authorwyllys <none@none>2006-11-10 15:34:56 -0800
committerwyllys <none@none>2006-11-10 15:34:56 -0800
commit99ebb4ca412cb0a19d77a3899a87c055b9c30fa8 (patch)
treea972f78468519a4e00234388688f45a506e934ba /usr/src/lib/libkmf/include
parent177fd15c9f814babb60e824f89984cdd8acf7c85 (diff)
PSARC 2005/074 Solaris Key Management Framework
6224192 Solaris needs unified key management interfaces --HG-- rename : usr/src/cmd/cmd-crypto/pktool/biginteger.h => deleted_files/usr/src/cmd/cmd-crypto/pktool/biginteger.h rename : usr/src/cmd/cmd-crypto/pktool/derparse.c => deleted_files/usr/src/cmd/cmd-crypto/pktool/derparse.c rename : usr/src/cmd/cmd-crypto/pktool/derparse.h => deleted_files/usr/src/cmd/cmd-crypto/pktool/derparse.h rename : usr/src/cmd/cmd-crypto/pktool/osslcommon.c => deleted_files/usr/src/cmd/cmd-crypto/pktool/osslcommon.c rename : usr/src/cmd/cmd-crypto/pktool/osslcommon.h => deleted_files/usr/src/cmd/cmd-crypto/pktool/osslcommon.h rename : usr/src/cmd/cmd-crypto/pktool/p12common.c => deleted_files/usr/src/cmd/cmd-crypto/pktool/p12common.c rename : usr/src/cmd/cmd-crypto/pktool/p12common.h => deleted_files/usr/src/cmd/cmd-crypto/pktool/p12common.h
Diffstat (limited to 'usr/src/lib/libkmf/include')
-rw-r--r--usr/src/lib/libkmf/include/algorithm.h69
-rw-r--r--usr/src/lib/libkmf/include/kmfapi.h346
-rw-r--r--usr/src/lib/libkmf/include/kmfapiP.h348
-rw-r--r--usr/src/lib/libkmf/include/kmfpolicy.h197
-rw-r--r--usr/src/lib/libkmf/include/kmftypes.h1363
-rw-r--r--usr/src/lib/libkmf/include/oidsalg.h73
-rw-r--r--usr/src/lib/libkmf/include/pem_encode.h137
-rw-r--r--usr/src/lib/libkmf/include/rdn_parser.h126
8 files changed, 2659 insertions, 0 deletions
diff --git a/usr/src/lib/libkmf/include/algorithm.h b/usr/src/lib/libkmf/include/algorithm.h
new file mode 100644
index 0000000000..5353e4e8bc
--- /dev/null
+++ b/usr/src/lib/libkmf/include/algorithm.h
@@ -0,0 +1,69 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ *
+ *
+ * File: ALGORITHM.H
+ *
+ * Copyright (c) 1995-2000 Intel Corporation. All rights reserved.
+ */
+
+#ifndef _ALGORITHM_H
+#define _ALGORITHM_H
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+#include <kmftypes.h>
+#include <security/cryptoki.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct pkcs_algorithm_map
+{
+ CK_MECHANISM_TYPE pkcs_mechanism;
+ uint32_t algorithm;
+ uint32_t context_type;
+ uint32_t enc_mode;
+ CK_BBOOL bMultiPart;
+ CK_BBOOL fix_keylength;
+ uint32_t keylength;
+ CK_BBOOL fix_blocksize;
+ uint32_t block_size;
+ CK_BBOOL requires_iv;
+ uint32_t iv_length;
+ CK_FLAGS required_flags;
+ CK_KEY_TYPE key_type;
+ char *szDescription;
+} PKCS_ALGORITHM_MAP;
+
+extern KMF_SIGNATURE_MODE PKCS_GetDefaultSignatureMode(KMF_ALGORITHM_INDEX);
+extern PKCS_ALGORITHM_MAP* PKCS_GetAlgorithmMap(KMF_ALGCLASS, uint32_t,
+ uint32_t);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _ALGORITHM_H */
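Review bot: `KMF_SIGNATURE_MODE`, the return type of `PKCS_GetDefaultSignatureMode` at L91, is defined in this commit's kmfapiP.h (L788-L794), but algorithm.h only includes kmftypes.h and security/cryptoki.h (L66-L67), so a translation unit that includes algorithm.h without first including kmfapiP.h will not compile — unless kmftypes.h, which is mostly outside this view, also declares it. Either add `#include <kmfapiP.h>` here or move the enum into kmftypes.h next to the other KMF_ types so the include order stops mattering. The `char *szDescription` member at L88 should be `const char *szDescription;` if, as the name suggests, it points at a literal description string; since `PKCS_GetAlgorithmMap` (L92) hands callers a pointer into what is presumably a shared table, a const member also keeps a plugin from rewriting that table through the map.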
diff --git a/usr/src/lib/libkmf/include/kmfapi.h b/usr/src/lib/libkmf/include/kmfapi.h
new file mode 100644
index 0000000000..64ded2ce6a
--- /dev/null
+++ b/usr/src/lib/libkmf/include/kmfapi.h
@@ -0,0 +1,346 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ *
+ *
+ * Constant definitions and function prototypes for the KMF library.
+ * Commonly used data types are defined in "kmftypes.h".
+ */
+
+#ifndef _KMFAPI_H
+#define _KMFAPI_H
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+#include <kmftypes.h>
+#include <security/cryptoki.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Setup operations.
+ */
+extern KMF_RETURN KMF_Initialize(KMF_HANDLE_T *, char *, char *);
+extern KMF_RETURN KMF_ConfigureKeystore(KMF_HANDLE_T, KMF_CONFIG_PARAMS *);
+extern KMF_RETURN KMF_Finalize(KMF_HANDLE_T);
+
+/*
+ * Key operations.
+ */
+extern KMF_RETURN KMF_SignDataWithKey(KMF_HANDLE_T,
+ KMF_KEY_HANDLE *, KMF_OID *,
+ KMF_DATA *, KMF_DATA *);
+
+extern KMF_RETURN KMF_VerifyDataWithKey(KMF_HANDLE_T,
+ KMF_KEY_HANDLE *, KMF_ALGORITHM_INDEX, KMF_DATA *, KMF_DATA *);
+
+extern KMF_RETURN KMF_CreateKeypair(KMF_HANDLE_T,
+ KMF_CREATEKEYPAIR_PARAMS *, KMF_KEY_HANDLE *, KMF_KEY_HANDLE *);
+
+extern KMF_RETURN KMF_DeleteKeyFromKeystore(KMF_HANDLE_T,
+ KMF_DELETEKEY_PARAMS *, KMF_KEY_HANDLE *);
+
+extern KMF_RETURN KMF_SignCertRecord(KMF_HANDLE_T, KMF_KEY_HANDLE *,
+ KMF_X509_CERTIFICATE *, KMF_DATA *);
+
+extern KMF_RETURN KMF_FindKey(KMF_HANDLE_T, KMF_FINDKEY_PARAMS *,
+ KMF_KEY_HANDLE *, uint32_t *);
+
+extern KMF_RETURN KMF_StorePrivateKey(KMF_HANDLE_T, KMF_STOREKEY_PARAMS *,
+ KMF_RAW_KEY_DATA *);
+
+extern KMF_RETURN KMF_CreateSymKey(KMF_HANDLE_T, KMF_CREATESYMKEY_PARAMS *,
+ KMF_KEY_HANDLE *);
+
+extern KMF_RETURN KMF_GetSymKeyValue(KMF_HANDLE_T, KMF_KEY_HANDLE *,
+ KMF_RAW_SYM_KEY *);
+
+/*
+ * Certificate operations.
+ */
+extern KMF_RETURN KMF_FindCert(KMF_HANDLE_T, KMF_FINDCERT_PARAMS *,
+ KMF_X509_DER_CERT *, uint32_t *);
+
+extern KMF_RETURN KMF_EncodeCertRecord(KMF_X509_CERTIFICATE *,
+ KMF_DATA *);
+extern KMF_RETURN KMF_SignCertWithKey(KMF_HANDLE_T, const KMF_DATA *,
+ KMF_KEY_HANDLE *, KMF_DATA *);
+extern KMF_RETURN KMF_SignCertWithCert(KMF_HANDLE_T,
+ KMF_CRYPTOWITHCERT_PARAMS *,
+ const KMF_DATA *, KMF_DATA *, KMF_DATA *);
+
+extern KMF_RETURN KMF_SignDataWithCert(KMF_HANDLE_T,
+ KMF_CRYPTOWITHCERT_PARAMS *, KMF_DATA *, KMF_DATA *, KMF_DATA *);
+
+extern KMF_RETURN KMF_VerifyCertWithKey(KMF_HANDLE_T, KMF_KEY_HANDLE *,
+ const KMF_DATA *);
+extern KMF_RETURN KMF_VerifyCertWithCert(KMF_HANDLE_T, const KMF_DATA *,
+ const KMF_DATA *);
+extern KMF_RETURN KMF_VerifyDataWithCert(KMF_HANDLE_T, KMF_DATA *, KMF_DATA *,
+ const KMF_DATA *);
+
+extern KMF_RETURN KMF_EncryptWithCert(KMF_HANDLE_T, KMF_DATA *,
+ KMF_DATA *, KMF_DATA *);
+
+extern KMF_RETURN KMF_DecryptWithCert(KMF_HANDLE_T,
+ KMF_CRYPTOWITHCERT_PARAMS *, KMF_DATA *, KMF_DATA *, KMF_DATA *);
+
+extern KMF_RETURN KMF_StoreCert(KMF_HANDLE_T,
+ KMF_STORECERT_PARAMS *, KMF_DATA *);
+extern KMF_RETURN KMF_ImportCert(KMF_HANDLE_T, KMF_IMPORTCERT_PARAMS *);
+extern KMF_RETURN KMF_DeleteCertFromKeystore(KMF_HANDLE_T,
+ KMF_DELETECERT_PARAMS *);
+
+extern KMF_RETURN KMF_ValidateCert(KMF_HANDLE_T,
+ KMF_VALIDATECERT_PARAMS *, int *);
+
+extern KMF_RETURN KMF_CreateCertFile(KMF_DATA *, KMF_ENCODE_FORMAT, char *);
+
+extern KMF_RETURN KMF_DownloadCert(KMF_HANDLE_T, char *, char *, int,
+ unsigned int, char *, KMF_ENCODE_FORMAT *);
+extern KMF_RETURN KMF_IsCertFile(KMF_HANDLE_T, char *, KMF_ENCODE_FORMAT *);
+
+extern KMF_RETURN KMF_CheckCertDate(KMF_HANDLE_T, KMF_DATA *);
+
+/*
+ * CRL operations.
+ */
+extern KMF_RETURN KMF_ImportCRL(KMF_HANDLE_T, KMF_IMPORTCRL_PARAMS *);
+extern KMF_RETURN KMF_DeleteCRL(KMF_HANDLE_T, KMF_DELETECRL_PARAMS *);
+extern KMF_RETURN KMF_ListCRL(KMF_HANDLE_T, KMF_LISTCRL_PARAMS *, char **);
+extern KMF_RETURN KMF_FindCRL(KMF_HANDLE_T, KMF_FINDCRL_PARAMS *,
+ char **, int *);
+
+extern KMF_RETURN KMF_FindCertInCRL(KMF_HANDLE_T,
+ KMF_FINDCERTINCRL_PARAMS *);
+extern KMF_RETURN KMF_VerifyCRLFile(KMF_HANDLE_T,
+ KMF_VERIFYCRL_PARAMS *);
+
+extern KMF_RETURN KMF_CheckCRLDate(KMF_HANDLE_T,
+ KMF_CHECKCRLDATE_PARAMS *);
+extern KMF_RETURN KMF_DownloadCRL(KMF_HANDLE_T, char *, char *,
+ int, unsigned int, char *, KMF_ENCODE_FORMAT *);
+extern KMF_RETURN KMF_IsCRLFile(KMF_HANDLE_T, char *, KMF_ENCODE_FORMAT *);
+
+/*
+ * CSR operations.
+ */
+extern KMF_RETURN KMF_SetCSRPubKey(KMF_HANDLE_T,
+ KMF_KEY_HANDLE *, KMF_CSR_DATA *);
+extern KMF_RETURN KMF_SetCSRVersion(KMF_CSR_DATA *, uint32_t);
+extern KMF_RETURN KMF_SetCSRSubjectName(KMF_CSR_DATA *, KMF_X509_NAME *);
+extern KMF_RETURN KMF_CreateCSRFile(KMF_DATA *, KMF_ENCODE_FORMAT, char *);
+extern KMF_RETURN KMF_SetCSRExtension(KMF_CSR_DATA *, KMF_X509_EXTENSION *);
+extern KMF_RETURN KMF_SetCSRSignatureAlgorithm(KMF_CSR_DATA *,
+ KMF_ALGORITHM_INDEX);
+extern KMF_RETURN KMF_SetCSRSubjectAltName(KMF_CSR_DATA *, char *,
+ int, KMF_GENERALNAMECHOICES);
+extern KMF_RETURN KMF_SetCSRKeyUsage(KMF_CSR_DATA *, int, uint16_t);
+extern KMF_RETURN KMF_SignCSR(KMF_HANDLE_T, const KMF_CSR_DATA *,
+ KMF_KEY_HANDLE *, KMF_DATA *);
+
+/*
+ * GetCert operations.
+ */
+extern KMF_RETURN KMF_GetCertExtensionData(const KMF_DATA *, KMF_OID *,
+ KMF_X509_EXTENSION *);
+
+extern KMF_RETURN KMF_GetCertCriticalExtensions(const KMF_DATA *,
+ KMF_X509_EXTENSION **, int *);
+
+extern KMF_RETURN KMF_GetCertNonCriticalExtensions(const KMF_DATA *,
+ KMF_X509_EXTENSION **, int *);
+
+extern KMF_RETURN KMF_GetCertKeyUsageExt(const KMF_DATA *,
+ KMF_X509EXT_KEY_USAGE *);
+
+extern KMF_RETURN KMF_GetCertEKU(const KMF_DATA *, KMF_X509EXT_EKU *);
+
+extern KMF_RETURN KMF_GetCertBasicConstraintExt(const KMF_DATA *,
+ KMF_BOOL *, KMF_X509EXT_BASICCONSTRAINTS *);
+
+extern KMF_RETURN KMF_GetCertPoliciesExt(const KMF_DATA *,
+ KMF_BOOL *, KMF_X509EXT_CERT_POLICIES *);
+
+extern KMF_RETURN KMF_GetCertAuthInfoAccessExt(const KMF_DATA *,
+ KMF_X509EXT_AUTHINFOACCESS *);
+
+extern KMF_RETURN KMF_GetCertCRLDistributionPointsExt(const KMF_DATA *,
+ KMF_X509EXT_CRLDISTPOINTS *);
+
+extern KMF_RETURN KMF_GetCertVersionString(KMF_HANDLE_T,
+ const KMF_DATA *, char **);
+
+extern KMF_RETURN KMF_GetCertSubjectNameString(KMF_HANDLE_T, const KMF_DATA *,
+ char **);
+
+extern KMF_RETURN KMF_GetCertIssuerNameString(KMF_HANDLE_T,
+ const KMF_DATA *, char **);
+
+extern KMF_RETURN KMF_GetCertSerialNumberString(KMF_HANDLE_T, const KMF_DATA *,
+ char **);
+
+extern KMF_RETURN KMF_GetCertStartDateString(KMF_HANDLE_T,
+ const KMF_DATA *, char **);
+
+extern KMF_RETURN KMF_GetCertEndDateString(KMF_HANDLE_T,
+ const KMF_DATA *, char **);
+
+extern KMF_RETURN KMF_GetCertPubKeyAlgString(KMF_HANDLE_T,
+ const KMF_DATA *, char **);
+
+extern KMF_RETURN KMF_GetCertSignatureAlgString(KMF_HANDLE_T,
+ const KMF_DATA *, char **);
+
+extern KMF_RETURN KMF_GetCertPubKeyDataString(KMF_HANDLE_T,
+ const KMF_DATA *, char **);
+
+extern KMF_RETURN KMF_GetCertEmailString(KMF_HANDLE_T,
+ const KMF_DATA *, char **);
+
+extern KMF_RETURN KMF_GetCertExtensionString(KMF_HANDLE_T, const KMF_DATA *,
+ KMF_PRINTABLE_ITEM, char **);
+
+extern KMF_RETURN KMF_GetCertIDData(const KMF_DATA *, KMF_DATA *);
+extern KMF_RETURN KMF_GetCertIDString(const KMF_DATA *, char **);
+extern KMF_RETURN KMF_GetCertValidity(const KMF_DATA *, time_t *, time_t *);
+
+/*
+ * SetCert operations
+ */
+extern KMF_RETURN KMF_SetCertPubKey(KMF_HANDLE_T, KMF_KEY_HANDLE *,
+ KMF_X509_CERTIFICATE *);
+
+extern KMF_RETURN KMF_SetCertSubjectName(KMF_X509_CERTIFICATE *,
+ KMF_X509_NAME *);
+
+extern KMF_RETURN KMF_SetCertKeyUsage(KMF_X509_CERTIFICATE *, int, uint16_t);
+
+extern KMF_RETURN KMF_SetCertIssuerName(KMF_X509_CERTIFICATE *,
+ KMF_X509_NAME *);
+
+extern KMF_RETURN KMF_SetCertSignatureAlgorithm(KMF_X509_CERTIFICATE *,
+ KMF_ALGORITHM_INDEX);
+
+extern KMF_RETURN KMF_SetCertValidityTimes(KMF_X509_CERTIFICATE *,
+ time_t, uint32_t);
+
+extern KMF_RETURN KMF_SetCertSerialNumber(KMF_X509_CERTIFICATE *,
+ KMF_BIGINT *);
+
+extern KMF_RETURN KMF_SetCertVersion(KMF_X509_CERTIFICATE *, uint32_t);
+
+extern KMF_RETURN KMF_SetCertIssuerAltName(KMF_X509_CERTIFICATE *,
+ int, KMF_GENERALNAMECHOICES, char *);
+
+extern KMF_RETURN KMF_SetCertSubjectAltName(KMF_X509_CERTIFICATE *,
+ int, KMF_GENERALNAMECHOICES, char *);
+
+extern KMF_RETURN KMF_AddCertEKU(KMF_X509_CERTIFICATE *, KMF_OID *, int);
+
+extern KMF_RETURN KMF_SetCertExtension(KMF_X509_CERTIFICATE *,
+ KMF_X509_EXTENSION *);
+
+extern KMF_RETURN KMF_SetCertBasicConstraintExt(KMF_X509_CERTIFICATE *,
+ KMF_BOOL, KMF_X509EXT_BASICCONSTRAINTS *);
+
+extern KMF_RETURN KMF_ExportPK12(KMF_HANDLE_T, KMF_EXPORTP12_PARAMS *, char *);
+extern KMF_RETURN KMF_ImportPK12(KMF_HANDLE_T, char *, KMF_CREDENTIAL *,
+ KMF_DATA **, int *, KMF_RAW_KEY_DATA **, int *);
+
+/*
+ * Get OCSP response operation.
+ */
+extern KMF_RETURN KMF_GetOCSPForCert(KMF_HANDLE_T, KMF_DATA *, KMF_DATA *,
+ KMF_DATA *);
+
+extern KMF_RETURN KMF_CreateOCSPRequest(KMF_HANDLE_T, KMF_OCSPREQUEST_PARAMS *,
+ char *);
+
+extern KMF_RETURN KMF_GetEncodedOCSPResponse(KMF_HANDLE_T, char *, char *, int,
+ char *, int, char *, unsigned int);
+
+extern KMF_RETURN KMF_GetOCSPStatusForCert(KMF_HANDLE_T,
+ KMF_OCSPRESPONSE_PARAMS_INPUT *,
+ KMF_OCSPRESPONSE_PARAMS_OUTPUT *);
+
+/*
+ * Policy Operations
+ */
+extern KMF_RETURN KMF_SetPolicy(KMF_HANDLE_T, char *, char *);
+
+/*
+ * Error handling.
+ */
+extern KMF_RETURN KMF_GetPluginErrorString(KMF_HANDLE_T, char **);
+extern KMF_RETURN KMF_GetKMFErrorString(KMF_RETURN, char **);
+
+/*
+ * Miscellaneous
+ */
+extern KMF_RETURN KMF_DNParser(char *, KMF_X509_NAME *);
+extern KMF_RETURN KMF_DN2Der(KMF_X509_NAME *, KMF_DATA *);
+extern KMF_RETURN KMF_ReadInputFile(KMF_HANDLE_T, char *, KMF_DATA *);
+extern KMF_RETURN KMF_Der2Pem(KMF_OBJECT_TYPE, unsigned char *,
+ int, unsigned char **, int *);
+extern KMF_RETURN KMF_Pem2Der(unsigned char *, int, unsigned char **, int *);
+extern char *KMF_OID2String(KMF_OID *);
+extern KMF_RETURN KMF_String2OID(char *, KMF_OID *);
+extern int KMF_CompareRDNs(KMF_X509_NAME *, KMF_X509_NAME *);
+extern KMF_RETURN KMF_GetFileFormat(char *, KMF_ENCODE_FORMAT *);
+extern uint16_t KMF_StringToKeyUsage(char *);
+extern KMF_RETURN KMF_SetTokenPin(KMF_HANDLE_T, KMF_SETPIN_PARAMS *,
+ KMF_CREDENTIAL *);
+extern KMF_RETURN KMF_HexString2Bytes(unsigned char *, unsigned char **,
+ size_t *);
+
+/*
+ * Memory cleanup operations
+ */
+extern void KMF_FreeDN(KMF_X509_NAME *);
+extern void KMF_FreeKMFCert(KMF_HANDLE_T, KMF_X509_DER_CERT *);
+extern void KMF_FreeData(KMF_DATA *);
+extern void KMF_FreeAlgOID(KMF_X509_ALGORITHM_IDENTIFIER *);
+extern void KMF_FreeExtension(KMF_X509_EXTENSION *);
+extern void KMF_FreeTBSCSR(KMF_TBS_CSR *);
+extern void KMF_FreeSignedCSR(KMF_CSR_DATA *);
+extern void KMF_FreeTBSCert(KMF_X509_TBS_CERT *);
+extern void KMF_FreeSignedCert(KMF_X509_CERTIFICATE *);
+extern void KMF_FreeString(char *);
+extern void KMF_FreeEKU(KMF_X509EXT_EKU *);
+extern void KMF_FreeSPKI(KMF_X509_SPKI *);
+extern void KMF_FreeKMFKey(KMF_HANDLE_T, KMF_KEY_HANDLE *);
+extern void KMF_FreeBigint(KMF_BIGINT *);
+extern void KMF_FreeRawKey(KMF_RAW_KEY_DATA *);
+extern void KMF_FreeRawSymKey(KMF_RAW_SYM_KEY *);
+extern void KMF_FreeCRLDistributionPoints(KMF_X509EXT_CRLDISTPOINTS *);
+
+/* APIs for PKCS#11 token */
+extern KMF_RETURN KMF_PK11TokenLookup(KMF_HANDLE_T, char *, CK_SLOT_ID *);
+
+#ifdef __cplusplus
+}
+#endif
+#endif /* _KMFAPI_H */
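Review bot: Every prototype in this public header omits its parameter names, so the signature-verification entry points are ambiguous from the declaration alone: `KMF_VerifyCertWithCert(KMF_HANDLE_T, const KMF_DATA *, const KMF_DATA *)` at L204 does not say which `KMF_DATA` is the certificate under test and which supplies the verifying key, and `KMF_VerifyDataWithCert` (L206), `KMF_GetOCSPForCert` (L381) and `KMF_DownloadCert` with its three bare `char *` (L226) have the same problem. Keep parameter names in the prototypes — the comment at L131 says this header is the public prototype reference — and give each sign/verify declaration a one-line comment naming the role of every data argument, e.g. `/* verifies the first DER cert with the public key of the second */` (with the order confirmed against the implementation). Separately, string inputs such as the path and name arguments of `KMF_DownloadCert`, `KMF_ReadInputFile` (L410) and `KMF_SetPolicy` (L397) are declared `char *`; where the implementation, which is not in this commit's view, only reads them, `const char *` would document that and let callers pass literals. The KMF_Free* family at L427-L443 likewise does not say whether each call frees the container or only the members it points to, which callers need to know to avoid a double free or a leak.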
diff --git a/usr/src/lib/libkmf/include/kmfapiP.h b/usr/src/lib/libkmf/include/kmfapiP.h
new file mode 100644
index 0000000000..64b524b6a7
--- /dev/null
+++ b/usr/src/lib/libkmf/include/kmfapiP.h
@@ -0,0 +1,348 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+#ifndef _KMFAPIP_H
+#define _KMFAPIP_H
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+#include <kmfapi.h>
+#include <kmfpolicy.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Plugin function table */
+typedef struct {
+ ushort_t version;
+ KMF_RETURN (*ConfigureKeystore) (
+ KMF_HANDLE_T,
+ KMF_CONFIG_PARAMS *);
+
+ KMF_RETURN (*FindCert) (
+ KMF_HANDLE_T,
+ KMF_FINDCERT_PARAMS *,
+ KMF_X509_DER_CERT *,
+ uint32_t *);
+
+ void (*FreeKMFCert) (
+ KMF_HANDLE_T,
+ KMF_X509_DER_CERT *);
+
+ KMF_RETURN (*StoreCert) (
+ KMF_HANDLE_T,
+ KMF_STORECERT_PARAMS *,
+ KMF_DATA *);
+
+ KMF_RETURN (*ImportCert) (
+ KMF_HANDLE_T,
+ KMF_IMPORTCERT_PARAMS *);
+
+ KMF_RETURN (*ImportCRL) (
+ KMF_HANDLE_T,
+ KMF_IMPORTCRL_PARAMS *);
+
+ KMF_RETURN (*DeleteCert) (
+ KMF_HANDLE_T,
+ KMF_DELETECERT_PARAMS *);
+
+ KMF_RETURN (*DeleteCRL) (
+ KMF_HANDLE_T,
+ KMF_DELETECRL_PARAMS *);
+
+ KMF_RETURN (*CreateKeypair) (
+ KMF_HANDLE_T,
+ KMF_CREATEKEYPAIR_PARAMS *,
+ KMF_KEY_HANDLE *,
+ KMF_KEY_HANDLE *);
+
+ KMF_RETURN (*FindKey) (
+ KMF_HANDLE_T,
+ KMF_FINDKEY_PARAMS *,
+ KMF_KEY_HANDLE *,
+ uint32_t *);
+
+ KMF_RETURN (*EncodePubkeyData) (
+ KMF_HANDLE_T,
+ KMF_KEY_HANDLE *,
+ KMF_DATA *);
+
+ KMF_RETURN (*SignData) (
+ KMF_HANDLE_T,
+ KMF_KEY_HANDLE *,
+ KMF_OID *,
+ KMF_DATA *,
+ KMF_DATA *);
+
+ KMF_RETURN (*DeleteKey) (
+ KMF_HANDLE_T,
+ KMF_DELETEKEY_PARAMS *,
+ KMF_KEY_HANDLE *,
+ boolean_t);
+
+ KMF_RETURN (*ListCRL) (
+ KMF_HANDLE_T,
+ KMF_LISTCRL_PARAMS *,
+ char **);
+
+ KMF_RETURN (*FindCRL) (
+ KMF_HANDLE_T,
+ KMF_FINDCRL_PARAMS *,
+ char **,
+ int *);
+
+ KMF_RETURN (*FindCertInCRL) (
+ KMF_HANDLE_T,
+ KMF_FINDCERTINCRL_PARAMS *);
+
+ KMF_RETURN (*GetErrorString) (
+ KMF_HANDLE_T,
+ char **);
+
+ KMF_RETURN (*GetPrikeyByCert) (
+ KMF_HANDLE_T,
+ KMF_CRYPTOWITHCERT_PARAMS *,
+ KMF_DATA *,
+ KMF_KEY_HANDLE *,
+ KMF_KEY_ALG);
+
+ KMF_RETURN (*DecryptData) (
+ KMF_HANDLE_T,
+ KMF_KEY_HANDLE *,
+ KMF_OID *,
+ KMF_DATA *,
+ KMF_DATA *);
+
+ KMF_RETURN (*ExportP12)(
+ KMF_HANDLE_T,
+ KMF_EXPORTP12_PARAMS *,
+ int, KMF_X509_DER_CERT *,
+ int, KMF_KEY_HANDLE *,
+ char *);
+
+ KMF_RETURN (*StorePrivateKey)(
+ KMF_HANDLE_T,
+ KMF_STOREKEY_PARAMS *,
+ KMF_RAW_KEY_DATA *);
+
+ KMF_RETURN (*CreateSymKey) (
+ KMF_HANDLE_T,
+ KMF_CREATESYMKEY_PARAMS *,
+ KMF_KEY_HANDLE *);
+
+ KMF_RETURN (*GetSymKeyValue) (
+ KMF_HANDLE_T,
+ KMF_KEY_HANDLE *,
+ KMF_RAW_SYM_KEY *);
+
+ KMF_RETURN (*SetTokenPin) (
+ KMF_HANDLE_T,
+ KMF_SETPIN_PARAMS *,
+ KMF_CREDENTIAL *);
+
+ void (*Finalize) ();
+
+} KMF_PLUGIN_FUNCLIST;
+
+typedef struct {
+ KMF_KEYSTORE_TYPE type;
+ char *applications;
+ char *path;
+ void *dldesc;
+ KMF_PLUGIN_FUNCLIST *funclist;
+} KMF_PLUGIN;
+
+typedef struct _KMF_PLUGIN_LIST {
+ KMF_PLUGIN *plugin;
+ struct _KMF_PLUGIN_LIST *next;
+} KMF_PLUGIN_LIST;
+
+typedef struct _kmf_handle {
+ /*
+ * session handle opened by KMF_SelectToken() to talk
+ * to a specific slot in Crypto framework. It is used
+ * by pkcs11 plugin module.
+ */
+ CK_SESSION_HANDLE pk11handle;
+ KMF_ERROR lasterr;
+ KMF_POLICY_RECORD *policy;
+ KMF_PLUGIN_LIST *plugins;
+} KMF_HANDLE;
+
+#define CLEAR_ERROR(h, rv) { \
+ if (h == NULL) { \
+ rv = KMF_ERR_BAD_PARAMETER; \
+ } else { \
+ h->lasterr.errcode = 0; \
+ h->lasterr.kstype = 0; \
+ rv = KMF_OK; \
+ } \
+}
+
+#define KMF_PLUGIN_INIT_SYMBOL "KMF_Plugin_Initialize"
+
+#ifndef KMF_PLUGIN_PATH
+#if defined(__sparcv9)
+#define KMF_PLUGIN_PATH "/usr/lib/security/sparcv9/"
+#elif defined(__sparc)
+#define KMF_PLUGIN_PATH "/usr/lib/security/"
+#elif defined(__i386)
+#define KMF_PLUGIN_PATH "/usr/lib/security/"
+#elif defined(__amd64)
+#define KMF_PLUGIN_PATH "/usr/lib/security/amd64/"
+#endif
+#endif /* !KMF_PLUGIN_PATH */
+
+KMF_PLUGIN_FUNCLIST *KMF_Plugin_Initialize();
+
+KMF_RETURN
+SignCert(KMF_HANDLE_T, const KMF_DATA *, KMF_KEY_HANDLE *, KMF_DATA *);
+
+KMF_RETURN
+VerifyCertWithKey(KMF_HANDLE_T, KMF_DATA *, const KMF_DATA *);
+
+KMF_RETURN
+VerifyCertWithCert(KMF_HANDLE_T, const KMF_DATA *, const KMF_DATA *);
+
+KMF_RETURN
+VerifyDataWithCert(KMF_HANDLE_T, KMF_DATA *, KMF_DATA *, const KMF_DATA *);
+
+KMF_RETURN
+VerifyDataWithKey(KMF_HANDLE_T, KMF_DATA *, KMF_ALGORITHM_INDEX, KMF_DATA *,
+ KMF_DATA *);
+
+KMF_RETURN
+EncryptWithCert(KMF_HANDLE_T, KMF_DATA *, KMF_DATA *, KMF_DATA *);
+
+KMF_RETURN
+DecryptWithCert(KMF_HANDLE_T, KMF_DATA *, KMF_KEY_HANDLE *, KMF_DATA *,
+ KMF_DATA *);
+
+KMF_RETURN
+SignCsr(KMF_HANDLE_T, const KMF_DATA *, KMF_KEY_HANDLE *,
+ KMF_X509_ALGORITHM_IDENTIFIER *, KMF_DATA *);
+
+KMF_BOOL PKCS_ConvertAlgorithmId2PKCSKeyType(
+ KMF_ALGORITHM_INDEX, CK_KEY_TYPE *);
+
+KMF_RETURN PKCS_VerifyData(
+ KMF_HANDLE *,
+ KMF_ALGORITHM_INDEX,
+ KMF_X509_SPKI *,
+ KMF_DATA *, KMF_DATA *);
+
+KMF_RETURN PKCS_EncryptData(
+ KMF_HANDLE *,
+ KMF_ALGORITHM_INDEX,
+ KMF_X509_SPKI *,
+ KMF_DATA *,
+ KMF_DATA *);
+
+KMF_PLUGIN *FindPlugin(KMF_HANDLE_T, KMF_KEYSTORE_TYPE);
+
+KMF_BOOL IsEqualOid(KMF_OID *, KMF_OID *);
+
+KMF_OID *X509_AlgIdToAlgorithmOid(KMF_ALGORITHM_INDEX);
+
+KMF_ALGORITHM_INDEX X509_AlgorithmOidToAlgId(KMF_OID *);
+KMF_RETURN GetIDFromSPKI(KMF_X509_SPKI *, KMF_DATA *);
+CK_RV DigestData(CK_SESSION_HANDLE, KMF_DATA *, KMF_DATA *);
+
+KMF_RETURN KMF_SetAltName(KMF_X509_EXTENSIONS *,
+ KMF_OID *, int, KMF_GENERALNAMECHOICES, char *);
+KMF_RETURN GetSequenceContents(char *, size_t, char **, size_t *);
+KMF_X509_EXTENSION *FindExtn(KMF_X509_EXTENSIONS *, KMF_OID *);
+KMF_RETURN add_an_extension(KMF_X509_EXTENSIONS *exts,
+ KMF_X509_EXTENSION *newextn);
+KMF_RETURN set_integer(KMF_DATA *, void *, int);
+void free_keyidlist(KMF_OID *, int);
+KMF_RETURN copy_data(KMF_DATA *, KMF_DATA *);
+void Cleanup_PK11_Session(KMF_HANDLE_T handle);
+void free_dp_name(KMF_CRL_DIST_POINT *);
+void free_dp(KMF_CRL_DIST_POINT *);
+KMF_RETURN set_key_usage_extension(KMF_X509_EXTENSIONS *,
+ int, uint32_t);
+int is_pk11_ready();
+KMF_RETURN KMF_SelectToken(KMF_HANDLE_T, char *, int);
+
+
+/* Indexes into the key parts array for RSA keys */
+#define KMF_RSA_MODULUS (0)
+#define KMF_RSA_PUBLIC_EXPONENT (1)
+#define KMF_RSA_PRIVATE_EXPONENT (2)
+#define KMF_RSA_PRIME1 (3)
+#define KMF_RSA_PRIME2 (4)
+#define KMF_RSA_EXPONENT1 (5)
+#define KMF_RSA_EXPONENT2 (6)
+#define KMF_RSA_COEFFICIENT (7)
+
+/* Key part counts for RSA keys */
+#define KMF_NUMBER_RSA_PUBLIC_KEY_PARTS (2)
+#define KMF_NUMBER_RSA_PRIVATE_KEY_PARTS (8)
+
+/* Key part counts for DSA keys */
+#define KMF_NUMBER_DSA_PUBLIC_KEY_PARTS (4)
+#define KMF_NUMBER_DSA_PRIVATE_KEY_PARTS (4)
+
+/* Indexes into the key parts array for DSA keys */
+#define KMF_DSA_PRIME (0)
+#define KMF_DSA_SUB_PRIME (1)
+#define KMF_DSA_BASE (2)
+#define KMF_DSA_PUBLIC_VALUE (3)
+
+#ifndef max
+#define max(a, b) ((a) < (b) ? (b) : (a))
+#endif
+
+/* Maximum key parts for all algorithms */
+#define KMF_MAX_PUBLIC_KEY_PARTS \
+ (max(KMF_NUMBER_RSA_PUBLIC_KEY_PARTS, \
+ KMF_NUMBER_DSA_PUBLIC_KEY_PARTS))
+
+#define KMF_MAX_PRIVATE_KEY_PARTS \
+ (max(KMF_NUMBER_RSA_PRIVATE_KEY_PARTS, \
+ KMF_NUMBER_DSA_PRIVATE_KEY_PARTS))
+
+#define KMF_MAX_KEY_PARTS \
+ (max(KMF_MAX_PUBLIC_KEY_PARTS, KMF_MAX_PRIVATE_KEY_PARTS))
+
+typedef enum {
+ KMF_ALGMODE_NONE = 0,
+ KMF_ALGMODE_CUSTOM,
+ KMF_ALGMODE_PUBLIC_KEY,
+ KMF_ALGMODE_PRIVATE_KEY,
+ KMF_ALGMODE_PKCS1_EMSA_V15
+} KMF_SIGNATURE_MODE;
+
+#define KMF_CERT_PRINTABLE_LEN 1024
+#define SHA1_HASH_LENGTH 20
+
+#define OCSPREQ_TEMPNAME "/tmp/ocsp.reqXXXXXX"
+#define OCSPRESP_TEMPNAME "/tmp/ocsp.respXXXXXX"
+
+#ifdef __cplusplus
+}
+#endif
+#endif /* _KMFAPIP_H */
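Review bot: `CLEAR_ERROR` at L651-L659 expands to a bare brace block and uses `h` unparenthesized, so `if (x) CLEAR_ERROR(h, rv); else ...` is a syntax error once the macro's closing brace meets the trailing `;`, and passing an expression such as `*hp` for `h` mis-parses the `h->lasterr` accesses. Wrap the body in `do { ... } while (0)` and parenthesize both arguments (rewrite below). Separately, `void (*Finalize) ();` at L622, `KMF_Plugin_Initialize()` at L675 and `is_pk11_ready()` at L744 use empty parameter lists, which in C are non-prototype declarations that let a caller pass arbitrary arguments unchecked; write `(void)`. The `/tmp` templates at L799-L800 are only safe if every user creates the file with `mkstemp(3)` and keeps working through the returned descriptor instead of reopening by name; those users are outside this commit's view, so worth confirming. Also `#define max(a, b)` at L773 puts a lowercase, doubly-evaluating macro into a header every libkmf source includes; an uppercase name or a `static inline` helper avoids collisions and the double evaluation.
```c
#define CLEAR_ERROR(h, rv) do { \
	if ((h) == NULL) { \
		(rv) = KMF_ERR_BAD_PARAMETER; \
	} else { \
		(h)->lasterr.errcode = 0; \
		(h)->lasterr.kstype = 0; \
		(rv) = KMF_OK; \
	} \
} while (0)
```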
diff --git a/usr/src/lib/libkmf/include/kmfpolicy.h b/usr/src/lib/libkmf/include/kmfpolicy.h
new file mode 100644
index 0000000000..e00c55e620
--- /dev/null
+++ b/usr/src/lib/libkmf/include/kmfpolicy.h
@@ -0,0 +1,197 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ *
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+#ifndef _KMFPOLICY_H
+#define _KMFPOLICY_H
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+#include <kmfapi.h>
+#include <libxml/tree.h>
+#include <libxml/parser.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct {
+ char *name;
+ char *serial;
+}KMF_RESP_CERT_POLICY;
+
+typedef struct {
+ char *responderURI;
+ char *proxy;
+ boolean_t uri_from_cert;
+ char *response_lifetime;
+ boolean_t ignore_response_sign;
+}KMF_OCSP_BASIC_POLICY;
+
+typedef struct {
+ KMF_OCSP_BASIC_POLICY basic;
+ KMF_RESP_CERT_POLICY resp_cert;
+ boolean_t has_resp_cert;
+}KMF_OCSP_POLICY;
+
+typedef struct {
+ char *basefilename;
+ char *directory;
+ char *proxy;
+ boolean_t get_crl_uri;
+ boolean_t ignore_crl_sign;
+ boolean_t ignore_crl_date;
+}KMF_CRL_POLICY;
+
+typedef struct {
+ KMF_OCSP_POLICY ocsp_info;
+ KMF_CRL_POLICY crl_info;
+}KMF_VALIDATION_POLICY;
+
+typedef struct {
+ int eku_count;
+ KMF_OID *ekulist;
+}KMF_EKU_POLICY;
+
+
+#define KMF_REVOCATION_METHOD_CRL 0x1
+#define KMF_REVOCATION_METHOD_OCSP 0x2
+
+
+typedef struct {
+ char *name;
+ KMF_VALIDATION_POLICY validation_info;
+ KMF_EKU_POLICY eku_set;
+ uint32_t ku_bits;
+ boolean_t ignore_date;
+ boolean_t ignore_unknown_ekus;
+ boolean_t ignore_trust_anchor;
+ char *validity_adjusttime;
+ char *ta_name;
+ char *ta_serial;
+ uint32_t revocation;
+} KMF_POLICY_RECORD;
+
+
+/*
+ * Short cut for ocsp_info and etc.
+ */
+#define VAL_OCSP validation_info.ocsp_info
+
+#define VAL_OCSP_BASIC VAL_OCSP.basic
+#define VAL_OCSP_RESPONDER_URI VAL_OCSP_BASIC.responderURI
+#define VAL_OCSP_PROXY VAL_OCSP_BASIC.proxy
+#define VAL_OCSP_URI_FROM_CERT VAL_OCSP_BASIC.uri_from_cert
+#define VAL_OCSP_RESP_LIFETIME VAL_OCSP_BASIC.response_lifetime
+#define VAL_OCSP_IGNORE_RESP_SIGN VAL_OCSP_BASIC.ignore_response_sign
+
+#define VAL_OCSP_RESP_CERT VAL_OCSP.resp_cert
+#define VAL_OCSP_RESP_CERT_NAME VAL_OCSP_RESP_CERT.name
+#define VAL_OCSP_RESP_CERT_SERIAL VAL_OCSP_RESP_CERT.serial
+
+/*
+ * Short cut for crl_info and etc.
+ */
+#define VAL_CRL validation_info.crl_info
+#define VAL_CRL_BASEFILENAME validation_info.crl_info.basefilename
+#define VAL_CRL_DIRECTORY validation_info.crl_info.directory
+#define VAL_CRL_GET_URI validation_info.crl_info.get_crl_uri
+#define VAL_CRL_PROXY validation_info.crl_info.proxy
+#define VAL_CRL_IGNORE_SIGN validation_info.crl_info.ignore_crl_sign
+#define VAL_CRL_IGNORE_DATE validation_info.crl_info.ignore_crl_date
+
+/*
+ * Policy related constant definitions.
+ */
+#define KMF_POLICY_DTD "/usr/share/lib/xml/dtd/kmfpolicy.dtd"
+#define KMF_DEFAULT_POLICY_FILE "/etc/security/kmfpolicy.xml"
+
+#define KMF_DEFAULT_POLICY_NAME "default"
+
+#define KMF_POLICY_ROOT "kmf-policy-db"
+
+#define KULOWBIT 7
+#define KUHIGHBIT 15
+
+#define KMF_POLICY_ELEMENT "kmf-policy"
+#define KMF_POLICY_NAME_ATTR "name"
+#define KMF_OPTIONS_IGNORE_DATE_ATTR "ignore-date"
+#define KMF_OPTIONS_IGNORE_UNKNOWN_EKUS "ignore-unknown-eku"
+#define KMF_OPTIONS_IGNORE_TRUST_ANCHOR "ignore-trust-anchor"
+#define KMF_OPTIONS_VALIDITY_ADJUSTTIME "validity-adjusttime"
+#define KMF_POLICY_TA_NAME_ATTR "ta-name"
+#define KMF_POLICY_TA_SERIAL_ATTR "ta-serial"
+
+#define KMF_VALIDATION_METHODS_ELEMENT "validation-methods"
+
+#define KMF_OCSP_ELEMENT "ocsp"
+#define KMF_OCSP_BASIC_ELEMENT "ocsp-basic"
+#define KMF_OCSP_RESPONDER_ATTR "responder"
+#define KMF_OCSP_PROXY_ATTR "proxy"
+#define KMF_OCSP_URI_ATTR "uri-from-cert"
+#define KMF_OCSP_RESPONSE_LIFETIME_ATTR "response-lifetime"
+#define KMF_OCSP_IGNORE_SIGN_ATTR "ignore-response-sign"
+#define KMF_OCSP_RESPONDER_CERT_ELEMENT "responder-cert"
+
+#define KMF_CERT_NAME_ATTR "name"
+#define KMF_CERT_SERIAL_ATTR "serial"
+
+#define KMF_CRL_ELEMENT "crl"
+#define KMF_CRL_BASENAME_ATTR "basefilename"
+#define KMF_CRL_DIRECTORY_ATTR "directory"
+#define KMF_CRL_GET_URI_ATTR "get-crl-uri"
+#define KMF_CRL_PROXY_ATTR "proxy"
+#define KMF_CRL_IGNORE_SIGN_ATTR "ignore-crl-sign"
+#define KMF_CRL_IGNORE_DATE_ATTR "ignore-crl-date"
+
+#define KMF_KEY_USAGE_SET_ELEMENT "key-usage-set"
+#define KMF_KEY_USAGE_ELEMENT "key-usage"
+#define KMF_KEY_USAGE_USE_ATTR "use"
+
+#define KMF_EKU_ELEMENT "ext-key-usage"
+#define KMF_EKU_NAME_ELEMENT "eku-name"
+#define KMF_EKU_NAME_ATTR "name"
+#define KMF_EKU_OID_ELEMENT "eku-oid"
+#define KMF_EKU_OID_ATTR "oid"
+
+#define TMPFILE_TEMPLATE "policyXXXXXX"
+
+extern char *ku2str(uint32_t);
+extern uint32_t str2ku(char *);
+extern int parsePolicyElement(xmlNodePtr, KMF_POLICY_RECORD *);
+
+extern char *KMF_OID2EKUString(KMF_OID *);
+extern KMF_OID *kmf_ekuname2oid(char *);
+extern KMF_OID *kmf_string2oid(char *);
+
+extern KMF_RETURN KMF_GetPolicy(char *, char *, KMF_POLICY_RECORD *);
+extern KMF_RETURN KMF_AddPolicyToDB(KMF_POLICY_RECORD *, char *, boolean_t);
+extern KMF_RETURN KMF_DeletePolicyFromDB(char *, char *);
+extern KMF_RETURN KMF_VerifyPolicy(KMF_POLICY_RECORD *);
+
+extern void KMF_FreePolicyRecord(KMF_POLICY_RECORD *);
+extern void KMF_FreeEKUPolicy(KMF_EKU_POLICY *);
+
+#ifdef __cplusplus
+}
+#endif
+#endif /* _KMFPOLICY_H */
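Review bot: The policy record's validation-weakening switches — `ignore_response_sign` (L858), `ignore_crl_sign` and `ignore_crl_date` (L872-L873), and `ignore_date`, `ignore_unknown_ekus` and `ignore_trust_anchor` (L896-L898) — are declared without any comment on which check each one turns off, and the matching attribute strings (L948-L950, L963, L974-L975) carry the same bare names into the XML policy file at `KMF_DEFAULT_POLICY_FILE`, so neither a code reader nor an administrator editing that file gets guidance from this header. If the names mean what they say, add a one-line comment per flag naming the disabled check and its intended scope, e.g. above L872 `/* skip verifying the CRL's signature; for testing only */` and above L898 `/* accept a chain that does not end at a configured trust anchor */`. A header comment above L891 stating that every `ignore_*` member defaults to false when the attribute is absent would also pin the safe default, to be confirmed against `parsePolicyElement` (L991), whose implementation is outside this view. Minor: the struct closers at L851, L859, L865, L874, L879 and L884 are written `}KMF_...;` while the rest of the commit writes `} KMF_...;`.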
diff --git a/usr/src/lib/libkmf/include/kmftypes.h b/usr/src/lib/libkmf/include/kmftypes.h
new file mode 100644
index 0000000000..a5f71d30d9
--- /dev/null
+++ b/usr/src/lib/libkmf/include/kmftypes.h
@@ -0,0 +1,1363 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * File: kmftypes.h
+ *
+ * Copyright (c) 1995-2000 Intel Corporation. All rights reserved.
+ *
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#ifndef _KMFTYPES_H
+#define _KMFTYPES_H
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+#include <sys/types.h>
+#include <stdlib.h>
+#include <strings.h>
+#include <pthread.h>
+
+#include <security/cryptoki.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef uint32_t KMF_BOOL;
+
+#define KMF_FALSE (0)
+#define KMF_TRUE (1)
+
+/* KMF_HANDLE_T is a pointer to an incomplete C struct for type safety. */
+typedef struct _kmf_handle *KMF_HANDLE_T;
+
+/*
+ * KMF_DATA
+ * The KMF_DATA structure is used to associate a length, in bytes, with
+ * an arbitrary block of contiguous memory.
+ */
+typedef struct kmf_data
+{
+ size_t Length; /* in bytes */
+ uchar_t *Data;
+} KMF_DATA;
+
+typedef struct {
+ uchar_t *val;
+ size_t len;
+} KMF_BIGINT;
+
+/*
+ * KMF_OID
+ * The object identifier (OID) structure is used to hold a unique identifier for
+ * the atomic data fields and the compound substructure that comprise the fields
+ * of a certificate or CRL.
+ */
+typedef KMF_DATA KMF_OID;
+
+typedef struct kmf_x509_private {
+ int keystore_type;
+ int flags; /* see below */
+ char *label;
+#define KMF_FLAG_CERT_VALID 1 /* contains valid certificate */
+#define KMF_FLAG_CERT_SIGNED 2 /* this is a signed certificate */
+} KMF_X509_PRIVATE, KMF_X509_PRIVATE_PTR;
+
+/*
+ * KMF_X509_DER_CERT
+ * This structure associates packed DER certificate data.
+ * Also, it contains the private information internal used
+ * by KMF layer.
+ */
+typedef struct
+{
+ KMF_DATA certificate;
+ KMF_X509_PRIVATE kmf_private;
+} KMF_X509_DER_CERT;
+
+typedef enum {
+ KMF_KEYSTORE_NSS = 1,
+ KMF_KEYSTORE_OPENSSL = 2,
+ KMF_KEYSTORE_PK11TOKEN = 3,
+ KMF_KEYSTORE_DEFAULT /* based on configuration */
+} KMF_KEYSTORE_TYPE;
+
+#define VALID_KEYSTORE_TYPE(t) ((t >= KMF_KEYSTORE_NSS) &&\
+ (t <= KMF_KEYSTORE_PK11TOKEN))
+
+typedef enum {
+ KMF_FORMAT_UNDEF = 0,
+ KMF_FORMAT_ASN1 = 1, /* DER */
+ KMF_FORMAT_PEM = 2,
+ KMF_FORMAT_PKCS12 = 3,
+ KMF_FORMAT_RAWKEY = 4 /* For FindKey operation */
+} KMF_ENCODE_FORMAT;
+
+typedef enum {
+ KMF_ALL_CERTS = 0,
+ KMF_NONEXPIRED_CERTS = 1,
+ KMF_EXPIRED_CERTS = 2
+} KMF_CERT_VALIDITY;
+
+typedef enum {
+ KMF_KU_SIGN_CERT = 0,
+ KMF_KU_SIGN_DATA = 1,
+ KMF_KU_ENCRYPT_DATA = 2
+} KMF_KU_PURPOSE;
+
+
+/* Keystore Configuration */
+typedef struct {
+ char *configdir;
+ char *certPrefix;
+ char *keyPrefix;
+ char *secModName;
+} KMF_NSS_CONFIG;
+
+typedef struct {
+ char *label;
+ boolean_t readonly;
+} KMF_PKCS11_CONFIG;
+
+typedef struct {
+ KMF_KEYSTORE_TYPE kstype;
+ union {
+ KMF_NSS_CONFIG nss_conf;
+ KMF_PKCS11_CONFIG pkcs11_conf;
+ } ks_config_u;
+} KMF_CONFIG_PARAMS;
+
+#define nssconfig ks_config_u.nss_conf
+#define pkcs11config ks_config_u.pkcs11_conf
+
+/*
+ * Generic credential structure used by other structures below
+ * to convey authentication information to the underlying
+ * mechanisms.
+ */
+typedef struct {
+ char *cred;
+ uint32_t credlen;
+} KMF_CREDENTIAL;
+
+typedef struct
+{
+ char *trustflag;
+ char *slotlabel; /* "internal" by default */
+ int issuerId;
+ int subjectId;
+ char *crlfile; /* for ImportCRL */
+ boolean_t crl_check; /* for ImportCRL */
+
+ /*
+ * crl_subjName and crl_issuerName are used as the CRL deletion
+ * criteria. One should be non-NULL and the other one should be NULL.
+ * If crl_subjName is not NULL, then delete CRL by the subject name.
+ * Othewise, delete by the issuer name.
+ */
+ char *crl_subjName;
+ char *crl_issuerName;
+} KMF_NSS_PARAMS;
+
+typedef struct {
+ char *dirpath;
+ char *certfile;
+ char *crlfile;
+ char *keyfile;
+ char *outcrlfile;
+ boolean_t crl_check; /* CRL import check; default is true */
+ KMF_ENCODE_FORMAT format; /* output file format */
+} KMF_OPENSSL_PARAMS;
+
+typedef struct {
+ boolean_t private; /* for finding CKA_PRIVATE objects */
+ boolean_t sensitive;
+ boolean_t not_extractable;
+} KMF_PKCS11_PARAMS;
+
+typedef struct {
+ KMF_KEYSTORE_TYPE kstype;
+ char *certLabel;
+ char *issuer;
+ char *subject;
+ char *idstr;
+ KMF_BIGINT *serial;
+ KMF_CERT_VALIDITY find_cert_validity;
+
+ union {
+ KMF_NSS_PARAMS nss_opts;
+ KMF_OPENSSL_PARAMS openssl_opts;
+ KMF_PKCS11_PARAMS pkcs11_opts;
+ } ks_opt_u;
+} KMF_FINDCERT_PARAMS, KMF_DELETECERT_PARAMS;
+
+typedef struct {
+ KMF_KEYSTORE_TYPE kstype;
+ char *certLabel;
+ char *issuer;
+ char *subject;
+ char *idstr;
+ KMF_BIGINT *serial;
+ KMF_DATA *ocsp_response;
+
+ union {
+ KMF_NSS_PARAMS nss_opts;
+ KMF_OPENSSL_PARAMS openssl_opts;
+ KMF_PKCS11_PARAMS pkcs11_opts;
+ } ks_opt_u;
+} KMF_VALIDATECERT_PARAMS;
+
+typedef enum {
+ KMF_KEYALG_NONE = 0,
+ KMF_RSA = 1,
+ KMF_DSA = 2,
+ KMF_AES = 3,
+ KMF_RC4 = 4,
+ KMF_DES = 5,
+ KMF_DES3 = 6
+}KMF_KEY_ALG;
+
+typedef enum {
+ KMF_KEYCLASS_NONE = 0,
+ KMF_ASYM_PUB = 1, /* public key of an asymmetric keypair */
+ KMF_ASYM_PRI = 2, /* private key of an asymmetric keypair */
+ KMF_SYMMETRIC = 3 /* symmetric key */
+}KMF_KEY_CLASS;
+
+typedef struct {
+ KMF_KEYSTORE_TYPE kstype;
+ KMF_CREDENTIAL cred;
+ KMF_KEY_CLASS keyclass;
+ KMF_KEY_ALG keytype;
+ KMF_ENCODE_FORMAT format; /* for key */
+ char *findLabel;
+ char *idstr;
+ union {
+ KMF_NSS_PARAMS nss_opts;
+ KMF_OPENSSL_PARAMS openssl_opts;
+ KMF_PKCS11_PARAMS pkcs11_opts;
+ } ks_opt_u;
+} KMF_FINDKEY_PARAMS;
+
+typedef struct {
+ KMF_KEYSTORE_TYPE kstype; /* all */
+ char *certLabel;
+
+ union {
+ KMF_NSS_PARAMS nss_opts;
+ KMF_OPENSSL_PARAMS openssl_opts;
+ } ks_opt_u;
+} KMF_STORECERT_PARAMS;
+
+typedef struct {
+ KMF_KEYSTORE_TYPE kstype;
+ KMF_CREDENTIAL cred;
+ KMF_DATA *certificate;
+ char *label;
+ union {
+ KMF_NSS_PARAMS nss_opts;
+ KMF_OPENSSL_PARAMS openssl_opts;
+ } ks_opt_u;
+} KMF_STOREKEY_PARAMS;
+
+typedef struct {
+ KMF_KEYSTORE_TYPE kstype;
+ KMF_CREDENTIAL cred;
+ union {
+ KMF_NSS_PARAMS nss_opts;
+ } ks_opt_u;
+} KMF_DELETEKEY_PARAMS;
+
+typedef struct {
+ KMF_KEYSTORE_TYPE kstype;
+ char *certfile;
+ char *certLabel;
+
+ union {
+ KMF_NSS_PARAMS nss_opts;
+ } ks_opt_u;
+} KMF_IMPORTCERT_PARAMS;
+
+typedef enum {
+ KMF_CERT = 0,
+ KMF_CSR = 1,
+ KMF_CRL = 2
+}KMF_OBJECT_TYPE;
+
+typedef struct {
+ KMF_KEYSTORE_TYPE kstype;
+ KMF_KEY_ALG keytype;
+ uint32_t keylength;
+ char *keylabel;
+ KMF_CREDENTIAL cred;
+ KMF_BIGINT rsa_exponent;
+ union {
+ KMF_NSS_PARAMS nss_opts;
+ KMF_OPENSSL_PARAMS openssl_opts;
+ }ks_opt_u;
+} KMF_CREATEKEYPAIR_PARAMS;
+
+typedef struct {
+ KMF_KEYSTORE_TYPE kstype;
+ union {
+ KMF_NSS_PARAMS nss_opts;
+ KMF_OPENSSL_PARAMS openssl_opts;
+ } ks_opt_u;
+} KMF_IMPORTCRL_PARAMS;
+
+typedef struct {
+ KMF_KEYSTORE_TYPE kstype;
+ union {
+ KMF_NSS_PARAMS nss_opts;
+ KMF_OPENSSL_PARAMS openssl_opts;
+ } ks_opt_u;
+} KMF_DELETECRL_PARAMS;
+
+typedef struct {
+ KMF_KEYSTORE_TYPE kstype;
+ union {
+ KMF_NSS_PARAMS nss_opts;
+ KMF_OPENSSL_PARAMS openssl_opts;
+ } ks_opt_u;
+} KMF_LISTCRL_PARAMS;
+
+typedef struct {
+ KMF_KEYSTORE_TYPE kstype;
+ union {
+ KMF_NSS_PARAMS nss_opts;
+ } ks_opt_u;
+} KMF_FINDCRL_PARAMS;
+
+typedef struct {
+ KMF_KEYSTORE_TYPE kstype;
+ char *certLabel;
+
+ union {
+ KMF_NSS_PARAMS nss_opts;
+ KMF_OPENSSL_PARAMS openssl_opts;
+ } ks_opt_u;
+} KMF_FINDCERTINCRL_PARAMS;
+
+typedef struct {
+ char *crl_name;
+ KMF_DATA *tacert;
+} KMF_VERIFYCRL_PARAMS;
+
+typedef struct {
+ KMF_KEYSTORE_TYPE kstype;
+ KMF_CREDENTIAL cred;
+ KMF_ENCODE_FORMAT format; /* for key */
+ char *certLabel;
+ union {
+ KMF_NSS_PARAMS nss_opts;
+ KMF_OPENSSL_PARAMS openssl_opts;
+ }ks_opt_u;
+} KMF_CRYPTOWITHCERT_PARAMS;
+
+typedef struct {
+ char *crl_name;
+} KMF_CHECKCRLDATE_PARAMS;
+
+typedef struct {
+ CK_SLOT_ID slot;
+} pk11_setpin_opts;
+
+typedef struct {
+ KMF_KEYSTORE_TYPE kstype;
+ char *tokenname;
+ KMF_CREDENTIAL cred; /* current token PIN */
+ union {
+ KMF_NSS_PARAMS nss_opts;
+ pk11_setpin_opts pkcs11_opts;
+ }ks_opt_u;
+} KMF_SETPIN_PARAMS;
+
+typedef struct {
+ KMF_BIGINT mod;
+ KMF_BIGINT pubexp;
+ KMF_BIGINT priexp;
+ KMF_BIGINT prime1;
+ KMF_BIGINT prime2;
+ KMF_BIGINT exp1;
+ KMF_BIGINT exp2;
+ KMF_BIGINT coef;
+} KMF_RAW_RSA_KEY;
+
+typedef struct {
+ KMF_BIGINT prime;
+ KMF_BIGINT subprime;
+ KMF_BIGINT base;
+ KMF_BIGINT value;
+} KMF_RAW_DSA_KEY;
+
+typedef struct {
+ KMF_BIGINT keydata;
+} KMF_RAW_SYM_KEY;
+
+typedef struct {
+ KMF_KEY_ALG keytype;
+ union {
+ KMF_RAW_RSA_KEY rsa;
+ KMF_RAW_DSA_KEY dsa;
+ KMF_RAW_SYM_KEY sym;
+ }rawdata;
+} KMF_RAW_KEY_DATA;
+
+typedef struct {
+ KMF_KEYSTORE_TYPE kstype;
+ char *certLabel;
+ char *issuer;
+ char *subject;
+ char *idstr;
+ KMF_BIGINT *serial;
+ KMF_CREDENTIAL cred; /* cred for accessing the token */
+ KMF_CREDENTIAL p12cred; /* cred used for securing the file */
+
+ union {
+ KMF_NSS_PARAMS nss_opts;
+ KMF_OPENSSL_PARAMS openssl_opts;
+ }ks_opt_u;
+} KMF_EXPORTP12_PARAMS;
+
+typedef struct {
+ KMF_KEYSTORE_TYPE kstype;
+ KMF_KEY_ALG keytype;
+ uint32_t keylength;
+ char *keylabel;
+ KMF_CREDENTIAL cred;
+ union {
+ KMF_NSS_PARAMS nss_opts;
+ KMF_OPENSSL_PARAMS openssl_opts;
+ KMF_PKCS11_PARAMS pkcs11_opts;
+ }ks_opt_u;
+} KMF_CREATESYMKEY_PARAMS;
+
+/* Data structures for OCSP support */
+typedef struct {
+ KMF_DATA *issuer_cert;
+ KMF_DATA *user_cert;
+} KMF_OCSPREQUEST_PARAMS;
+
+typedef struct {
+ KMF_DATA *response;
+ KMF_DATA *issuer_cert;
+ KMF_DATA *user_cert;
+ KMF_DATA *signer_cert; /* can be NULL */
+ boolean_t ignore_response_sign; /* default is FALSE */
+ uint32_t response_lifetime; /* in seconds */
+} KMF_OCSPRESPONSE_PARAMS_INPUT;
+
+typedef enum {
+ OCSP_GOOD = 0,
+ OCSP_REVOKED = 1,
+ OCSP_UNKNOWN = 2
+} KMF_OCSP_CERT_STATUS;
+
+typedef struct {
+ int response_status;
+ int reason; /* if revoked */
+ KMF_OCSP_CERT_STATUS cert_status;
+} KMF_OCSPRESPONSE_PARAMS_OUTPUT;
+
+#define nssparms ks_opt_u.nss_opts
+#define sslparms ks_opt_u.openssl_opts
+#define pkcs11parms ks_opt_u.pkcs11_opts
+
+typedef struct {
+ KMF_KEYSTORE_TYPE kstype;
+ KMF_KEY_ALG keyalg;
+ KMF_KEY_CLASS keyclass;
+ boolean_t israw;
+ char *keylabel;
+ void *keyp;
+} KMF_KEY_HANDLE;
+
+typedef struct {
+ KMF_KEYSTORE_TYPE kstype;
+ uint32_t errcode;
+} KMF_ERROR;
+
+/*
+ * Typenames to use with subjectAltName
+ */
+typedef enum {
+ GENNAME_OTHERNAME = 0x00,
+ GENNAME_RFC822NAME,
+ GENNAME_DNSNAME,
+ GENNAME_X400ADDRESS,
+ GENNAME_DIRECTORYNAME,
+ GENNAME_EDIPARTYNAME,
+ GENNAME_URI,
+ GENNAME_IPADDRESS,
+ GENNAME_REGISTEREDID
+} KMF_GENERALNAMECHOICES;
+
+/*
+ * KMF_FIELD
+ * This structure contains the OID/value pair for any item that can be
+ * identified by an OID.
+ */
+typedef struct
+{
+ KMF_OID FieldOid;
+ KMF_DATA FieldValue;
+} KMF_FIELD;
+
+typedef enum {
+ KMF_OK = 0x00,
+ KMF_ERR_BAD_PARAMETER = 0x01,
+ KMF_ERR_BAD_KEY_FORMAT = 0x02,
+ KMF_ERR_BAD_ALGORITHM = 0x03,
+ KMF_ERR_MEMORY = 0x04,
+ KMF_ERR_ENCODING = 0x05,
+ KMF_ERR_PLUGIN_INIT = 0x06,
+ KMF_ERR_PLUGIN_NOTFOUND = 0x07,
+ KMF_ERR_INTERNAL = 0x0b,
+ KMF_ERR_BAD_CERT_FORMAT = 0x0c,
+ KMF_ERR_KEYGEN_FAILED = 0x0d,
+ KMF_ERR_UNINITIALIZED = 0x10,
+ KMF_ERR_ISSUER = 0x11,
+ KMF_ERR_NOT_REVOKED = 0x12,
+ KMF_ERR_CERT_NOT_FOUND = 0x13,
+ KMF_ERR_CRL_NOT_FOUND = 0x14,
+ KMF_ERR_RDN_PARSER = 0x15,
+ KMF_ERR_RDN_ATTR = 0x16,
+ KMF_ERR_SLOTNAME = 0x17,
+ KMF_ERR_EMPTY_CRL = 0x18,
+ KMF_ERR_BUFFER_SIZE = 0x19,
+ KMF_ERR_AUTH_FAILED = 0x1a,
+ KMF_ERR_TOKEN_SELECTED = 0x1b,
+ KMF_ERR_NO_TOKEN_SELECTED = 0x1c,
+ KMF_ERR_TOKEN_NOT_PRESENT = 0x1d,
+ KMF_ERR_EXTENSION_NOT_FOUND = 0x1e,
+ KMF_ERR_POLICY_ENGINE = 0x1f,
+ KMF_ERR_POLICY_DB_FORMAT = 0x20,
+ KMF_ERR_POLICY_NOT_FOUND = 0x21,
+ KMF_ERR_POLICY_DB_FILE = 0x22,
+ KMF_ERR_POLICY_NAME = 0x23,
+ KMF_ERR_OCSP_POLICY = 0x24,
+ KMF_ERR_TA_POLICY = 0x25,
+ KMF_ERR_KEY_NOT_FOUND = 0x26,
+ KMF_ERR_OPEN_FILE = 0x27,
+ KMF_ERR_OCSP_BAD_ISSUER = 0x28,
+ KMF_ERR_OCSP_BAD_CERT = 0x29,
+ KMF_ERR_OCSP_CREATE_REQUEST = 0x2a,
+ KMF_ERR_CONNECT_SERVER = 0x2b,
+ KMF_ERR_SEND_REQUEST = 0x2c,
+ KMF_ERR_OCSP_CERTID = 0x2d,
+ KMF_ERR_OCSP_MALFORMED_RESPONSE = 0x2e,
+ KMF_ERR_OCSP_RESPONSE_STATUS = 0x2f,
+ KMF_ERR_OCSP_NO_BASIC_RESPONSE = 0x30,
+ KMF_ERR_OCSP_BAD_SIGNER = 0x31,
+ KMF_ERR_OCSP_RESPONSE_SIGNATURE = 0x32,
+ KMF_ERR_OCSP_UNKNOWN_CERT = 0x33,
+ KMF_ERR_OCSP_STATUS_TIME_INVALID = 0x34,
+ KMF_ERR_BAD_HTTP_RESPONSE = 0x35,
+ KMF_ERR_RECV_RESPONSE = 0x36,
+ KMF_ERR_RECV_TIMEOUT = 0x37,
+ KMF_ERR_DUPLICATE_KEYFILE = 0x38,
+ KMF_ERR_AMBIGUOUS_PATHNAME = 0x39,
+ KMF_ERR_FUNCTION_NOT_FOUND = 0x3a,
+ KMF_ERR_PKCS12_FORMAT = 0x3b,
+ KMF_ERR_BAD_KEY_TYPE = 0x3c,
+ KMF_ERR_BAD_KEY_CLASS = 0x3d,
+ KMF_ERR_BAD_KEY_SIZE = 0x3e,
+ KMF_ERR_BAD_HEX_STRING = 0x3f,
+ KMF_ERR_KEYUSAGE = 0x40,
+ KMF_ERR_VALIDITY_PERIOD = 0x41,
+ KMF_ERR_OCSP_REVOKED = 0x42,
+ KMF_ERR_CERT_MULTIPLE_FOUND = 0x43,
+ KMF_ERR_WRITE_FILE = 0x44,
+ KMF_ERR_BAD_URI = 0x45,
+ KMF_ERR_BAD_CRLFILE = 0x46,
+ KMF_ERR_BAD_CERTFILE = 0x47,
+ KMF_ERR_GETKEYVALUE_FAILED = 0x48,
+ KMF_ERR_BAD_KEYHANDLE = 0x49,
+ KMF_ERR_BAD_OBJECT_TYPE = 0x4a,
+ KMF_ERR_OCSP_RESPONSE_LIFETIME = 0x4b,
+ KMF_ERR_UNKNOWN_CSR_ATTRIBUTE = 0x4c,
+ KMF_ERR_UNINITIALIZED_TOKEN = 0x4d,
+ KMF_ERR_INCOMPLETE_TBS_CERT = 0x4e,
+ KMF_ERR_MISSING_ERRCODE = 0x4f,
+ KMF_KEYSTORE_ALREADY_INITIALIZED = 0x50
+} KMF_RETURN;
+
+typedef enum {
+ OCSP_SUCCESS = 0,
+ OCSP_MALFORMED_REQUEST = 1,
+ OCSP_INTERNAL_ERROR = 2,
+ OCSP_TRYLATER = 3,
+ OCSP_SIGREQUIRED = 4,
+ OCSP_UNAUTHORIZED = 5
+} KMF_OCSP_RESPONSE_STATUS;
+
+typedef enum {
+ OCSP_NOSTATUS = -1,
+ OCSP_UNSPECIFIED = 0,
+ OCSP_KEYCOMPROMISE = 1,
+ OCSP_CACOMPROMISE = 2,
+ OCSP_AFFILIATIONCHANGE = 3,
+ OCSP_SUPERCEDED = 4,
+ OCSP_CESSATIONOFOPERATION = 5,
+ OCSP_CERTIFICATEHOLD = 6,
+ OCSP_REMOVEFROMCRL = 7
+} KMF_OCSP_REVOKED_STATUS;
+
+typedef enum {
+ KMF_ALGCLASS_NONE = 0,
+ KMF_ALGCLASS_CUSTOM,
+ KMF_ALGCLASS_SIGNATURE,
+ KMF_ALGCLASS_SYMMETRIC,
+ KMF_ALGCLASS_DIGEST,
+ KMF_ALGCLASS_RANDOMGEN,
+ KMF_ALGCLASS_UNIQUEGEN,
+ KMF_ALGCLASS_MAC,
+ KMF_ALGCLASS_ASYMMETRIC,
+ KMF_ALGCLASS_KEYGEN,
+ KMF_ALGCLASS_DERIVEKEY
+} KMF_ALGCLASS;
+
+/*
+ * Algorithms
+ * This type defines a set of constants used to identify cryptographic
+ * algorithms.
+ */
+typedef enum {
+ KMF_ALGID_NONE = 0,
+ KMF_ALGID_CUSTOM,
+ KMF_ALGID_SHA1,
+ KMF_ALGID_RSA,
+ KMF_ALGID_DSA,
+ KMF_ALGID_MD5WithRSA,
+ KMF_ALGID_MD2WithRSA,
+ KMF_ALGID_SHA1WithRSA,
+ KMF_ALGID_SHA1WithDSA
+} KMF_ALGORITHM_INDEX;
+
+typedef enum {
+ KMF_CERT_ISSUER = 1,
+ KMF_CERT_SUBJECT,
+ KMF_CERT_VERSION,
+ KMF_CERT_SERIALNUM,
+ KMF_CERT_NOTBEFORE,
+ KMF_CERT_NOTAFTER,
+ KMF_CERT_PUBKEY_ALG,
+ KMF_CERT_SIGNATURE_ALG,
+ KMF_CERT_EMAIL,
+ KMF_CERT_PUBKEY_DATA,
+ KMF_X509_EXT_PRIV_KEY_USAGE_PERIOD,
+ KMF_X509_EXT_CERT_POLICIES,
+ KMF_X509_EXT_SUBJ_ALTNAME,
+ KMF_X509_EXT_ISSUER_ALTNAME,
+ KMF_X509_EXT_BASIC_CONSTRAINTS,
+ KMF_X509_EXT_NAME_CONSTRAINTS,
+ KMF_X509_EXT_POLICY_CONSTRAINTS,
+ KMF_X509_EXT_EXT_KEY_USAGE,
+ KMF_X509_EXT_INHIBIT_ANY_POLICY,
+ KMF_X509_EXT_AUTH_KEY_ID,
+ KMF_X509_EXT_SUBJ_KEY_ID,
+ KMF_X509_EXT_POLICY_MAPPINGS,
+ KMF_X509_EXT_CRL_DIST_POINTS,
+ KMF_X509_EXT_FRESHEST_CRL,
+ KMF_X509_EXT_KEY_USAGE
+} KMF_PRINTABLE_ITEM;
+
+/*
+ * KMF_X509_ALGORITHM_IDENTIFIER
+ * This structure holds an object identifier naming a
+ * cryptographic algorithm and an optional set of
+ * parameters to be used as input to that algorithm.
+ */
+typedef struct
+{
+ KMF_OID algorithm;
+ KMF_DATA parameters;
+} KMF_X509_ALGORITHM_IDENTIFIER;
+
+/*
+ * KMF_X509_TYPE_VALUE_PAIR
+ * This structure contain an type-value pair.
+ */
+typedef struct
+{
+ KMF_OID type;
+ uint8_t valueType; /* The Tag to use when BER encoded */
+ KMF_DATA value;
+} KMF_X509_TYPE_VALUE_PAIR;
+
+
+/*
+ * KMF_X509_RDN
+ * This structure contains a Relative Distinguished Name
+ * composed of an ordered set of type-value pairs.
+ */
+typedef struct
+{
+ uint32_t numberOfPairs;
+ KMF_X509_TYPE_VALUE_PAIR *AttributeTypeAndValue;
+} KMF_X509_RDN;
+
+/*
+ * KMF_X509_NAME
+ * This structure contains a set of Relative Distinguished Names.
+ */
+typedef struct
+{
+ uint32_t numberOfRDNs;
+ KMF_X509_RDN *RelativeDistinguishedName;
+} KMF_X509_NAME;
+
+/*
+ * KMF_X509_SPKI
+ * This structure contains the public key and the
+ * description of the verification algorithm
+ * appropriate for use with this key.
+ */
+typedef struct
+{
+ KMF_X509_ALGORITHM_IDENTIFIER algorithm;
+ KMF_DATA subjectPublicKey;
+} KMF_X509_SPKI;
+
+/*
+ * KMF_X509_TIME
+ * Time is represented as a string according to the
+ * definitions of GeneralizedTime and UTCTime
+ * defined in RFC 2459.
+ */
+typedef struct
+{
+ uint8_t timeType;
+ KMF_DATA time;
+} KMF_X509_TIME;
+
+/*
+ * KMF_X509_VALIDITY
+ */
+typedef struct
+{
+ KMF_X509_TIME notBefore;
+ KMF_X509_TIME notAfter;
+} KMF_X509_VALIDITY;
+
+/*
+ * KMF_X509EXT_BASICCONSTRAINTS
+ */
+typedef struct
+{
+ KMF_BOOL cA;
+ KMF_BOOL pathLenConstraintPresent;
+ uint32_t pathLenConstraint;
+} KMF_X509EXT_BASICCONSTRAINTS;
+
+/*
+ * KMF_X509EXT_DATA_FORMAT
+ * This list defines the valid formats for a certificate extension.
+ */
+typedef enum
+{
+ KMF_X509_DATAFORMAT_ENCODED = 0,
+ KMF_X509_DATAFORMAT_PARSED,
+ KMF_X509_DATAFORMAT_PAIR
+} KMF_X509EXT_DATA_FORMAT;
+
+
+/*
+ * KMF_X509EXT_TAGandVALUE
+ * This structure contains a BER/DER encoded
+ * extension value and the type of that value.
+ */
+typedef struct
+{
+ uint8_t type;
+ KMF_DATA value;
+} KMF_X509EXT_TAGandVALUE;
+
+
+/*
+ * KMF_X509EXT_PAIR
+ * This structure aggregates two extension representations:
+ * a tag and value, and a parsed X509 extension representation.
+ */
+typedef struct
+{
+ KMF_X509EXT_TAGandVALUE tagAndValue;
+ void *parsedValue;
+} KMF_X509EXT_PAIR;
+
+/*
+ * KMF_X509_EXTENSION
+ * This structure contains a complete certificate extension.
+ */
+typedef struct
+{
+ KMF_OID extnId;
+ KMF_BOOL critical;
+ KMF_X509EXT_DATA_FORMAT format;
+ union
+ {
+ KMF_X509EXT_TAGandVALUE *tagAndValue;
+ void *parsedValue;
+ KMF_X509EXT_PAIR *valuePair;
+ } value;
+ KMF_DATA BERvalue;
+} KMF_X509_EXTENSION;
+
+
+/*
+ * KMF_X509_EXTENSIONS
+ * This structure contains the set of all certificate
+ * extensions contained in a certificate.
+ */
+typedef struct
+{
+ uint32_t numberOfExtensions;
+ KMF_X509_EXTENSION *extensions;
+} KMF_X509_EXTENSIONS;
+
+/*
+ * KMF_X509_TBS_CERT
+ * This structure contains a complete X.509 certificate.
+ */
+typedef struct
+{
+ KMF_DATA version;
+ KMF_BIGINT serialNumber;
+ KMF_X509_ALGORITHM_IDENTIFIER signature;
+ KMF_X509_NAME issuer;
+ KMF_X509_VALIDITY validity;
+ KMF_X509_NAME subject;
+ KMF_X509_SPKI subjectPublicKeyInfo;
+ KMF_DATA issuerUniqueIdentifier;
+ KMF_DATA subjectUniqueIdentifier;
+ KMF_X509_EXTENSIONS extensions;
+} KMF_X509_TBS_CERT;
+
+/*
+ * KMF_X509_SIGNATURE
+ * This structure contains a cryptographic digital signature.
+ */
+typedef struct
+{
+ KMF_X509_ALGORITHM_IDENTIFIER algorithmIdentifier;
+ KMF_DATA encrypted;
+} KMF_X509_SIGNATURE;
+
+/*
+ * KMF_X509_CERTIFICATE
+ * This structure associates a set of decoded certificate
+ * values with the signature covering those values.
+ */
+typedef struct
+{
+ KMF_X509_TBS_CERT certificate;
+ KMF_X509_SIGNATURE signature;
+} KMF_X509_CERTIFICATE;
+
+#define CERT_ALG_OID(c) &c->certificate.signature.algorithm
+#define CERT_SIG_OID(c) &c->signature.algorithmIdentifier.algorithm
+
+/*
+ * KMF_TBS_CSR
+ * This structure contains a complete PKCS#10 certificate request
+ */
+typedef struct
+{
+ KMF_DATA version;
+ KMF_X509_NAME subject;
+ KMF_X509_SPKI subjectPublicKeyInfo;
+ KMF_X509_EXTENSIONS extensions;
+} KMF_TBS_CSR;
+
+/*
+ * KMF_CSR_DATA
+ * This structure contains a complete PKCS#10 certificate signed request
+ */
+typedef struct
+{
+ KMF_TBS_CSR csr;
+ KMF_X509_SIGNATURE signature;
+} KMF_CSR_DATA;
+
+/*
+ * KMF_X509EXT_POLICYQUALIFIERINFO
+ */
+typedef struct
+{
+ KMF_OID policyQualifierId;
+ KMF_DATA value;
+} KMF_X509EXT_POLICYQUALIFIERINFO;
+
+/*
+ * KMF_X509EXT_POLICYQUALIFIERS
+ */
+typedef struct
+{
+ uint32_t numberOfPolicyQualifiers;
+ KMF_X509EXT_POLICYQUALIFIERINFO *policyQualifier;
+} KMF_X509EXT_POLICYQUALIFIERS;
+
+/*
+ * KMF_X509EXT_POLICYINFO
+ */
+typedef struct
+{
+ KMF_OID policyIdentifier;
+ KMF_X509EXT_POLICYQUALIFIERS policyQualifiers;
+} KMF_X509EXT_POLICYINFO;
+
+typedef struct
+{
+ uint32_t numberOfPolicyInfo;
+ KMF_X509EXT_POLICYINFO *policyInfo;
+} KMF_X509EXT_CERT_POLICIES;
+
+typedef struct
+{
+ uchar_t critical;
+ uint16_t KeyUsageBits;
+} KMF_X509EXT_KEY_USAGE;
+
+typedef struct
+{
+ uchar_t critical;
+ uint16_t nEKUs;
+ KMF_OID *keyPurposeIdList;
+} KMF_X509EXT_EKU;
+
+
+/*
+ * X509 AuthorityInfoAccess extension
+ */
+typedef struct
+{
+ KMF_OID AccessMethod;
+ KMF_DATA AccessLocation;
+} KMF_X509EXT_ACCESSDESC;
+
+typedef struct
+{
+ uint32_t numberOfAccessDescription;
+ KMF_X509EXT_ACCESSDESC *AccessDesc;
+} KMF_X509EXT_AUTHINFOACCESS;
+
+
+/*
+ * X509 Crl Distribution Point extension
+ */
+typedef struct {
+ KMF_GENERALNAMECHOICES choice;
+ KMF_DATA name;
+} KMF_GENERALNAME;
+
+typedef struct {
+ uint32_t number;
+ KMF_GENERALNAME *namelist;
+} KMF_GENERALNAMES;
+
+typedef enum {
+ DP_GENERAL_NAME = 1,
+ DP_RELATIVE_NAME = 2
+} KMF_CRL_DIST_POINT_TYPE;
+
+typedef struct {
+ KMF_CRL_DIST_POINT_TYPE type;
+ union {
+ KMF_GENERALNAMES full_name;
+ KMF_DATA relative_name;
+ } name;
+ KMF_DATA reasons;
+ KMF_GENERALNAMES crl_issuer;
+} KMF_CRL_DIST_POINT;
+
+typedef struct {
+ uint32_t number;
+ KMF_CRL_DIST_POINT *dplist;
+} KMF_X509EXT_CRLDISTPOINTS;
+
+
+/*
+ * Definitions for common X.509v3 certificate attribute OIDs
+ */
+#define OID_ISO_MEMBER 42 /* Also in PKCS */
+#define OID_US OID_ISO_MEMBER, 134, 72 /* Also in PKCS */
+#define OID_CA OID_ISO_MEMBER, 124
+
+#define OID_ISO_IDENTIFIED_ORG 43
+#define OID_OSINET OID_ISO_IDENTIFIED_ORG, 4
+#define OID_GOSIP OID_ISO_IDENTIFIED_ORG, 5
+#define OID_DOD OID_ISO_IDENTIFIED_ORG, 6
+#define OID_OIW OID_ISO_IDENTIFIED_ORG, 14 /* Also in x9.57 */
+
+#define OID_ISO_CCITT_DIR_SERVICE 85
+#define OID_ISO_CCITT_COUNTRY 96
+#define OID_COUNTRY_US OID_ISO_CCITT_COUNTRY, 134, 72
+#define OID_COUNTRY_CA OID_ISO_CCITT_COUNTRY, 124
+#define OID_COUNTRY_US_ORG OID_COUNTRY_US, 1
+#define OID_COUNTRY_US_MHS_MD OID_COUNTRY_US, 2
+#define OID_COUNTRY_US_STATE OID_COUNTRY_US, 3
+
+/* From the PKCS Standards */
+#define OID_ISO_MEMBER_LENGTH 1
+#define OID_US_LENGTH (OID_ISO_MEMBER_LENGTH + 2)
+
+#define OID_RSA OID_US, 134, 247, 13
+#define OID_RSA_LENGTH (OID_US_LENGTH + 3)
+
+#define OID_RSA_HASH OID_RSA, 2
+#define OID_RSA_HASH_LENGTH (OID_RSA_LENGTH + 1)
+
+#define OID_RSA_ENCRYPT OID_RSA, 3
+#define OID_RSA_ENCRYPT_LENGTH (OID_RSA_LENGTH + 1)
+
+#define OID_PKCS OID_RSA, 1
+#define OID_PKCS_LENGTH (OID_RSA_LENGTH + 1)
+
+#define OID_PKCS_1 OID_PKCS, 1
+#define OID_PKCS_1_LENGTH (OID_PKCS_LENGTH + 1)
+
+#define OID_PKCS_2 OID_PKCS, 2
+#define OID_PKCS_3 OID_PKCS, 3
+#define OID_PKCS_3_LENGTH (OID_PKCS_LENGTH + 1)
+
+#define OID_PKCS_4 OID_PKCS, 4
+#define OID_PKCS_5 OID_PKCS, 5
+#define OID_PKCS_5_LENGTH (OID_PKCS_LENGTH + 1)
+#define OID_PKCS_6 OID_PKCS, 6
+#define OID_PKCS_7 OID_PKCS, 7
+#define OID_PKCS_7_LENGTH (OID_PKCS_LENGTH + 1)
+
+#define OID_PKCS_7_Data OID_PKCS_7, 1
+#define OID_PKCS_7_SignedData OID_PKCS_7, 2
+#define OID_PKCS_7_EnvelopedData OID_PKCS_7, 3
+#define OID_PKCS_7_SignedAndEnvelopedData OID_PKCS_7, 4
+#define OID_PKCS_7_DigestedData OID_PKCS_7, 5
+#define OID_PKCS_7_EncryptedData OID_PKCS_7, 6
+
+#define OID_PKCS_8 OID_PKCS, 8
+#define OID_PKCS_9 OID_PKCS, 9
+#define OID_PKCS_9_LENGTH (OID_PKCS_LENGTH + 1)
+
+#define OID_PKCS_9_CONTENT_TYPE OID_PKCS_9, 3
+#define OID_PKCS_9_MESSAGE_DIGEST OID_PKCS_9, 4
+#define OID_PKCS_9_SIGNING_TIME OID_PKCS_9, 5
+#define OID_PKCS_9_COUNTER_SIGNATURE OID_PKCS_9, 6
+#define OID_PKCS_9_EXTENSION_REQUEST OID_PKCS_9, 14
+
+#define OID_PKCS_10 OID_PKCS, 10
+
+#define OID_PKCS_12 OID_PKCS, 12
+#define OID_PKCS_12_LENGTH (OID_PKCS_LENGTH + 1)
+
+#define PBEWithSHAAnd128BitRC4 OID_PKCS_12, 1, 1
+#define PBEWithSHAAnd40BitRC4 OID_PKCS_12, 1, 2
+#define PBEWithSHAAnd3KeyTripleDES_CBC OID_PKCS_12, 1, 3
+#define PBEWithSHAAnd2KeyTripleDES_CBC OID_PKCS_12, 1, 4
+#define PBEWithSHAAnd128BitRC2_CBC OID_PKCS_12, 1, 5
+#define PBEWithSHAAnd40BitRC2_CBC OID_PKCS_12, 1, 6
+
+#define OID_BAG_TYPES OID_PKCS_12, 10, 1
+#define OID_KeyBag OID_BAG_TYPES, 1
+#define OID_PKCS8ShroudedKeyBag OID_BAG_TYPES, 2
+#define OID_CertBag OID_BAG_TYPES, 3
+#define OID_CrlBag OID_BAG_TYPES, 4
+#define OID_SecretBag OID_BAG_TYPES, 5
+#define OID_SafeContentsBag OID_BAG_TYPES, 6
+
+#define OID_ContentInfo OID_PKCS_7, 0, 1
+
+#define OID_CERT_TYPES OID_PKCS_9, 22
+#define OID_x509Certificate OID_CERT_TYPES, 1
+#define OID_sdsiCertificate OID_CERT_TYPES, 2
+
+#define OID_CRL_TYPES OID_PKCS_9, 23
+#define OID_x509Crl OID_CRL_TYPES, 1
+
+#define OID_DS OID_ISO_CCITT_DIR_SERVICE /* Also in X.501 */
+#define OID_DS_LENGTH 1
+
+#define OID_ATTR_TYPE OID_DS, 4 /* Also in X.501 */
+#define OID_ATTR_TYPE_LENGTH (OID_DS_LENGTH + 1)
+
+#define OID_DSALG OID_DS, 8 /* Also in X.501 */
+#define OID_DSALG_LENGTH (OID_DS_LENGTH + 1)
+
+#define OID_EXTENSION OID_DS, 29 /* Also in X.501 */
+#define OID_EXTENSION_LENGTH (OID_DS_LENGTH + 1)
+
+/*
+ * From RFC 1274:
+ * {itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100) pilotAttributeType(1) }
+ */
+#define OID_PILOT 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x1
+#define OID_PILOT_LENGTH 9
+
+#define OID_USERID OID_PILOT 1
+#define OID_USERID_LENGTH (OID_PILOT_LENGTH + 1)
+
+/*
+ * From PKIX part1
+ * { iso(1) identified-organization(3) dod(6) internet(1)
+ * security(5) mechanisms(5) pkix(7) }
+ */
+#define OID_PKIX 43, 6, 1, 5, 5, 7
+#define OID_PKIX_LENGTH 6
+
+/* private certificate extensions, { id-pkix 1 } */
+#define OID_PKIX_PE OID_PKIX, 1
+#define OID_PKIX_PE_LENGTH (OID_PKIX_LENGTH + 1)
+
+/* policy qualifier types {id-pkix 2 } */
+#define OID_PKIX_QT OID_PKIX, 2
+#define OID_PKIX_QT_LENGTH (OID_PKIX_LENGTH + 1)
+
+/* CPS qualifier, { id-qt 1 } */
+#define OID_PKIX_QT_CPS OID_PKIX_QT, 1
+#define OID_PKIX_QT_CPS_LENGTH (OID_PKIX_QT_LENGTH + 1)
+/* user notice qualifier, { id-qt 2 } */
+#define OID_PKIX_QT_UNOTICE OID_PKIX_QT, 2
+#define OID_PKIX_QT_UNOTICE_LENGTH (OID_PKIX_QT_LENGTH + 1)
+
+/* extended key purpose OIDs {id-pkix 3 } */
+#define OID_PKIX_KP OID_PKIX, 3
+#define OID_PKIX_KP_LENGTH (OID_PKIX_LENGTH + 1)
+
+/* access descriptors {id-pkix 4 } */
+#define OID_PKIX_AD OID_PKIX, 48
+#define OID_PKIX_AD_LENGTH (OID_PKIX_LENGTH + 1)
+
+/* access descriptors */
+/* OCSP */
+#define OID_PKIX_AD_OCSP OID_PKIX_AD, 1
+#define OID_PKIX_AD_OCSP_LENGTH (OID_PKIX_AD_LENGTH + 1)
+
+/* cAIssuers */
+#define OID_PKIX_AD_CAISSUERS OID_PKIX_AD, 2
+#define OID_PKIX_AD_CAISSUERS_LENGTH (OID_PKIX_AD_LENGTH + 1)
+
+/* end PKIX part1 */
+#define OID_APPL_TCP_PROTO 43, 6, 1, 2, 1, 27, 4
+#define OID_APPL_TCP_PROTO_LENGTH 8
+
+#define OID_DAP OID_DS, 3, 1
+#define OID_DAP_LENGTH (OID_DS_LENGTH + 2)
+
+/* From x9.57 */
+#define OID_OIW_LENGTH 2
+
+#define OID_OIW_SECSIG OID_OIW, 3
+#define OID_OIW_SECSIG_LENGTH (OID_OIW_LENGTH + 1)
+
+#define OID_OIW_ALGORITHM OID_OIW_SECSIG, 2
+#define OID_OIW_ALGORITHM_LENGTH (OID_OIW_SECSIG_LENGTH + 1)
+
+#define OID_OIWDIR OID_OIW, 7, 2
+#define OID_OIWDIR_LENGTH (OID_OIW_LENGTH + 2)
+
+#define OID_OIWDIR_CRPT OID_OIWDIR, 1
+
+#define OID_OIWDIR_HASH OID_OIWDIR, 2
+#define OID_OIWDIR_HASH_LENGTH (OID_OIWDIR_LENGTH + 1)
+
+#define OID_OIWDIR_SIGN OID_OIWDIR, 3
+#define OID_OIWDIR_SIGN_LENGTH (OID_OIWDIR_LENGTH + 1)
+
+#define OID_X9CM OID_US, 206, 56
+#define OID_X9CM_MODULE OID_X9CM, 1
+#define OID_X9CM_INSTRUCTION OID_X9CM, 2
+#define OID_X9CM_ATTR OID_X9CM, 3
+#define OID_X9CM_X9ALGORITHM OID_X9CM, 4
+#define OID_X9CM_X9ALGORITHM_LENGTH ((OID_US_LENGTH) + 2 + 1)
+
+#define INTEL 96, 134, 72, 1, 134, 248, 77
+#define INTEL_LENGTH 7
+
+#define INTEL_SEC_FORMATS INTEL_CDSASECURITY, 1
+#define INTEL_SEC_FORMATS_LENGTH (INTEL_CDSASECURITY_LENGTH + 1)
+
+#define INTEL_SEC_ALGS INTEL_CDSASECURITY, 2, 5
+#define INTEL_SEC_ALGS_LENGTH (INTEL_CDSASECURITY_LENGTH + 2)
+
+extern const KMF_OID
+KMFOID_AliasedEntryName,
+KMFOID_AuthorityRevocationList,
+KMFOID_BusinessCategory,
+KMFOID_CACertificate,
+KMFOID_CertificateRevocationList,
+KMFOID_ChallengePassword,
+KMFOID_CollectiveFacsimileTelephoneNumber,
+KMFOID_CollectiveInternationalISDNNumber,
+KMFOID_CollectiveOrganizationName,
+KMFOID_CollectiveOrganizationalUnitName,
+KMFOID_CollectivePhysicalDeliveryOfficeName,
+KMFOID_CollectivePostOfficeBox,
+KMFOID_CollectivePostalAddress,
+KMFOID_CollectivePostalCode,
+KMFOID_CollectiveStateProvinceName,
+KMFOID_CollectiveStreetAddress,
+KMFOID_CollectiveTelephoneNumber,
+KMFOID_CollectiveTelexNumber,
+KMFOID_CollectiveTelexTerminalIdentifier,
+KMFOID_CommonName,
+KMFOID_ContentType,
+KMFOID_CounterSignature,
+KMFOID_CountryName,
+KMFOID_CrossCertificatePair,
+KMFOID_DNQualifier,
+KMFOID_Description,
+KMFOID_DestinationIndicator,
+KMFOID_DistinguishedName,
+KMFOID_EmailAddress,
+KMFOID_EnhancedSearchGuide,
+KMFOID_ExtendedCertificateAttributes,
+KMFOID_ExtensionRequest,
+KMFOID_FacsimileTelephoneNumber,
+KMFOID_GenerationQualifier,
+KMFOID_GivenName,
+KMFOID_HouseIdentifier,
+KMFOID_Initials,
+KMFOID_InternationalISDNNumber,
+KMFOID_KnowledgeInformation,
+KMFOID_LocalityName,
+KMFOID_Member,
+KMFOID_MessageDigest,
+KMFOID_Name,
+KMFOID_ObjectClass,
+KMFOID_OrganizationName,
+KMFOID_OrganizationalUnitName,
+KMFOID_Owner,
+KMFOID_PhysicalDeliveryOfficeName,
+KMFOID_PostOfficeBox,
+KMFOID_PostalAddress,
+KMFOID_PostalCode,
+KMFOID_PreferredDeliveryMethod,
+KMFOID_PresentationAddress,
+KMFOID_ProtocolInformation,
+KMFOID_RFC822mailbox,
+KMFOID_RegisteredAddress,
+KMFOID_RoleOccupant,
+KMFOID_SearchGuide,
+KMFOID_SeeAlso,
+KMFOID_SerialNumber,
+KMFOID_SigningTime,
+KMFOID_StateProvinceName,
+KMFOID_StreetAddress,
+KMFOID_SupportedApplicationContext,
+KMFOID_Surname,
+KMFOID_TelephoneNumber,
+KMFOID_TelexNumber,
+KMFOID_TelexTerminalIdentifier,
+KMFOID_Title,
+KMFOID_UniqueIdentifier,
+KMFOID_UniqueMember,
+KMFOID_UnstructuredAddress,
+KMFOID_UnstructuredName,
+KMFOID_UserCertificate,
+KMFOID_UserPassword,
+KMFOID_X_121Address,
+KMFOID_domainComponent,
+KMFOID_userid;
+
+extern const KMF_OID
+KMFOID_AuthorityKeyID,
+KMFOID_AuthorityInfoAccess,
+KMFOID_VerisignCertificatePolicy,
+KMFOID_KeyUsageRestriction,
+KMFOID_SubjectDirectoryAttributes,
+KMFOID_SubjectKeyIdentifier,
+KMFOID_KeyUsage,
+KMFOID_PrivateKeyUsagePeriod,
+KMFOID_SubjectAltName,
+KMFOID_IssuerAltName,
+KMFOID_BasicConstraints,
+KMFOID_CrlNumber,
+KMFOID_CrlReason,
+KMFOID_HoldInstructionCode,
+KMFOID_InvalidityDate,
+KMFOID_DeltaCrlIndicator,
+KMFOID_IssuingDistributionPoints,
+KMFOID_NameConstraints,
+KMFOID_CrlDistributionPoints,
+KMFOID_CertificatePolicies,
+KMFOID_PolicyMappings,
+KMFOID_PolicyConstraints,
+KMFOID_AuthorityKeyIdentifier,
+KMFOID_ExtendedKeyUsage,
+KMFOID_PkixAdOcsp,
+KMFOID_PkixAdCaIssuers,
+KMFOID_PKIX_PQ_CPSuri,
+KMFOID_PKIX_PQ_Unotice,
+KMFOID_PKIX_KP_ServerAuth,
+KMFOID_PKIX_KP_ClientAuth,
+KMFOID_PKIX_KP_CodeSigning,
+KMFOID_PKIX_KP_EmailProtection,
+KMFOID_PKIX_KP_IPSecEndSystem,
+KMFOID_PKIX_KP_IPSecTunnel,
+KMFOID_PKIX_KP_IPSecUser,
+KMFOID_PKIX_KP_TimeStamping,
+KMFOID_PKIX_KP_OCSPSigning;
+
+/*
+ * KMF Certificate validation codes. These may be masked together.
+ */
+#define KMF_CERT_VALIDATE_OK 0x00
+#define KMF_CERT_VALIDATE_ERR_TA 0x01
+#define KMF_CERT_VALIDATE_ERR_USER 0x02
+#define KMF_CERT_VALIDATE_ERR_SIGNATURE 0x04
+#define KMF_CERT_VALIDATE_ERR_KEYUSAGE 0x08
+#define KMF_CERT_VALIDATE_ERR_EXT_KEYUSAGE 0x10
+#define KMF_CERT_VALIDATE_ERR_TIME 0x20
+#define KMF_CERT_VALIDATE_ERR_CRL 0x40
+#define KMF_CERT_VALIDATE_ERR_OCSP 0x80
+#define KMF_CERT_VALIDATE_ERR_ISSUER 0x100
+
+/*
+ * KMF Key Usage bitmasks
+ */
+#define KMF_digitalSignature 0x8000
+#define KMF_nonRepudiation 0x4000
+#define KMF_keyEncipherment 0x2000
+#define KMF_dataEncipherment 0x1000
+#define KMF_keyAgreement 0x0800
+#define KMF_keyCertSign 0x0400
+#define KMF_cRLSign 0x0200
+#define KMF_encipherOnly 0x0100
+#define KMF_decipherOnly 0x0080
+
+#define KMF_KUBITMASK 0xFF80
+
+/*
+ * KMF Extended KeyUsage OID definitions
+ */
+#define KMF_EKU_SERVERAUTH 0x01
+#define KMF_EKU_CLIENTAUTH 0x02
+#define KMF_EKU_CODESIGNING 0x04
+#define KMF_EKU_EMAIL 0x08
+#define KMF_EKU_TIMESTAMP 0x10
+#define KMF_EKU_OCSPSIGNING 0x20
+
+
+#ifdef __cplusplus
+}
+#endif
+#endif /* _KMFTYPES_H */
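Review bot: `#define OID_USERID OID_PILOT 1` is missing the comma between the prefix and the trailing arc, so any initializer that expands it (`uint8_t x[] = { OID_USERID };`) produces `..., 0x1 1` and fails to compile; every sibling macro uses the `PREFIX, n` form, so this should read `#define OID_USERID OID_PILOT, 1`. In the same table `OID_APPL_TCP_PROTO` lists seven bytes but `OID_APPL_TCP_PROTO_LENGTH` is 8, which looks like a length mismatch that would overread if the two are ever paired into a KMF_OID, and the comment on `OID_PKIX_AD` says `{id-pkix 4 }` while the value is the (correct) arc 48. The function-like macros `VALID_KEYSTORE_TYPE`, `CERT_ALG_OID` and `CERT_SIG_OID` do not parenthesize their argument or the full expansion; `#define VALID_KEYSTORE_TYPE(t) (((t) >= KMF_KEYSTORE_NSS) && ((t) <= KMF_KEYSTORE_PK11TOKEN))` and `#define CERT_ALG_OID(c) (&(c)->certificate.signature.algorithm)` avoid surprises with non-trivial arguments. `KMF_CREDENTIAL` carries a PIN or passphrase in `cred`, and `ignore_response_sign` / the `ignore-crl-sign` policy attribute disable signature checks on revocation data; a comment on each stating who owns and zeroizes `cred`, and that setting the ignore flags removes the authenticity guarantee of the revocation status, would help callers use these safely.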
diff --git a/usr/src/lib/libkmf/include/oidsalg.h b/usr/src/lib/libkmf/include/oidsalg.h
new file mode 100644
index 0000000000..af9f5e2ead
--- /dev/null
+++ b/usr/src/lib/libkmf/include/oidsalg.h
@@ -0,0 +1,73 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ *
+ *
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ *
+ * File: oidsalg.h
+ *
+ * Copyright (c) 1995-2000 Intel Corporation. All rights reserved.
+ *
+ */
+
+#ifndef _OIDSALG_H
+#define _OIDSALG_H
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+#include <kmftypes.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+uint8_t
+ OID_OIW_SHA1[] = { OID_OIW_ALGORITHM, 26},
+ OID_OIW_DSA[] = { OID_OIW_ALGORITHM, 12 },
+ OID_OIW_DSAWithSHA1[] = { OID_OIW_ALGORITHM, 27 },
+ OID_RSAEncryption[] = { OID_PKCS_1, 1 },
+ OID_MD2WithRSA[] = { OID_PKCS_1, 2 },
+ OID_MD5WithRSA[] = { OID_PKCS_1, 4 },
+ OID_SHA1WithRSA[] = { OID_PKCS_1, 5 },
+ OID_X9CM_DSA[] = { OID_X9CM_X9ALGORITHM, 1 },
+ OID_X9CM_DSAWithSHA1[] = { OID_X9CM_X9ALGORITHM, 3}
+;
+
+KMF_OID
+ KMFOID_SHA1 = {OID_OIW_ALGORITHM_LENGTH+1, OID_OIW_SHA1},
+ KMFOID_RSA = {OID_PKCS_1_LENGTH+1, OID_RSAEncryption},
+ KMFOID_DSA = {OID_OIW_ALGORITHM_LENGTH+1, OID_OIW_DSA},
+ KMFOID_MD5WithRSA = {OID_PKCS_1_LENGTH+1, OID_MD5WithRSA},
+ KMFOID_MD2WithRSA = {OID_PKCS_1_LENGTH+1, OID_MD2WithRSA},
+ KMFOID_SHA1WithRSA = {OID_PKCS_1_LENGTH+1, OID_SHA1WithRSA},
+ KMFOID_SHA1WithDSA = {OID_OIW_ALGORITHM_LENGTH+1, OID_OIW_DSAWithSHA1},
+ KMFOID_OIW_DSAWithSHA1 = {OID_OIW_ALGORITHM_LENGTH+1,
+ OID_OIW_DSAWithSHA1},
+ KMFOID_X9CM_DSA = {OID_X9CM_X9ALGORITHM_LENGTH+1, OID_X9CM_DSA},
+ KMFOID_X9CM_DSAWithSHA1 = {OID_X9CM_X9ALGORITHM_LENGTH+1,
+ OID_X9CM_DSAWithSHA1}
+
+;
+
+#ifdef __cplusplus
+}
+#endif
+#endif /* _OIDSALG_H */
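Review bot: The OID byte arrays from OID_OIW_SHA1 through OID_X9CM_DSAWithSHA1, and the KMF_OID objects below them, are definitions rather than declarations and carry neither `static` nor `const`, so every translation unit that includes oidsalg.h emits its own writable copy and a second includer produces duplicate-symbol link errors. Because these tables are what signature and key algorithms are matched against, the header should expose them read-only: `extern const` declarations here with a single definition in one .c file, or `static const` if a per-unit copy is acceptable. KMF_OID is declared in kmftypes.h outside this hunk; if its data field is not const-qualified, const on the byte arrays would need either a const field or a cast, so confirm against that definition before changing the qualifiers. A short comment stating that the arrays hold the OID's encoded bytes and that `*_LENGTH+1` is the full length including the trailing arc would also help a reader verify each entry.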
diff --git a/usr/src/lib/libkmf/include/pem_encode.h b/usr/src/lib/libkmf/include/pem_encode.h
new file mode 100644
index 0000000000..7ba568d2cf
--- /dev/null
+++ b/usr/src/lib/libkmf/include/pem_encode.h
@@ -0,0 +1,137 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#ifndef _PEM_ENCODE_H
+#define _PEM_ENCODE_H
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+#define PEM_STRING_X509 "CERTIFICATE"
+#define PEM_STRING_X509_REQ "CERTIFICATE REQUEST"
+#define PEM_STRING_X509_CRL "X509 CRL"
+#define PEM_BUFSIZE 1024
+
+/*
+ * 0xF0 is a EOLN
+ * 0xF1 is ignore but next needs to be 0xF0 (for \r\n processing).
+ * 0xF2 is EOF
+ * 0xE0 is ignore at start of line.
+ * 0xFF is error
+ */
+
+#define B64_EOLN 0xF0
+#define B64_CR 0xF1
+#define B64_EOF 0xF2
+#define B64_WS 0xE0
+#define B64_ERROR 0xFF
+#define B64_NOT_BASE64(a) (((a)|0x13) == 0xF3)
+
+typedef struct pem_encode_ctx_st
+{
+ int num; /* number saved in a partial encode/decode */
+ /*
+ * The length is either the output line length
+ * (in input bytes) or the shortest input line
+ * length that is ok. Once decoding begins,
+ * the length is adjusted up each time a longer
+ * line is decoded.
+ */
+ int length;
+ unsigned char enc_data[80]; /* data to encode */
+ int line_num; /* number read on current line */
+ int expect_nl;
+} PEM_ENCODE_CTX;
+
+KMF_RETURN
+Der2Pem(KMF_OBJECT_TYPE, unsigned char *, int, unsigned char **, int *);
+
+KMF_RETURN
+Pem2Der(unsigned char *, int, unsigned char **, int *);
+
+#ifdef __cplusplus
+}
+#endif
+#endif /* _PEM_ENCODE_H */
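Review bot: The prototypes of Der2Pem and Pem2Der give no parameter names and no contract for the `unsigned char **` / `int *` output pair, so a caller cannot tell whether the result is allocated by the callee and must be freed or whether it aliases the input. Add names and a one-line comment above each, for example `/* Pem2Der(pem, pem_len, &der, &der_len): on success *der is callee-allocated, caller frees */` if that is how the implementation behaves, or the equivalent for the alternative. The input buffer and length arrive from untrusted files, so making the input `const unsigned char *` and documenting how a zero or negative `int` length is treated would also help, since the prototype alone does not rule negative values out. In PEM_ENCODE_CTX the fields `num`, `length`, `enc_data` and `line_num` are commented but `expect_nl` is not; a short comment on what it tracks would complete the struct documentation.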
diff --git a/usr/src/lib/libkmf/include/rdn_parser.h b/usr/src/lib/libkmf/include/rdn_parser.h
new file mode 100644
index 0000000000..d94208e1b2
--- /dev/null
+++ b/usr/src/lib/libkmf/include/rdn_parser.h
@@ -0,0 +1,126 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#ifndef _RDN_PARSER_H
+#define _RDN_PARSER_H
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation. Portions created by Netscape are
+ * Copyright (C) 1994-2000 Netscape Communications Corporation. All
+ * Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above. If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL. If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+typedef enum {
+ OID_AVA_COMMON_NAME = 0,
+ OID_AVA_SURNAME,
+ OID_AVA_GIVEN_NAME,
+ OID_AVA_LOCALITY,
+ OID_AVA_STATE_OR_PROVINCE,
+ OID_AVA_ORGANIZATION_NAME,
+ OID_AVA_ORGANIZATIONAL_UNIT_NAME,
+ OID_AVA_COUNTRY_NAME,
+ OID_AVA_STREET_ADDRESS,
+ OID_AVA_DC,
+ OID_RFC1274_UID,
+ OID_PKCS9_EMAIL_ADDRESS,
+ OID_RFC1274_MAIL,
+ OID_UNKNOWN
+} OidAvaTag;
+
+struct NameToKind {
+ const char *name;
+ OidAvaTag kind;
+ KMF_OID *OID;
+};
+
+#define C_DOUBLE_QUOTE '\042'
+
+#define C_BACKSLASH '\134'
+
+#define C_EQUAL '='
+
+#define OPTIONAL_SPACE(c) \
+ (((c) == ' ') || ((c) == '\r') || ((c) == '\n'))
+
+#define SPECIAL_CHAR(c) \
+ (((c) == ',') || ((c) == '=') || ((c) == C_DOUBLE_QUOTE) || \
+ ((c) == '\r') || ((c) == '\n') || ((c) == '+') || \
+ ((c) == '<') || ((c) == '>') || ((c) == '#') || \
+ ((c) == ';') || ((c) == C_BACKSLASH))
+
+
+#define IS_PRINTABLE(c) \
+ ((((c) >= 'a') && ((c) <= 'z')) || \
+ (((c) >= 'A') && ((c) <= 'Z')) || \
+ (((c) >= '0') && ((c) <= '9')) || \
+ ((c) == ' ') || \
+ ((c) == '\'') || \
+ ((c) == '\050') || /* ( */ \
+ ((c) == '\051') || /* ) */ \
+ (((c) >= '+') && ((c) <= '/')) || /* + , - . / */ \
+ ((c) == ':') || \
+ ((c) == '=') || \
+ ((c) == '?'))
+
+
+KMF_RETURN ParseDistinguishedName(char *, int, KMF_X509_NAME *);
+
+#ifdef __cplusplus
+}
+#endif
+#endif /* _RDN_PARSER_H */
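Review bot: `OPTIONAL_SPACE`, `SPECIAL_CHAR` and `IS_PRINTABLE` evaluate their argument many times (IS_PRINTABLE reads `c` eleven times), so a caller that passes an expression with side effects such as `*p++` gets wrong results; either rewrite them as `static inline int` functions or put `/* argument is evaluated multiple times; pass a plain variable */` above the group. IS_PRINTABLE appears to match the ASN.1 PrintableString character set (letters, digits, space, and ' ( ) + , - . / : = ?), and saying so in a comment would make the table easy to check against the standard. `ParseDistinguishedName(char *, int, KMF_X509_NAME *)` takes a DN string that typically originates from user input; the header should name the parameters, state whether the string is modified (it is not `const`), and say how the `int` length is interpreted, including zero and negative values.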