING; + p += encode_length(p, resplen); memcpy(p, resp, resplen); p += resplen; *length = p - (uint8_t *) value; @@ -2059,13 +2194,10 @@ static CK_RV get_attribute_public_key(CK_ATTRIBUTE_TYPE type, break; case CKA_VALUE: { - EVP_PKEY *pkey = EVP_PKEY_new(); - if (pkey == NULL) { - return CKR_HOST_MEMORY; - } + EVP_PKEY *pkey = NULL; CK_RV rv = - load_public_key(session->slot->device_session, object->id, pkey); + load_public_key(session->slot->device_session, object->id, &pkey); if (rv != CKR_OK) { EVP_PKEY_free(pkey); return rv; @@ -2194,9 +2326,10 @@ CK_RV check_sign_mechanism(yubihsm_pkcs11_slot *slot, CK_MECHANISM_TYPE mechanisms[128] = {0}; CK_ULONG count = 128; - if (is_RSA_sign_mechanism(pMechanism->mechanism) == false && - is_ECDSA_sign_mechanism(pMechanism->mechanism) == false && - is_HMAC_sign_mechanism(pMechanism->mechanism) == false) { + if (!is_RSA_sign_mechanism(pMechanism->mechanism) && + !is_ECDSA_sign_mechanism(pMechanism->mechanism) && + !is_EDDSA_sign_mechanism(pMechanism->mechanism) && + !is_HMAC_sign_mechanism(pMechanism->mechanism)) { return CKR_MECHANISM_INVALID; } @@ -2296,6 +2429,7 @@ CK_RV apply_sign_mechanism_init(yubihsm_pkcs11_op_info *op_info) { case CKM_SHA256_HMAC: case CKM_SHA384_HMAC: case CKM_SHA512_HMAC: + case CKM_EDDSA: // NOTE(adma): no hash required for these mechanisms op_info->op.sign.md_ctx = NULL; return CKR_OK; @@ -2361,6 +2495,7 @@ CK_RV apply_verify_mechanism_init(yubihsm_pkcs11_op_info *op_info) { case CKM_SHA256_HMAC: case CKM_SHA384_HMAC: case CKM_SHA512_HMAC: + case CKM_EDDSA: // NOTE(adma): no hash required for these mechanisms return CKR_OK; @@ -2661,6 +2796,7 @@ CK_RV apply_sign_mechanism_update(yubihsm_pkcs11_op_info *op_info, case CKM_SHA256_HMAC: case CKM_SHA384_HMAC: case CKM_SHA512_HMAC: + case CKM_EDDSA: if (op_info->buffer_length + in_len > sizeof(op_info->buffer)) { return CKR_DATA_LEN_RANGE; } @@ -2706,6 +2842,7 @@ CK_RV apply_verify_mechanism_update(yubihsm_pkcs11_op_info *op_info, case CKM_RSA_PKCS: case CKM_RSA_PKCS_PSS: case CKM_ECDSA: + case CKM_EDDSA: // NOTE(adma): no hash required for these mechanisms if (op_info->buffer_length + in_len > sizeof(op_info->buffer)) { return CKR_DATA_LEN_RANGE; @@ -3053,7 +3190,8 @@ CK_RV apply_verify_mechanism_finalize(yubihsm_pkcs11_op_info *op_info, } } else if (is_RSA_sign_mechanism(op_info->mechanism.mechanism)) { siglen = (op_info->op.verify.key_len + 7) / 8; - } else if (is_ECDSA_sign_mechanism(op_info->mechanism.mechanism)) { + } else if (is_ECDSA_sign_mechanism(op_info->mechanism.mechanism) || + is_EDDSA_sign_mechanism(op_info->mechanism.mechanism)) { siglen = ((op_info->op.verify.key_len + 7) / 8) * 2; } else { return CKR_MECHANISM_INVALID; @@ -3229,20 +3367,33 @@ CK_RV perform_verify(yh_session *session, yubihsm_pkcs11_op_info *op_info, uint8_t *md = md_data; unsigned int md_len = sizeof(md_data); EVP_PKEY_CTX *ctx = NULL; -#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) - EVP_MD *evp_md = NULL; - EVP_MD *evp_mgf1md = NULL; -#endif - if (key == NULL) { - rv = CKR_HOST_MEMORY; + rv = load_public_key(session, op_info->op.verify.key_id, &key); + if (rv != CKR_OK) { goto pv_failure; } - rv = load_public_key(session, op_info->op.verify.key_id, key); - if (rv != CKR_OK) { - goto pv_failure; +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) + if (EVP_PKEY_base_id(key) == EVP_PKEY_ED25519) { + EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); + int rc = EVP_DigestVerifyInit(md_ctx, NULL, NULL, NULL, key); + if (rc <= 0) { + EVP_MD_CTX_free(md_ctx); + return CKR_FUNCTION_FAILED; + } + rc = EVP_DigestVerify(md_ctx, signature, signature_len, op_info->buffer, + op_info->buffer_length); + EVP_MD_CTX_free(md_ctx); + EVP_PKEY_free(key); + if (rc == 1) { + return CKR_OK; + } else if (rc == 0) { + return CKR_SIGNATURE_INVALID; + } else { + return CKR_FUNCTION_FAILED; + } } +#endif ctx = EVP_PKEY_CTX_new(key, NULL); if (ctx == NULL) { @@ -3254,7 +3405,6 @@ CK_RV perform_verify(yh_session *session, yubihsm_pkcs11_op_info *op_info, goto pv_failure; } - int res; unsigned char data[2048] = {0}; if (is_hashed_mechanism(op_info->mechanism.mechanism)) { if (EVP_DigestFinal_ex(op_info->op.verify.md_ctx, md, &md_len) <= 0) { @@ -3272,6 +3422,7 @@ CK_RV perform_verify(yh_session *session, yubihsm_pkcs11_op_info *op_info, rv = CKR_DATA_INVALID; goto pv_failure; } + md = op_info->buffer + di_len; md_len = op_info->buffer_length - di_len; } @@ -3294,15 +3445,12 @@ CK_RV perform_verify(yh_session *session, yubihsm_pkcs11_op_info *op_info, rv = CKR_FUNCTION_FAILED; goto pv_failure; } -#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) - evp_md = EVP_MD_meth_dup(op_info->op.verify.md); - if (EVP_PKEY_CTX_set_signature_md(ctx, evp_md) <= 0) { -#else + if (EVP_PKEY_CTX_set_signature_md(ctx, op_info->op.verify.md) <= 0) { -#endif rv = CKR_FUNCTION_FAILED; goto pv_failure; } + if (op_info->op.verify.padding) { if (EVP_PKEY_CTX_set_rsa_padding(ctx, op_info->op.verify.padding) <= 0) { rv = CKR_FUNCTION_FAILED; @@ -3314,17 +3462,13 @@ CK_RV perform_verify(yh_session *session, yubihsm_pkcs11_op_info *op_info, rv = CKR_FUNCTION_FAILED; goto pv_failure; } -#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) - evp_mgf1md = EVP_MD_meth_dup(op_info->op.verify.mgf1md); - if (EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, evp_mgf1md) <= 0) { -#else if (EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, op_info->op.verify.mgf1md) <= 0) { -#endif rv = CKR_FUNCTION_FAILED; goto pv_failure; } } } + if (is_ECDSA_sign_mechanism(op_info->mechanism.mechanism)) { memcpy(data, signature, signature_len); signature = data; @@ -3334,7 +3478,8 @@ CK_RV perform_verify(yh_session *session, yubihsm_pkcs11_op_info *op_info, goto pv_failure; } } - res = EVP_PKEY_verify(ctx, signature, signature_len, md, md_len); + + int res = EVP_PKEY_verify(ctx, signature, signature_len, md, md_len); if (res == 1) { rv = CKR_OK; @@ -3345,23 +3490,8 @@ CK_RV perform_verify(yh_session *session, yubihsm_pkcs11_op_info *op_info, } pv_failure: -#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) - if (evp_md != NULL) { - EVP_MD_meth_free(evp_md); - } - if (evp_mgf1md != NULL) { - EVP_MD_meth_free(evp_mgf1md); - } -#endif - if (ctx != NULL) { - EVP_PKEY_CTX_free(ctx); - ctx = NULL; - } - - if (key != NULL) { - EVP_PKEY_free(key); - key = NULL; - } + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(key); return rv; } @@ -3421,13 +3551,23 @@ CK_RV perform_signature(yh_session *session, yubihsm_pkcs11_op_info *op_info, op_info->buffer, op_info->buffer_length, op_info->buffer, &outlen); } + } else if (is_EDDSA_sign_mechanism(op_info->mechanism.mechanism)) { + yrc = yh_util_sign_eddsa(session, op_info->op.sign.key_id, op_info->buffer, + op_info->buffer_length, op_info->buffer, &outlen); } else if (is_ECDSA_sign_mechanism(op_info->mechanism.mechanism)) { yrc = yh_util_sign_ecdsa(session, op_info->op.sign.key_id, op_info->buffer, op_info->buffer_length, op_info->buffer, &outlen); + if (yrc == YHR_SUCCESS) { + // NOTE(adma): ECDSA, we must remove the DER encoding and only + // return R,S as required by the specs + if (strip_DER_encoding_from_ECSIG(op_info->buffer, &outlen, + op_info->op.sign.sig_len) == false) { + return CKR_FUNCTION_FAILED; + } + } } else if (is_HMAC_sign_mechanism(op_info->mechanism.mechanism)) { yrc = yh_util_sign_hmac(session, op_info->op.sign.key_id, op_info->buffer, op_info->buffer_length, op_info->buffer, &outlen); - } else { DBG_ERR("Mechanism %lu not supported", op_info->mechanism.mechanism); return CKR_MECHANISM_INVALID; @@ -3437,15 +3577,6 @@ CK_RV perform_signature(yh_session *session, yubihsm_pkcs11_op_info *op_info, return yrc_to_rv(yrc); } - if (is_ECDSA_sign_mechanism(op_info->mechanism.mechanism)) { - // NOTE(adma): ECDSA, we must remove the DER encoding and only - // return R,S as required by the specs - if (strip_DER_encoding_from_ECSIG(op_info->buffer, &outlen, - op_info->op.sign.sig_len) == false) { - return CKR_FUNCTION_FAILED; - } - } - if (outlen > *signature_len) { return CKR_BUFFER_TOO_SMALL; } @@ -3492,15 +3623,10 @@ CK_RV perform_rsa_encrypt(yh_session *session, yubihsm_pkcs11_op_info *op_info, return CKR_ARGUMENTS_BAD; } - EVP_PKEY *public_key = EVP_PKEY_new(); - if (public_key == NULL) { - DBG_ERR("Failed to create EVP_PKEY object for public key"); - return CKR_HOST_MEMORY; - } - + EVP_PKEY *public_key = NULL; EVP_PKEY_CTX *ctx = NULL; - CK_RV rv = load_public_key(session, op_info->op.encrypt.key_id, public_key); + CK_RV rv = load_public_key(session, op_info->op.encrypt.key_id, &public_key); if (rv != CKR_OK) { DBG_ERR("Failed to load public key"); goto rsa_enc_cleanup; @@ -3741,6 +3867,19 @@ bool is_ECDSA_sign_mechanism(CK_MECHANISM_TYPE m) { return false; } +bool is_EDDSA_sign_mechanism(CK_MECHANISM_TYPE m) { + + switch (m) { + case CKM_EDDSA: + return true; + + default: + break; + } + + return false; +} + bool is_PSS_sign_mechanism(CK_MECHANISM_TYPE m) { switch (m) { @@ -4210,6 +4349,17 @@ static CK_RV parse_ecparams(const uint8_t *ecparams, uint16_t ecparams_len, return CKR_OK; } +static CK_RV parse_edparams(uint8_t *ecparams, uint16_t ecparams_len, + yh_algorithm *algorithm, uint16_t *key_len) { + if (ecparams_len != sizeof(oid_ed25519) || + memcmp(ecparams, oid_ed25519, sizeof(oid_ed25519))) { + return CKR_CURVE_NOT_SUPPORTED; + } + *algorithm = YH_ALGO_EC_ED25519; + *key_len = 32; + return CKR_OK; +} + CK_RV parse_ec_template(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, yubihsm_pkcs11_object_template *template) { @@ -4314,6 +4464,77 @@ CK_RV parse_ec_template(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, return CKR_OK; } +CK_RV parse_ed_template(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, + yubihsm_pkcs11_object_template *template) { + + uint8_t *ecparams = NULL; + uint16_t ecparams_len = 0; + CK_RV rv; + for (CK_ULONG i = 0; i < ulCount; i++) { + switch (pTemplate[i].type) { + + case CKA_VALUE: + if (template->obj.buf == NULL) { + template->obj.buf = (CK_BYTE_PTR) pTemplate[i].pValue; + template->objlen = pTemplate[i].ulValueLen; + } else { + return CKR_TEMPLATE_INCONSISTENT; + } + break; + + case CKA_EC_PARAMS: + if (ecparams == NULL) { + ecparams = (CK_BYTE_PTR) pTemplate[i].pValue; + ecparams_len = pTemplate[i].ulValueLen; + } else { + return CKR_TEMPLATE_INCONSISTENT; + } + break; + + case CKA_SIGN: + if ((rv = set_template_attribute(&template->sign, + pTemplate[i].pValue)) != CKR_OK) { + return rv; + } + break; + + case CKA_TOKEN: + case CKA_PRIVATE: + case CKA_SENSITIVE: + if ((rv = check_bool_attribute(pTemplate[i].pValue, true)) != CKR_OK) { + return rv; + } + break; + + case CKA_CLASS: + case CKA_KEY_TYPE: + case CKA_SUBJECT: + case CKA_ID: + case CKA_LABEL: + case CKA_EXTRACTABLE: + case CKA_DERIVE: + break; + + default: + return CKR_ATTRIBUTE_TYPE_INVALID; + } + } + if (ecparams && template->obj.buf) { + uint16_t key_len; + rv = parse_edparams(ecparams, ecparams_len, &template->algorithm, &key_len); + if (rv != CKR_OK) { + return rv; + } + if (key_len != template->objlen) { + return CKR_ATTRIBUTE_VALUE_INVALID; + } + } else { + return CKR_TEMPLATE_INCONSISTENT; + } + + return CKR_OK; +} + CK_RV parse_hmac_template(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, yubihsm_pkcs11_object_template *template, bool generate) { @@ -4946,6 +5167,214 @@ CK_RV parse_ec_generate_template(CK_ATTRIBUTE_PTR pPublicKeyTemplate, return CKR_OK; } +CK_RV parse_ed_generate_template(CK_ATTRIBUTE_PTR pPublicKeyTemplate, + CK_ULONG ulPublicKeyAttributeCount, + CK_ATTRIBUTE_PTR pPrivateKeyTemplate, + CK_ULONG ulPrivateKeyAttributeCount, + yubihsm_pkcs11_object_template *template, + pkcs11_meta_object *pkcs11meta) { + + uint8_t *ecparams = NULL; + uint16_t ecparams_len = 0; + CK_RV rv; + + memset(template->label, 0, sizeof(template->label)); + for (CK_ULONG i = 0; i < ulPublicKeyAttributeCount; i++) { + switch (pPublicKeyTemplate[i].type) { + case CKA_CLASS: + if (*((CK_ULONG_PTR) pPublicKeyTemplate[i].pValue) != CKO_PUBLIC_KEY) { + DBG_ERR("CKA_CLASS inconsistent in PublicKeyTemplate"); + return CKR_TEMPLATE_INCONSISTENT; + } + break; + + case CKA_KEY_TYPE: + if (*((CK_ULONG_PTR) pPublicKeyTemplate[i].pValue) != CKK_EC_EDWARDS) { + DBG_ERR("CKA_KEY_TYPE inconsistent in PublicKeyTemplate"); + return CKR_TEMPLATE_INCONSISTENT; + } + break; + + case CKA_ID: + rv = parse_meta_id_template(template, pkcs11meta, true, + pPublicKeyTemplate[i].pValue, + pPublicKeyTemplate[i].ulValueLen); + if (rv != CKR_OK) { + return rv; + } + break; + + case CKA_EC_PARAMS: + if (ecparams == NULL) { + ecparams = (CK_BYTE_PTR) pPublicKeyTemplate[i].pValue; + ecparams_len = pPublicKeyTemplate[i].ulValueLen; + } else { + DBG_ERR("CKA_PUBLIC_EXPONENT inconsistent in PublicKeyTemplate"); + return CKR_TEMPLATE_INCONSISTENT; + } + break; + + case CKA_LABEL: + rv = parse_meta_label_template(template, pkcs11meta, true, + pPublicKeyTemplate[i].pValue, + pPublicKeyTemplate[i].ulValueLen); + if (rv != CKR_OK) { + return rv; + } + break; + + case CKA_TOKEN: + case CKA_EXTRACTABLE: + case CKA_DESTROYABLE: + case CKA_VERIFY: + if ((rv = check_bool_attribute(pPublicKeyTemplate[i].pValue, true)) != + CKR_OK) { + DBG_ERR("Boolean truth check failed for attribute 0x%lx", + pPublicKeyTemplate[i].type); + return rv; + } + break; + + case CKA_SENSITIVE: + case CKA_PRIVATE: + case CKA_COPYABLE: + case CKA_MODIFIABLE: + case CKA_ENCRYPT: + case CKA_DECRYPT: + case CKA_SIGN: + case CKA_SIGN_RECOVER: + case CKA_WRAP: + case CKA_WRAP_WITH_TRUSTED: + case CKA_UNWRAP: + case CKA_DERIVE: + case CKA_VERIFY_RECOVER: + if ((rv = check_bool_attribute(pPublicKeyTemplate[i].pValue, false)) != + CKR_OK) { + DBG_ERR("Boolean false check failed for attribute 0x%lx", + pPublicKeyTemplate[i].type); + return rv; + } + break; + + case CKA_SUBJECT: + break; + + default: + DBG_ERR("invalid attribute type in PublicKeyTemplate: 0x%lx\n", + pPublicKeyTemplate[i].type); + return CKR_ATTRIBUTE_TYPE_INVALID; + } + } + + for (CK_ULONG i = 0; i < ulPrivateKeyAttributeCount; i++) { + switch (pPrivateKeyTemplate[i].type) { + case CKA_CLASS: + if (*((CK_ULONG_PTR) pPrivateKeyTemplate[i].pValue) != + CKO_PRIVATE_KEY) { + DBG_ERR("CKA_CLASS inconsistent in PrivateKeyTemplate"); + return CKR_TEMPLATE_INCONSISTENT; + } + break; + + case CKA_KEY_TYPE: + if (*((CK_ULONG_PTR) pPrivateKeyTemplate[i].pValue) != CKK_EC_EDWARDS) { + DBG_ERR("CKA_KEY_TYPE inconsistent in PrivateKeyTemplate"); + return CKR_TEMPLATE_INCONSISTENT; + } + break; + + case CKA_ID: { + rv = parse_meta_id_template(template, pkcs11meta, false, + pPrivateKeyTemplate[i].pValue, + pPrivateKeyTemplate[i].ulValueLen); + if (rv != CKR_OK) { + return rv; + } + } break; + + case CKA_SIGN: + if ((rv = set_template_attribute(&template->sign, + pPrivateKeyTemplate[i].pValue)) != + CKR_OK) { + DBG_ERR("CKA_SIGN inconsistent in PrivateKeyTemplate"); + return rv; + } + break; + + case CKA_EXTRACTABLE: + if ((rv = set_template_attribute(&template->exportable, + pPrivateKeyTemplate[i].pValue)) != + CKR_OK) { + DBG_ERR("CKA_EXTRACTABLE inconsistent in PrivateKeyTemplate"); + return rv; + } + break; + + case CKA_LABEL: + rv = parse_meta_label_template(template, pkcs11meta, false, + pPrivateKeyTemplate[i].pValue, + pPrivateKeyTemplate[i].ulValueLen); + if (rv != CKR_OK) { + return rv; + } + break; + + case CKA_TOKEN: + case CKA_SENSITIVE: + case CKA_PRIVATE: + case CKA_DESTROYABLE: + if ((rv = check_bool_attribute(pPrivateKeyTemplate[i].pValue, true)) != + CKR_OK) { + DBG_ERR("Boolean truth check failed for attribute 0x%lx", + pPrivateKeyTemplate[i].type); + return rv; + } + break; + + case CKA_COPYABLE: + case CKA_MODIFIABLE: + case CKA_ENCRYPT: + case CKA_DECRYPT: + case CKA_SIGN_RECOVER: + case CKA_VERIFY: + case CKA_VERIFY_RECOVER: + case CKA_WRAP: + case CKA_WRAP_WITH_TRUSTED: + case CKA_UNWRAP: + case CKA_DERIVE: + if ((rv = check_bool_attribute(pPrivateKeyTemplate[i].pValue, false)) != + CKR_OK) { + DBG_ERR("Boolean false check failed for attribute 0x%lx", + pPrivateKeyTemplate[i].type); + return rv; + } + break; + + case CKA_SUBJECT: + break; + + default: + DBG_ERR("invalid attribute type in PrivateKeyTemplate: 0x%lx\n", + pPrivateKeyTemplate[i].type); + return CKR_ATTRIBUTE_TYPE_INVALID; + } + } + + if (ecparams == NULL) { + DBG_ERR("CKA_ECPARAMS not set"); + return CKR_TEMPLATE_INCOMPLETE; + } + + uint16_t key_len; + rv = parse_edparams(ecparams, ecparams_len, &template->algorithm, &key_len); + if (rv != CKR_OK) { + DBG_ERR("Failed to parse CKA_ECPARAMS"); + return rv; + } + + return CKR_OK; +} + CK_RV parse_wrap_template(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, yubihsm_pkcs11_object_template *template, yh_algorithm algorithm, bool generate) { @@ -5330,19 +5759,19 @@ CK_RV ecdh_with_kdf(ecdh_session_key *shared_secret, uint8_t *fixed_info, DBG_INFO("KDF is CKD_NULL"); // Do nothing break; - case CKD_YUBICO_SHA1_KDF_SP800: + case CKD_SHA1_KDF_SP800: DBG_INFO("KDF is CKD_SHA1_KDF_SP800"); hash_create(&hash, _SHA1); break; - case CKD_YUBICO_SHA256_KDF_SP800: + case CKD_SHA256_KDF_SP800: DBG_INFO("KDF is CKD_SHA256_KDF_SP800"); hash_create(&hash, _SHA256); break; - case CKD_YUBICO_SHA384_KDF_SP800: + case CKD_SHA384_KDF_SP800: DBG_INFO("KDF is CKD_SHA384_KDF_SP800"); hash_create(&hash, _SHA384); break; - case CKD_YUBICO_SHA512_KDF_SP800: + case CKD_SHA512_KDF_SP800: DBG_INFO("KDF is CKD_SHA512_KDF_SP800"); hash_create(&hash, _SHA512); break; diff --git a/pkcs11/util_pkcs11.h b/pkcs11/util_pkcs11.h index bf3f977e5..8deb3fb2c 100644 --- a/pkcs11/util_pkcs11.h +++ b/pkcs11/util_pkcs11.h @@ -105,6 +105,7 @@ bool is_RSA_decrypt_mechanism(CK_MECHANISM_TYPE m); bool is_hashed_mechanism(CK_MECHANISM_TYPE m); bool is_PKCS1v1_5_sign_mechanism(CK_MECHANISM_TYPE m); bool is_ECDSA_sign_mechanism(CK_MECHANISM_TYPE m); +bool is_EDDSA_sign_mechanism(CK_MECHANISM_TYPE m); bool is_PSS_sign_mechanism(CK_MECHANISM_TYPE m); bool is_HMAC_sign_mechanism(CK_MECHANISM_TYPE m); @@ -128,6 +129,8 @@ CK_RV parse_rsa_template(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, yubihsm_pkcs11_object_template *template); CK_RV parse_ec_template(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, yubihsm_pkcs11_object_template *template); +CK_RV parse_ed_template(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, + yubihsm_pkcs11_object_template *template); CK_RV parse_hmac_template(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, yubihsm_pkcs11_object_template *template, bool generate); @@ -152,6 +155,13 @@ CK_RV parse_ec_generate_template(CK_ATTRIBUTE_PTR pPublicKeyTemplate, yubihsm_pkcs11_object_template *template, pkcs11_meta_object *pkcs11meta); +CK_RV parse_ed_generate_template(CK_ATTRIBUTE_PTR pPublicKeyTemplate, + CK_ULONG ulPublicKeyAttributeCount, + CK_ATTRIBUTE_PTR pPrivateKeyTemplate, + CK_ULONG ulPrivateKeyAttributeCount, + yubihsm_pkcs11_object_template *template, + pkcs11_meta_object *pkcs11meta); + uint16_t parse_id_value(void *value, CK_ULONG len); CK_RV populate_template(int type, void *object, CK_ATTRIBUTE_PTR pTemplate, diff --git a/pkcs11/yubihsm_pkcs11.c b/pkcs11/yubihsm_pkcs11.c index d195cfe34..ec1ca87a5 100644 --- a/pkcs11/yubihsm_pkcs11.c +++ b/pkcs11/yubihsm_pkcs11.c @@ -45,8 +45,8 @@ #define YUBIHSM_PKCS11_MANUFACTURER "Yubico (www.yubico.com)" #define YUBIHSM_PKCS11_LIBDESC "YubiHSM PKCS#11 Library" -#define YUBIHSM_PKCS11_MIN_PIN_LEN 12 // key_id (4) + password (8) -#define YUBIHSM_PKCS11_MAX_PIN_LEN 68 // key_id (4) + password (64) +#define YUBIHSM_PKCS11_MIN_PIN_LEN 8 +#define YUBIHSM_PKCS11_MAX_PIN_LEN 64 #define UNUSED(x) (void) (x) // TODO(adma): also in yubihsm-shell.h @@ -72,7 +72,12 @@ } \ } while (0) -extern CK_FUNCTION_LIST function_list; +static const CK_FUNCTION_LIST function_list; +static const CK_FUNCTION_LIST_3_0 function_list_3; + +static const CK_INTERFACE interfaces_list[] = + {{(CK_CHAR_PTR) "PKCS 11", (CK_VOID_PTR) &function_list_3, 0}, + {(CK_CHAR_PTR) "PKCS 11", (CK_VOID_PTR) &function_list, 0}}; static bool g_yh_initialized = false; @@ -207,7 +212,7 @@ CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) { char *new_args = realloc(args_parsed, len + strlen(part) + 4); if (new_args) { args_parsed = new_args; - sprintf(args_parsed + len, "--%s ", part); + snprintf(args_parsed + len, strlen(part) + 4, "--%s ", part); } else { DBG_ERR("Failed allocating memory for args"); rv = CKR_HOST_MEMORY; @@ -435,9 +440,7 @@ CK_DEFINE_FUNCTION(CK_RV, C_Finalize)(CK_VOID_PTR pReserved) { return CKR_OK; } -CK_DEFINE_FUNCTION(CK_RV, C_GetInfo)(CK_INFO_PTR pInfo) { - - DIN; +static CK_RV C_GetInfo_Ex(CK_INFO_PTR pInfo, CK_VERSION cryptokiVersion) { if (g_yh_initialized == false) { DBG_ERR("libyubihsm is not initialized or already finalized"); @@ -447,9 +450,7 @@ CK_DEFINE_FUNCTION(CK_RV, C_GetInfo)(CK_INFO_PTR pInfo) { return CKR_ARGUMENTS_BAD; } - CK_VERSION ver = {VERSION_MAJOR, (VERSION_MINOR * 10) + VERSION_PATCH}; - - pInfo->cryptokiVersion = function_list.version; + pInfo->cryptokiVersion = cryptokiVersion; memset(pInfo->manufacturerID, ' ', sizeof(pInfo->manufacturerID)); memcpy((char *) pInfo->manufacturerID, YUBIHSM_PKCS11_MANUFACTURER, @@ -461,12 +462,34 @@ CK_DEFINE_FUNCTION(CK_RV, C_GetInfo)(CK_INFO_PTR pInfo) { memcpy((char *) pInfo->libraryDescription, YUBIHSM_PKCS11_LIBDESC, strlen(YUBIHSM_PKCS11_LIBDESC)); - pInfo->libraryVersion = ver; + CK_VERSION libraryVersion = {VERSION_MAJOR, (VERSION_MINOR * 10) + VERSION_PATCH}; + + pInfo->libraryVersion = libraryVersion; - DOUT; return CKR_OK; } + +CK_DEFINE_FUNCTION(CK_RV, C_GetInfo)(CK_INFO_PTR pInfo) { + + DIN; + + CK_RV rv = C_GetInfo_Ex(pInfo, function_list.version); + + DOUT; + return rv; +} + +static CK_RV C_GetInfo_3_0(CK_INFO_PTR pInfo) { + + DIN; + + CK_RV rv = C_GetInfo_Ex(pInfo, function_list_3.version); + + DOUT; + return rv; +} + CK_DEFINE_FUNCTION(CK_RV, C_GetFunctionList) (CK_FUNCTION_LIST_PTR_PTR ppFunctionList) { yh_dbg_init(false, false, 0, "stderr"); @@ -478,7 +501,7 @@ CK_DEFINE_FUNCTION(CK_RV, C_GetFunctionList) return CKR_ARGUMENTS_BAD; } - *ppFunctionList = &function_list; + *ppFunctionList = (CK_FUNCTION_LIST_PTR) &function_list; DOUT; return CKR_OK; @@ -684,7 +707,7 @@ CK_DEFINE_FUNCTION(CK_RV, C_GetTokenInfo) memcpy((char *) pInfo->model, s, l); memset(pInfo->serialNumber, ' ', sizeof(pInfo->serialNumber)); - l = sprintf((char *) pInfo->serialNumber, "%08u", serial); + l = snprintf((char *) pInfo->serialNumber, sizeof(pInfo->serialNumber), "%08u", serial); pInfo->serialNumber[l] = ' '; pInfo->flags = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | @@ -1136,143 +1159,22 @@ CK_DEFINE_FUNCTION(CK_RV, C_Login) DIN; - if (g_yh_initialized == false) { - DBG_ERR("libyubihsm is not initialized or already finalized"); - return CKR_CRYPTOKI_NOT_INITIALIZED; - } - - if (userType != CKU_USER) { - DBG_ERR("Invalid user type, only regular user allowed"); - return CKR_USER_TYPE_INVALID; - } - - CK_UTF8CHAR prefix = *pPin; - if (prefix == '@') { - pPin++; - ulPinLen--; - } - - if (ulPinLen < YUBIHSM_PKCS11_MIN_PIN_LEN || - ulPinLen > YUBIHSM_PKCS11_MAX_PIN_LEN) { - DBG_ERR("Wrong PIN length, must be [%d, %d] got %lu", - YUBIHSM_PKCS11_MIN_PIN_LEN, YUBIHSM_PKCS11_MAX_PIN_LEN, ulPinLen); + if (pPin == NULL) { + DBG_ERR("Wrong/Missing parameter"); return CKR_ARGUMENTS_BAD; } - uint16_t key_id = 0; - size_t key_id_len = sizeof(key_id); - char tmpPin[5] = {0}; - memcpy(tmpPin, pPin, 4); - - if (hex_decode((const char *) tmpPin, (uint8_t *) &key_id, &key_id_len) == - false || - key_id_len != sizeof(key_id)) { - DBG_ERR( - "PIN contains invalid characters, first four digits must be [0-9A-Fa-f]"); - return CKR_PIN_INCORRECT; - } - - key_id = ntohs(key_id); - - pPin += 4; - ulPinLen -= 4; - - yubihsm_pkcs11_session *session = 0; - CK_RV rv = get_session(&g_ctx, hSession, &session, SESSION_NOT_AUTHENTICATED); - if (rv != CKR_OK) { - DBG_ERR("Invalid session ID: %lu", hSession); - return rv; - } - - yh_rc yrc = YHR_SUCCESS; - - if (prefix == '@') { // Asymmetric authentication - - uint8_t sk_oce[YH_EC_P256_PRIVKEY_LEN] = {0}, - pk_oce[YH_EC_P256_PUBKEY_LEN] = {0}, - pk_sd[YH_EC_P256_PUBKEY_LEN] = {0}; - size_t pk_sd_len = sizeof(pk_sd); - yrc = yh_util_derive_ec_p256_key(pPin, ulPinLen, sk_oce, sizeof(sk_oce), - pk_oce, sizeof(pk_oce)); - if (yrc != YHR_SUCCESS) { - DBG_ERR("Failed to derive asymmetric key: %s", yh_strerror(yrc)); - rv = yrc_to_rv(yrc); - goto c_l_out; - } - - yrc = yh_util_get_device_pubkey(session->slot->connector, pk_sd, &pk_sd_len, - NULL); - if (yrc != YHR_SUCCESS) { - DBG_ERR("Failed to get device public key: %s", yh_strerror(yrc)); - rv = yrc_to_rv(yrc); - goto c_l_out; - } - - if (pk_sd_len != YH_EC_P256_PUBKEY_LEN) { - DBG_ERR("Invalid device public key"); - rv = CKR_DATA_LEN_RANGE; - goto c_l_out; - } - - int hits = 0; - for (ListItem *item = g_ctx.device_pubkeys.head; item != NULL; - item = item->next) { - if (!memcmp(item->data, pk_sd, YH_EC_P256_PUBKEY_LEN)) { - hits++; - } - } - - if (g_ctx.device_pubkeys.length > 0 && hits == 0) { - DBG_ERR("Failed to validate device public key"); - rv = CKR_FUNCTION_REJECTED; - goto c_l_out; - } + CK_ULONG ulUsernameLen = *pPin == '@' ? 5 : 4; - yrc = yh_create_session_asym(session->slot->connector, key_id, sk_oce, - sizeof(sk_oce), pk_sd, pk_sd_len, - &session->slot->device_session); - if (yrc != YHR_SUCCESS) { - DBG_ERR("Failed to create asymmetric session: %s", yh_strerror(yrc)); - if (yrc == YHR_SESSION_AUTHENTICATION_FAILED) { - rv = CKR_PIN_INCORRECT; - } else { - rv = yrc_to_rv(yrc); - } - goto c_l_out; - } - } else { // Symmetric authentication - yrc = - yh_create_session_derived(session->slot->connector, key_id, pPin, - ulPinLen, true, &session->slot->device_session); - if (yrc != YHR_SUCCESS) { - DBG_ERR("Failed to create session: %s", yh_strerror(yrc)); - if (yrc == YHR_CRYPTOGRAM_MISMATCH || - yrc == YHR_DEVICE_AUTHENTICATION_FAILED) { - rv = CKR_PIN_INCORRECT; - } else { - rv = yrc_to_rv(yrc); - } - goto c_l_out; - } + if (ulUsernameLen > ulPinLen) { + ulUsernameLen = ulPinLen; } - list_iterate(&session->slot->pkcs11_sessions, login_sessions); - populate_cache_with_data_opaques(session->slot); - - yubihsm_pkcs11_object_desc *authkey_desc = - _get_object_desc(session->slot, key_id, YH_AUTHENTICATION_KEY, 0xffff); - if (authkey_desc == NULL) { - DBG_ERR("Failed to read authentication key info."); - goto c_l_out; - } - session->slot->authkey_domains = authkey_desc->object.domains; + CK_RV rv = C_LoginUser(hSession, userType, pPin + ulUsernameLen, + ulPinLen - ulUsernameLen, pPin, ulUsernameLen); DOUT; -c_l_out: - - release_session(&g_ctx, session); - return rv; } @@ -1467,7 +1369,7 @@ CK_DEFINE_FUNCTION(CK_RV, C_CreateObject) template.label, 0xffff, &capabilities, template.algorithm, p, q); if (rc != YHR_SUCCESS) { - DBG_ERR("Failed writing RSA key to device: %s", yh_strerror(rc)); + DBG_ERR("Failed importing RSA key to device: %s", yh_strerror(rc)); rv = yrc_to_rv(rc); goto c_co_out; } @@ -1505,7 +1407,33 @@ CK_DEFINE_FUNCTION(CK_RV, C_CreateObject) template.label, 0xffff, &capabilities, template.algorithm, d); if (rc != YHR_SUCCESS) { - DBG_ERR("Failed writing EC key to device: %s", yh_strerror(rc)); + DBG_ERR("Failed importing EC key to device: %s", yh_strerror(rc)); + rv = yrc_to_rv(rc); + goto c_co_out; + } + } else if (key_type.d == CKK_EC_EDWARDS) { + rv = parse_ed_template(pTemplate, ulCount, &template); + if (rv != CKR_OK) { + goto c_co_out; + } + + DBG_INFO("parsed ED key, algorithm: %d, objlen: %d", template.algorithm, + template.objlen); + + if (template.sign == ATTRIBUTE_TRUE) { + rc = yh_string_to_capabilities("sign-eddsa", &capabilities); + if (rc != YHR_SUCCESS) { + rv = yrc_to_rv(rc); + goto c_co_out; + } + } + + rc = yh_util_import_ed_key(session->slot->device_session, &template.id, + template.label, 0xffff, &capabilities, + template.algorithm, + template.obj.buf); + if(rc != YHR_SUCCESS) { + DBG_ERR("Failed importing ED key to device"); rv = yrc_to_rv(rc); goto c_co_out; } @@ -2379,24 +2307,30 @@ CK_DEFINE_FUNCTION(CK_RV, C_FindObjectsInit) uint8_t class_type = 0; switch (value) { case CKO_CERTIFICATE: - DBG_INFO("Filtering for certificate"); + DBG_INFO("filtering for certificates"); algorithm = YH_ALGO_OPAQUE_X509_CERTIFICATE; // TODO: handle other certs? + type = YH_OPAQUE; + break; + case CKO_DATA: class_type = YH_OPAQUE; break; case CKO_PUBLIC_KEY: + DBG_INFO("filtering for public keys"); pub = true; class_type = YH_ASYMMETRIC_KEY; break; case CKO_PRIVATE_KEY: + DBG_INFO("filtering for private keys"); session->operation.op.find.only_private = true; class_type = YH_ASYMMETRIC_KEY; break; case CKO_SECRET_KEY: + DBG_INFO("filtering for secret keys"); secret_key = true; break; @@ -4129,8 +4063,7 @@ CK_DEFINE_FUNCTION(CK_RV, C_SignInit) if (object->object.type == YH_ASYMMETRIC_KEY) { if (yh_is_rsa(object->object.algorithm)) { - if (is_RSA_sign_mechanism(session->operation.mechanism.mechanism) == - true) { + if (is_RSA_sign_mechanism(session->operation.mechanism.mechanism)) { DBG_INFO("RSA signature requested"); session->operation.op.sign.sig_len = (session->operation.op.sign.key_len + 7) / 8; @@ -4178,9 +4111,19 @@ CK_DEFINE_FUNCTION(CK_RV, C_SignInit) rv = CKR_MECHANISM_INVALID; goto c_si_out; } + } else if (yh_is_ed(object->object.algorithm)) { + if (is_EDDSA_sign_mechanism(session->operation.mechanism.mechanism)) { + DBG_INFO("EDDSA signature requested"); + session->operation.op.sign.sig_len = + ((session->operation.op.sign.key_len + 7) / 8) * 2; + } else { + DBG_ERR("Mechanism %lu not supported", + session->operation.mechanism.mechanism); + rv = CKR_MECHANISM_INVALID; + goto c_si_out; + } } else { - if (is_ECDSA_sign_mechanism(session->operation.mechanism.mechanism) == - true) { + if (is_ECDSA_sign_mechanism(session->operation.mechanism.mechanism)) { DBG_INFO("ECDSA signature requested"); session->operation.op.sign.sig_len = ((session->operation.op.sign.key_len + 7) / 8) * 2; @@ -4618,7 +4561,33 @@ CK_DEFINE_FUNCTION(CK_RV, C_VerifyInit) } else if (is_PKCS1v1_5_sign_mechanism( session->operation.mechanism.mechanism)) { session->operation.op.verify.padding = RSA_PKCS1_PADDING; + } else if (!is_RSA_sign_mechanism(session->operation.mechanism.mechanism)) { + DBG_ERR("Unsupported mechanism for RSA key"); + rv = CKR_KEY_TYPE_INCONSISTENT; + goto c_vi_out; } + } else if (yh_is_ec(object->object.algorithm)) { + if (!is_ECDSA_sign_mechanism(session->operation.mechanism.mechanism)) { + DBG_ERR("Unsupported mechanism for EC key"); + rv = CKR_KEY_TYPE_INCONSISTENT; + goto c_vi_out; + } + } else if (yh_is_ed(object->object.algorithm)) { + if (!is_EDDSA_sign_mechanism(session->operation.mechanism.mechanism)) { + DBG_ERR("Unsupported mechanism for ED key"); + rv = CKR_KEY_TYPE_INCONSISTENT; + goto c_vi_out; + } + } else if (yh_is_hmac(object->object.algorithm)) { + if (!is_HMAC_sign_mechanism(session->operation.mechanism.mechanism)) { + DBG_ERR("Unsupported mechanism for HMAC key"); + rv = CKR_KEY_TYPE_INCONSISTENT; + goto c_vi_out; + } + } else { + DBG_ERR("Unsupported key type"); + rv = CKR_KEY_TYPE_INCONSISTENT; + goto c_vi_out; } session->operation.type = OPERATION_VERIFY; @@ -4737,7 +4706,7 @@ CK_DEFINE_FUNCTION(CK_RV, C_VerifyUpdate) goto c_vu_out; } - DBG_ERR("Verification update with %lu bytes", ulPartLen); + DBG_INFO("Verification update with %lu bytes", ulPartLen); rv = apply_verify_mechanism_update(&session->operation, pPart, ulPartLen); if (rv != CKR_OK) { @@ -5251,6 +5220,12 @@ CK_DEFINE_FUNCTION(CK_RV, C_GenerateKeyPair) pPrivateKeyTemplate, ulPrivateKeyAttributeCount, &template, &meta_object); + } else if (pMechanism->mechanism == CKM_EC_EDWARDS_KEY_PAIR_GEN) { + rv = + parse_ed_generate_template(pPublicKeyTemplate, ulPublicKeyAttributeCount, + pPrivateKeyTemplate, + ulPrivateKeyAttributeCount, &template, + &meta_object); } else { DBG_ERR("Invalid mechanism for key generation: %lu", pMechanism->mechanism); rv = CKR_MECHANISM_INVALID; @@ -5302,6 +5277,25 @@ CK_DEFINE_FUNCTION(CK_RV, C_GenerateKeyPair) rv = yrc_to_rv(rc); goto c_gkp_out; } + } else if (yh_is_ed(template.algorithm)) { + + if (template.sign == ATTRIBUTE_TRUE) { + rc = yh_string_to_capabilities("sign-eddsa", &capabilities); + if (rc != YHR_SUCCESS) { + rv = yrc_to_rv(rc); + goto c_gkp_out; + } + } + + rc = yh_util_generate_ed_key(session->slot->device_session, &template.id, + template.label, 0xffff, &capabilities, + template.algorithm); + + if (rc != YHR_SUCCESS) { + DBG_ERR("Failed generating ED key on device"); + rv = yrc_to_rv(rc); + goto c_gkp_out; + } } else { if (template.sign == ATTRIBUTE_TRUE) { @@ -5823,11 +5817,669 @@ CK_DEFINE_FUNCTION(CK_RV, C_CancelFunction)(CK_SESSION_HANDLE hSession) { return CKR_FUNCTION_NOT_PARALLEL; } -CK_FUNCTION_LIST function_list = { - {CRYPTOKI_VERSION_MAJOR, CRYPTOKI_VERSION_MINOR}, - C_Initialize, - C_Finalize, - C_GetInfo, +/* C_GetInterfaceList returns all the interfaces supported by the module*/ +CK_DEFINE_FUNCTION(CK_RV, C_GetInterfaceList) +(CK_INTERFACE_PTR pInterfacesList, /* returned interfaces */ + CK_ULONG_PTR pulCount /* number of interfaces returned */ +) { + yh_dbg_init(false, false, 0, "stderr"); + DIN; + CK_RV rv = CKR_OK; + if (!pulCount) { + DBG_ERR("C_GetInterfaceList called with pulCount = NULL"); + rv = CKR_ARGUMENTS_BAD; + goto out; + } + if (pInterfacesList) { + if (*pulCount < sizeof(interfaces_list) / sizeof(interfaces_list[0])) { + DBG_ERR("C_GetInterfaceList called with *pulCount = %lu", *pulCount); + *pulCount = sizeof(interfaces_list) / sizeof(interfaces_list[0]); + rv = CKR_BUFFER_TOO_SMALL; + goto out; + } + memcpy(pInterfacesList, interfaces_list, sizeof(interfaces_list)); + } + *pulCount = sizeof(interfaces_list) / sizeof(interfaces_list[0]); +out: + DOUT; + return rv; +} + +/* C_GetInterface returns a specific interface from the module. */ +CK_DEFINE_FUNCTION(CK_RV, C_GetInterface) +(CK_UTF8CHAR_PTR pInterfaceName, /* name of the interface */ + CK_VERSION_PTR pVersion, /* version of the interface */ + CK_INTERFACE_PTR_PTR ppInterface, /* returned interface */ + CK_FLAGS flags /* flags controlling the semantics + * of the interface */ +) { + yh_dbg_init(false, false, 0, "stderr"); + DIN; + CK_RV rv = CKR_FUNCTION_FAILED; + if (!ppInterface) { + DBG_ERR("C_GetInterface called with ppInterface = NULL"); + rv = CKR_ARGUMENTS_BAD; + goto out; + } + size_t i; + for (i = 0; i < sizeof(interfaces_list) / sizeof(interfaces_list[0]); i++) { + CK_FUNCTION_LIST_PTR func_list = + (CK_FUNCTION_LIST_PTR) interfaces_list[i].pFunctionList; + if ((flags & interfaces_list[i].flags) != flags) { + DBG_INFO("C_GetInterface skipped interface %zu (%s %u.%u) because flags " + "was %lu", + i, interfaces_list[i].pInterfaceName, func_list->version.major, + func_list->version.minor, flags); + continue; + } + if (pVersion && (pVersion->major != func_list->version.major || + pVersion->minor != func_list->version.minor)) { + DBG_INFO("C_GetInterface skipped interface %zu (%s %u.%u) because " + "pVersion was %u.%u", + i, interfaces_list[i].pInterfaceName, func_list->version.major, + func_list->version.minor, pVersion->major, pVersion->minor); + continue; + } + if (pInterfaceName && strcmp((char *) pInterfaceName, + (char *) interfaces_list[i].pInterfaceName)) { + DBG_INFO("C_GetInterface skipped interface %zu (%s %u.%u) because " + "pInterfacename was %s", + i, interfaces_list[i].pInterfaceName, func_list->version.major, + func_list->version.minor, pInterfaceName); + continue; + } + DBG_INFO("C_GetInterface selected interface %zu (%s %u.%u)", i, + interfaces_list[i].pInterfaceName, func_list->version.major, + func_list->version.minor); + *ppInterface = (CK_INTERFACE_PTR) &interfaces_list[i]; + rv = CKR_OK; + break; + } +out: + DOUT; + return rv; +} + +CK_DEFINE_FUNCTION(CK_RV, C_LoginUser) +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_USER_TYPE userType, /* the user type */ + CK_UTF8CHAR_PTR pPin, /* the user's PIN */ + CK_ULONG ulPinLen, /* the length of the PIN */ + CK_UTF8CHAR_PTR pUsername, /* the user's name */ + CK_ULONG ulUsernameLen /*the length of the user's name */ +) { + DIN; + + if (g_yh_initialized == false) { + DBG_ERR("libyubihsm is not initialized or already finalized"); + return CKR_CRYPTOKI_NOT_INITIALIZED; + } + + if (userType != CKU_USER) { + DBG_ERR("Inalid user type, only regular user allowed"); + return CKR_USER_TYPE_INVALID; + } + + if (pPin == NULL) { + DBG_ERR("Invalid argument pPin"); + return CKR_ARGUMENTS_BAD; + } + + if (pUsername == NULL) { + DBG_ERR("Invalid argument pUsername"); + return CKR_ARGUMENTS_BAD; + } + + if (ulPinLen < YUBIHSM_PKCS11_MIN_PIN_LEN || + ulPinLen > YUBIHSM_PKCS11_MAX_PIN_LEN) { + DBG_ERR("Wrong PIN length, must be [%u, %u] got %lu", + YUBIHSM_PKCS11_MIN_PIN_LEN, YUBIHSM_PKCS11_MAX_PIN_LEN, ulPinLen); + return CKR_ARGUMENTS_BAD; + } + + CK_UTF8CHAR prefix = *pUsername; + if (prefix == '@') { + pUsername++; + ulUsernameLen--; + } + + if (ulUsernameLen != 4) { + DBG_ERR("Wrong username length, must be 4 got %lu", ulUsernameLen); + return CKR_ARGUMENTS_BAD; + } + + uint16_t key_id = 0; + size_t key_id_len = sizeof(key_id); + char tmpUser[5] = {0}; + memcpy(tmpUser, pUsername, 4); + + if (hex_decode((const char *) tmpUser, (uint8_t *) &key_id, &key_id_len) == + false || + key_id_len != sizeof(key_id)) { + DBG_ERR( + "PIN contains invalid characters, first four digits must be [0-9A-Fa-f]"); + return CKR_PIN_INCORRECT; + } + + key_id = ntohs(key_id); + + yubihsm_pkcs11_session *session = 0; + CK_RV rv = get_session(&g_ctx, hSession, &session, SESSION_NOT_AUTHENTICATED); + if (rv != CKR_OK) { + DBG_ERR("Invalid session ID: %lu", hSession); + return rv; + } + + yh_rc yrc = YHR_SUCCESS; + + if (prefix == '@') { // Asymmetric authentication + + uint8_t sk_oce[YH_EC_P256_PRIVKEY_LEN], pk_oce[YH_EC_P256_PUBKEY_LEN], + pk_sd[YH_EC_P256_PUBKEY_LEN]; + size_t pk_sd_len = sizeof(pk_sd); + yrc = yh_util_derive_ec_p256_key(pPin, ulPinLen, sk_oce, sizeof(sk_oce), + pk_oce, sizeof(pk_oce)); + if (yrc != YHR_SUCCESS) { + DBG_ERR("Failed to derive asymmetric key: %s", yh_strerror(yrc)); + rv = yrc_to_rv(yrc); + goto c_l_out; + } + + yrc = yh_util_get_device_pubkey(session->slot->connector, pk_sd, &pk_sd_len, + NULL); + if (yrc != YHR_SUCCESS) { + DBG_ERR("Failed to get device public key: %s", yh_strerror(yrc)); + rv = yrc_to_rv(yrc); + goto c_l_out; + } + + if (pk_sd_len != YH_EC_P256_PUBKEY_LEN) { + DBG_ERR("Invalid device public key"); + rv = CKR_DATA_LEN_RANGE; + goto c_l_out; + } + + int hits = 0; + + for (ListItem *item = g_ctx.device_pubkeys.head; item != NULL; + item = item->next) { + if (!memcmp(item->data, pk_sd, YH_EC_P256_PUBKEY_LEN)) { + hits++; + } + } + + if (g_ctx.device_pubkeys.length > 0 && hits == 0) { + DBG_ERR("Failed to validate device public key"); + rv = CKR_DATA_LEN_RANGE; + goto c_l_out; + } + + yrc = yh_create_session_asym(session->slot->connector, key_id, sk_oce, + sizeof(sk_oce), pk_sd, pk_sd_len, + &session->slot->device_session); + if (yrc != YHR_SUCCESS) { + DBG_ERR("Failed to create asymmetric session: %s", yh_strerror(yrc)); + if (yrc == YHR_SESSION_AUTHENTICATION_FAILED) { + rv = CKR_PIN_INCORRECT; + } else { + rv = yrc_to_rv(yrc); + } + goto c_l_out; + } + } else { // Symmetric authentication + yrc = + yh_create_session_derived(session->slot->connector, key_id, pPin, + ulPinLen, true, &session->slot->device_session); + if (yrc != YHR_SUCCESS) { + DBG_ERR("Failed to create session: %s", yh_strerror(yrc)); + if (yrc == YHR_CRYPTOGRAM_MISMATCH || + yrc == YHR_DEVICE_AUTHENTICATION_FAILED) { + rv = CKR_PIN_INCORRECT; + } else { + rv = yrc_to_rv(yrc); + } + goto c_l_out; + } + + yrc = yh_authenticate_session(session->slot->device_session); + if (yrc != YHR_SUCCESS) { + DBG_ERR("Failed to authenticate session: %s", yh_strerror(yrc)); + if (yrc == YHR_CRYPTOGRAM_MISMATCH) { + rv = CKR_PIN_INCORRECT; + } else { + rv = yrc_to_rv(yrc); + } + goto c_l_out; + } + } + + list_iterate(&session->slot->pkcs11_sessions, login_sessions); + + DOUT; + +c_l_out: + + release_session(&g_ctx, session); + + return rv; +} + +CK_DEFINE_FUNCTION(CK_RV, C_SessionCancel) +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_FLAGS flags /* flags control which sessions are cancelled */ +) { + DIN; + UNUSED(hSession); + UNUSED(flags); + DOUT; + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_DEFINE_FUNCTION(CK_RV, C_MessageEncryptInit) +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the encryption mechanism */ + CK_OBJECT_HANDLE hKey /* handle of encryption key */ +) { + DIN; + UNUSED(hSession); + UNUSED(pMechanism); + UNUSED(hKey); + DOUT; + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_DEFINE_FUNCTION(CK_RV, C_EncryptMessage) +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pAssociatedData, /* AEAD Associated data */ + CK_ULONG ulAssociatedDataLen, /* AEAD Associated data length */ + CK_BYTE_PTR pPlaintext, /* plain text */ + CK_ULONG ulPlaintextLen, /* plain text length */ + CK_BYTE_PTR pCiphertext, /* gets cipher text */ + CK_ULONG_PTR pulCiphertextLen /* gets cipher text length */ +) { + DIN; + UNUSED(hSession); + UNUSED(pParameter); + UNUSED(ulParameterLen); + UNUSED(pAssociatedData); + UNUSED(ulAssociatedDataLen); + UNUSED(pPlaintext); + UNUSED(ulPlaintextLen); + UNUSED(pCiphertext); + UNUSED(pulCiphertextLen); + DOUT; + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_DEFINE_FUNCTION(CK_RV, C_EncryptMessageBegin) +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pAssociatedData, /* AEAD Associated data */ + CK_ULONG ulAssociatedDataLen /* AEAD Associated data length */ +) { + DIN; + UNUSED(hSession); + UNUSED(pParameter); + UNUSED(ulParameterLen); + UNUSED(pAssociatedData); + UNUSED(ulAssociatedDataLen); + DOUT; + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_DEFINE_FUNCTION(CK_RV, C_EncryptMessageNext) +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pPlaintextPart, /* plain text */ + CK_ULONG ulPlaintextPartLen, /* plain text length */ + CK_BYTE_PTR pCiphertextPart, /* gets cipher text */ + CK_ULONG_PTR pulCiphertextPartLen, /* gets cipher text length */ + CK_FLAGS flags /* multi mode flag */ +) { + DIN; + UNUSED(hSession); + UNUSED(pParameter); + UNUSED(ulParameterLen); + UNUSED(pPlaintextPart); + UNUSED(ulPlaintextPartLen); + UNUSED(pCiphertextPart); + UNUSED(pulCiphertextPartLen); + UNUSED(flags); + DOUT; + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_DEFINE_FUNCTION(CK_RV, C_MessageEncryptFinal) +(CK_SESSION_HANDLE hSession /* the session's handle */ +) { + DIN; + UNUSED(hSession); + DOUT; + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_DEFINE_FUNCTION(CK_RV, C_MessageDecryptInit) +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the decryption mechanism */ + CK_OBJECT_HANDLE hKey /* handle of decryption key */ +) { + DIN; + UNUSED(hSession); + UNUSED(pMechanism); + UNUSED(hKey); + DOUT; + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_DEFINE_FUNCTION(CK_RV, C_DecryptMessage) +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pAssociatedData, /* AEAD Associated data */ + CK_ULONG ulAssociatedDataLen, /* AEAD Associated data length */ + CK_BYTE_PTR pCiphertext, /* cipher text */ + CK_ULONG ulCiphertextLen, /* cipher text length */ + CK_BYTE_PTR pPlaintext, /* gets plain text */ + CK_ULONG_PTR pulPlaintextLen /* gets plain text length */ +) { + DIN; + UNUSED(hSession); + UNUSED(pParameter); + UNUSED(ulParameterLen); + UNUSED(pAssociatedData); + UNUSED(ulAssociatedDataLen); + UNUSED(pCiphertext); + UNUSED(ulCiphertextLen); + UNUSED(pPlaintext); + UNUSED(pulPlaintextLen); + DOUT; + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_DEFINE_FUNCTION(CK_RV, C_DecryptMessageBegin) +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pAssociatedData, /* AEAD Associated data */ + CK_ULONG ulAssociatedDataLen /* AEAD Associated data length */ +) { + DIN; + UNUSED(hSession); + UNUSED(pParameter); + UNUSED(ulParameterLen); + UNUSED(pAssociatedData); + UNUSED(ulAssociatedDataLen); + DOUT; + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_DEFINE_FUNCTION(CK_RV, C_DecryptMessageNext) +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pCiphertext, /* cipher text */ + CK_ULONG ulCiphertextLen, /* cipher text length */ + CK_BYTE_PTR pPlaintext, /* gets plain text */ + CK_ULONG_PTR pulPlaintextLen, /* gets plain text length */ + CK_FLAGS flags /* multi mode flag */ +) { + DIN; + UNUSED(hSession); + UNUSED(pParameter); + UNUSED(ulParameterLen); + UNUSED(pCiphertext); + UNUSED(ulCiphertextLen); + UNUSED(pPlaintext); + UNUSED(pulPlaintextLen); + UNUSED(flags); + DOUT; + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_DEFINE_FUNCTION(CK_RV, C_MessageDecryptFinal) +(CK_SESSION_HANDLE hSession /* the session's handle */ +) { + DIN; + UNUSED(hSession); + DOUT; + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_DEFINE_FUNCTION(CK_RV, C_MessageSignInit) +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the signing mechanism */ + CK_OBJECT_HANDLE hKey /* handle of signing key */ +) { + DIN; + UNUSED(hSession); + UNUSED(pMechanism); + UNUSED(hKey); + DOUT; + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_DEFINE_FUNCTION(CK_RV, C_SignMessage) +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pData, /* data to sign */ + CK_ULONG ulDataLen, /* data to sign length */ + CK_BYTE_PTR pSignature, /* gets signature */ + CK_ULONG_PTR pulSignatureLen /* gets signature length */ +) { + DIN; + UNUSED(hSession); + UNUSED(pParameter); + UNUSED(ulParameterLen); + UNUSED(pData); + UNUSED(ulDataLen); + UNUSED(pSignature); + UNUSED(pulSignatureLen); + DOUT; + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_DEFINE_FUNCTION(CK_RV, C_SignMessageBegin) +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen /* length of message specific parameter */ +) { + DIN; + UNUSED(hSession); + UNUSED(pParameter); + UNUSED(ulParameterLen); + DOUT; + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_DEFINE_FUNCTION(CK_RV, C_SignMessageNext) +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pData, /* data to sign */ + CK_ULONG ulDataLen, /* data to sign length */ + CK_BYTE_PTR pSignature, /* gets signature */ + CK_ULONG_PTR pulSignatureLen /* gets signature length */ +) { + DIN; + UNUSED(hSession); + UNUSED(pParameter); + UNUSED(ulParameterLen); + UNUSED(pData); + UNUSED(ulDataLen); + UNUSED(pSignature); + UNUSED(pulSignatureLen); + DOUT; + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_DEFINE_FUNCTION(CK_RV, C_MessageSignFinal) +(CK_SESSION_HANDLE hSession /* the session's handle */ +) { + DIN; + UNUSED(hSession); + DOUT; + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_DEFINE_FUNCTION(CK_RV, C_MessageVerifyInit) +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the signing mechanism */ + CK_OBJECT_HANDLE hKey /* handle of signing key */ +) { + DIN; + UNUSED(hSession); + UNUSED(pMechanism); + UNUSED(hKey); + DOUT; + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_DEFINE_FUNCTION(CK_RV, C_VerifyMessage) +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pData, /* data to sign */ + CK_ULONG ulDataLen, /* data to sign length */ + CK_BYTE_PTR pSignature, /* signature */ + CK_ULONG ulSignatureLen /* signature length */ +) { + DIN; + UNUSED(hSession); + UNUSED(pParameter); + UNUSED(ulParameterLen); + UNUSED(pData); + UNUSED(ulDataLen); + UNUSED(pSignature); + UNUSED(ulSignatureLen); + DOUT; + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_DEFINE_FUNCTION(CK_RV, C_VerifyMessageBegin) +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen /* length of message specific parameter */ +) { + DIN; + UNUSED(hSession); + UNUSED(pParameter); + UNUSED(ulParameterLen); + DOUT; + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_DEFINE_FUNCTION(CK_RV, C_VerifyMessageNext) +(CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pData, /* data to sign */ + CK_ULONG ulDataLen, /* data to sign length */ + CK_BYTE_PTR pSignature, /* signature */ + CK_ULONG ulSignatureLen /* signature length */ +) { + DIN; + UNUSED(hSession); + UNUSED(pParameter); + UNUSED(ulParameterLen); + UNUSED(pData); + UNUSED(ulDataLen); + UNUSED(pSignature); + UNUSED(ulSignatureLen); + DOUT; + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_DEFINE_FUNCTION(CK_RV, C_MessageVerifyFinal) +(CK_SESSION_HANDLE hSession /* the session's handle */ +) { + DIN; + UNUSED(hSession); + DOUT; + return CKR_FUNCTION_NOT_SUPPORTED; +} + +static const CK_FUNCTION_LIST function_list = { + {CRYPTOKI_LEGACY_VERSION_MAJOR, CRYPTOKI_LEGACY_VERSION_MINOR}, + C_Initialize, + C_Finalize, + C_GetInfo, + C_GetFunctionList, + C_GetSlotList, + C_GetSlotInfo, + C_GetTokenInfo, + C_GetMechanismList, + C_GetMechanismInfo, + C_InitToken, + C_InitPIN, + C_SetPIN, + C_OpenSession, + C_CloseSession, + C_CloseAllSessions, + C_GetSessionInfo, + C_GetOperationState, + C_SetOperationState, + C_Login, + C_Logout, + C_CreateObject, + C_CopyObject, + C_DestroyObject, + C_GetObjectSize, + C_GetAttributeValue, + C_SetAttributeValue, + C_FindObjectsInit, + C_FindObjects, + C_FindObjectsFinal, + C_EncryptInit, + C_Encrypt, + C_EncryptUpdate, + C_EncryptFinal, + C_DecryptInit, + C_Decrypt, + C_DecryptUpdate, + C_DecryptFinal, + C_DigestInit, + C_Digest, + C_DigestUpdate, + C_DigestKey, + C_DigestFinal, + C_SignInit, + C_Sign, + C_SignUpdate, + C_SignFinal, + C_SignRecoverInit, + C_SignRecover, + C_VerifyInit, + C_Verify, + C_VerifyUpdate, + C_VerifyFinal, + C_VerifyRecoverInit, + C_VerifyRecover, + C_DigestEncryptUpdate, + C_DecryptDigestUpdate, + C_SignEncryptUpdate, + C_DecryptVerifyUpdate, + C_GenerateKey, + C_GenerateKeyPair, + C_WrapKey, + C_UnwrapKey, + C_DeriveKey, + C_SeedRandom, + C_GenerateRandom, + C_GetFunctionStatus, + C_CancelFunction, + C_WaitForSlotEvent, +}; + +static const CK_FUNCTION_LIST_3_0 function_list_3 = { + {CRYPTOKI_VERSION_MAJOR, CRYPTOKI_VERSION_MINOR}, + C_Initialize, + C_Finalize, + C_GetInfo_3_0, C_GetFunctionList, C_GetSlotList, C_GetSlotInfo, @@ -5893,4 +6545,28 @@ CK_FUNCTION_LIST function_list = { C_GetFunctionStatus, C_CancelFunction, C_WaitForSlotEvent, + C_GetInterfaceList, + C_GetInterface, + C_LoginUser, + C_SessionCancel, + C_MessageEncryptInit, + C_EncryptMessage, + C_EncryptMessageBegin, + C_EncryptMessageNext, + C_MessageEncryptFinal, + C_MessageDecryptInit, + C_DecryptMessage, + C_DecryptMessageBegin, + C_DecryptMessageNext, + C_MessageDecryptFinal, + C_MessageSignInit, + C_SignMessage, + C_SignMessageBegin, + C_SignMessageNext, + C_MessageSignFinal, + C_MessageVerifyInit, + C_VerifyMessage, + C_VerifyMessageBegin, + C_VerifyMessageNext, + C_MessageVerifyFinal, }; diff --git a/resources/release/linux/yubihsm-shell.spec b/resources/release/linux/yubihsm-shell.spec index 94e430a8b..8fe5494eb 100644 --- a/resources/release/linux/yubihsm-shell.spec +++ b/resources/release/linux/yubihsm-shell.spec @@ -70,6 +70,8 @@ install -m 0644 ../LICENSE %{buildroot}/%{_prefix}/share/licenses/%{name} %{_includedir}/ykhsmauth.h %dir %{_includedir}/pkcs11 %{_includedir}/pkcs11/pkcs11.h +%{_includedir}/pkcs11/pkcs11f.h +%{_includedir}/pkcs11/pkcs11t.h %{_includedir}/pkcs11/pkcs11y.h %{_libdir}/pkgconfig/yubihsm.pc %{_libdir}/pkgconfig/ykhsmauth.pc diff --git a/resources/release/macos/make_release_binaries.sh b/resources/release/macos/make_release_binaries.sh index 2d70cf672..b61d9a9f6 100755 --- a/resources/release/macos/make_release_binaries.sh +++ b/resources/release/macos/make_release_binaries.sh @@ -8,8 +8,6 @@ SO_VERSION=$3 BREW_LIB="/opt/homebrew/opt" -brew install cmake pkg-config gengetopt help2man openssl - export PKG_CONFIG_PATH=$BREW_LIB/openssl/lib/pkgconfig SOURCE_DIR=$PWD