secoid.c (111063B)
1 /* This Source Code Form is subject to the terms of the Mozilla Public 2 * License, v. 2.0. If a copy of the MPL was not distributed with this 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 5 #include "secoid.h" 6 #include "pkcs11t.h" 7 #include "secitem.h" 8 #include "secerr.h" 9 #include "prenv.h" 10 #include "plhash.h" 11 #include "nssrwlk.h" 12 #include "nssutil.h" 13 #include "secoidt.h" 14 15 /* Library identity and versioning */ 16 17 #if defined(DEBUG) 18 #define _DEBUG_STRING " (debug)" 19 #else 20 #define _DEBUG_STRING "" 21 #endif 22 23 /* 24 * Version information 25 */ 26 const char __nss_util_version[] = "Version: NSS " NSSUTIL_VERSION _DEBUG_STRING; 27 28 /* MISSI Mosaic Object ID space */ 29 /* USGov algorithm OID space: { 2 16 840 1 101 } */ 30 #define USGOV 0x60, 0x86, 0x48, 0x01, 0x65 31 #define MISSI USGOV, 0x02, 0x01, 0x01 32 #define MISSI_OLD_KEA_DSS MISSI, 0x0c 33 #define MISSI_OLD_DSS MISSI, 0x02 34 #define MISSI_KEA_DSS MISSI, 0x14 35 #define MISSI_DSS MISSI, 0x13 36 #define MISSI_KEA MISSI, 0x0a 37 #define MISSI_ALT_KEA MISSI, 0x16 38 39 #define NISTALGS USGOV, 3, 4 40 #define AES NISTALGS, 1 41 #define SHAXXX NISTALGS, 2 42 #define DSA2 NISTALGS, 3 43 44 /** 45 ** The Netscape OID space is allocated by Terry Hayes. If you need 46 ** a piece of the space, contact him at thayes@netscape.com. 47 **/ 48 49 /* Netscape Communications Corporation Object ID space */ 50 /* { 2 16 840 1 113730 } */ 51 #define NETSCAPE_OID 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42 52 #define NETSCAPE_CERT_EXT NETSCAPE_OID, 0x01 53 #define NETSCAPE_DATA_TYPE NETSCAPE_OID, 0x02 54 /* netscape directory oid - owned by Mark Smith (mcs@netscape.com) */ 55 #define NETSCAPE_DIRECTORY NETSCAPE_OID, 0x03 56 #define NETSCAPE_POLICY NETSCAPE_OID, 0x04 57 #define NETSCAPE_CERT_SERVER NETSCAPE_OID, 0x05 58 #define NETSCAPE_ALGS NETSCAPE_OID, 0x06 /* algorithm OIDs */ 59 #define NETSCAPE_NAME_COMPONENTS NETSCAPE_OID, 0x07 60 61 #define NETSCAPE_CERT_EXT_AIA NETSCAPE_CERT_EXT, 0x10 62 #define NETSCAPE_CERT_SERVER_CRMF NETSCAPE_CERT_SERVER, 0x01 63 64 /* these are old and should go away soon */ 65 #define OLD_NETSCAPE 0x60, 0x86, 0x48, 0xd8, 0x6a 66 #define NS_CERT_EXT OLD_NETSCAPE, 0x01 67 #define NS_FILE_TYPE OLD_NETSCAPE, 0x02 68 #define NS_IMAGE_TYPE OLD_NETSCAPE, 0x03 69 70 /* RSA OID name space */ 71 #define RSADSI 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d 72 #define PKCS RSADSI, 0x01 73 #define DIGEST RSADSI, 0x02 74 #define CIPHER RSADSI, 0x03 75 #define PKCS1 PKCS, 0x01 76 #define PKCS5 PKCS, 0x05 77 #define PKCS7 PKCS, 0x07 78 #define PKCS9 PKCS, 0x09 79 #define PKCS12 PKCS, 0x0c 80 81 /* Other OID name spaces */ 82 #define ALGORITHM 0x2b, 0x0e, 0x03, 0x02 83 #define X500 0x55 84 #define X520_ATTRIBUTE_TYPE X500, 0x04 85 #define X500_ALG X500, 0x08 86 #define X500_ALG_ENCRYPTION X500_ALG, 0x01 87 88 /** X.509 v3 Extension OID 89 ** {joint-iso-ccitt (2) ds(5) 29} 90 **/ 91 #define ID_CE_OID X500, 0x1d 92 93 #define RFC1274_ATTR_TYPE 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x1 94 /* #define RFC2247_ATTR_TYPE 0x09, 0x92, 0x26, 0xf5, 0x98, 0x1e, 0x64, 0x1 this is WRONG! */ 95 96 /* PKCS #12 name spaces */ 97 #define PKCS12_MODE_IDS PKCS12, 0x01 98 #define PKCS12_ESPVK_IDS PKCS12, 0x02 99 #define PKCS12_BAG_IDS PKCS12, 0x03 100 #define PKCS12_CERT_BAG_IDS PKCS12, 0x04 101 #define PKCS12_OIDS PKCS12, 0x05 102 #define PKCS12_PBE_IDS PKCS12_OIDS, 0x01 103 #define PKCS12_ENVELOPING_IDS PKCS12_OIDS, 0x02 104 #define PKCS12_SIGNATURE_IDS PKCS12_OIDS, 0x03 105 #define PKCS12_V2_PBE_IDS PKCS12, 0x01 106 #define PKCS9_CERT_TYPES PKCS9, 0x16 107 #define PKCS9_CRL_TYPES PKCS9, 0x17 108 #define PKCS9_SMIME_IDS PKCS9, 0x10 109 #define PKCS9_SMIME_ATTRS PKCS9_SMIME_IDS, 2 110 #define PKCS9_SMIME_ALGS PKCS9_SMIME_IDS, 3 111 #define PKCS12_VERSION1 PKCS12, 0x0a 112 #define PKCS12_V1_BAG_IDS PKCS12_VERSION1, 1 113 114 /* for DSA algorithm */ 115 /* { iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) } */ 116 #define ANSI_X9_ALGORITHM 0x2a, 0x86, 0x48, 0xce, 0x38, 0x4 117 118 /* for DH algorithm */ 119 /* { iso(1) member-body(2) us(840) x9-57(10046) number-type(2) } */ 120 /* need real OID person to look at this, copied the above line 121 * and added 6 to second to last value (and changed '4' to '2' */ 122 #define ANSI_X942_ALGORITHM 0x2a, 0x86, 0x48, 0xce, 0x3e, 0x2 123 124 #define VERISIGN 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x45 125 126 #define INTERNET_SECURITY_MECH 0x2b, 0x06, 0x01, 0x05, 0x05 127 128 #define PKIX INTERNET_SECURITY_MECH, 0x07 129 #define PKIX_CERT_EXTENSIONS PKIX, 1 130 #define PKIX_POLICY_QUALIFIERS PKIX, 2 131 #define PKIX_KEY_USAGE PKIX, 3 132 #define PKIX_ACCESS_DESCRIPTION PKIX, 0x30 133 #define PKIX_OCSP PKIX_ACCESS_DESCRIPTION, 1 134 #define PKIX_CA_ISSUERS PKIX_ACCESS_DESCRIPTION, 2 135 136 #define PKIX_ID_PKIP PKIX, 5 137 #define PKIX_ID_REGCTRL PKIX_ID_PKIP, 1 138 #define PKIX_ID_REGINFO PKIX_ID_PKIP, 2 139 140 /* Microsoft Object ID space */ 141 /* { 1.3.6.1.4.1.311 } */ 142 #define MICROSOFT_OID 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37 143 #define EV_NAME_ATTRIBUTE MICROSOFT_OID, 60, 2, 1 144 145 /* Microsoft Crypto 2.0 ID space */ 146 /* { 1.3.6.1.4.1.311.10 } */ 147 #define MS_CRYPTO_20 MICROSOFT_OID, 10 148 /* Microsoft Crypto 2.0 Extended Key Usage ID space */ 149 /* { 1.3.6.1.4.1.311.10.3 } */ 150 #define MS_CRYPTO_EKU MS_CRYPTO_20, 3 151 152 #define CERTICOM_OID 0x2b, 0x81, 0x04 153 #define SECG_OID CERTICOM_OID, 0x00 154 155 #define ANSI_X962_OID 0x2a, 0x86, 0x48, 0xce, 0x3d 156 #define ANSI_X962_CURVE_OID ANSI_X962_OID, 0x03 157 #define ANSI_X962_GF2m_OID ANSI_X962_CURVE_OID, 0x00 158 #define ANSI_X962_GFp_OID ANSI_X962_CURVE_OID, 0x01 159 #define ANSI_X962_SIGNATURE_OID ANSI_X962_OID, 0x04 160 #define ANSI_X962_SPECIFY_OID ANSI_X962_SIGNATURE_OID, 0x03 161 162 #define X9_63_SCHEME 0x2B, 0x81, 0x05, 0x10, 0x86, 0x48, 0x3F, 0x00 163 #define SECG_SCHEME CERTICOM_OID, 0x01 164 165 /* for Camellia: iso(1) member-body(2) jisc(392) 166 * mitsubishi(200011) isl(61) security(1) algorithm(1) 167 */ 168 #define MITSUBISHI_ALG 0x2a, 0x83, 0x08, 0x8c, 0x9a, 0x4b, 0x3d, 0x01, 0x01 169 #define CAMELLIA_ENCRYPT_OID MITSUBISHI_ALG, 1 170 #define CAMELLIA_WRAP_OID MITSUBISHI_ALG, 3 171 172 /* For IDEA: 1.3.6.1.4.1.188.7.1.1 173 */ 174 #define ASCOM_OID 0x2b, 0x6, 0x1, 0x4, 0x1, 0xbc 175 #define ASCOM_IDEA_ALG ASCOM_OID, 0x7, 0x1, 0x1 176 177 /* for SEED : iso(1) member-body(2) korea(410) 178 * kisa(200004) algorithm(1) 179 */ 180 #define SEED_OID 0x2a, 0x83, 0x1a, 0x8c, 0x9a, 0x44, 0x01 181 182 #define CONST_OID static const unsigned char 183 184 CONST_OID md2[] = { DIGEST, 0x02 }; 185 CONST_OID md4[] = { DIGEST, 0x04 }; 186 CONST_OID md5[] = { DIGEST, 0x05 }; 187 CONST_OID hmac_sha1[] = { DIGEST, 7 }; 188 CONST_OID hmac_sha224[] = { DIGEST, 8 }; 189 CONST_OID hmac_sha256[] = { DIGEST, 9 }; 190 CONST_OID hmac_sha384[] = { DIGEST, 10 }; 191 CONST_OID hmac_sha512[] = { DIGEST, 11 }; 192 193 CONST_OID rc2cbc[] = { CIPHER, 0x02 }; 194 CONST_OID rc4[] = { CIPHER, 0x04 }; 195 CONST_OID desede3cbc[] = { CIPHER, 0x07 }; 196 CONST_OID rc5cbcpad[] = { CIPHER, 0x09 }; 197 198 CONST_OID desecb[] = { ALGORITHM, 0x06 }; 199 CONST_OID descbc[] = { ALGORITHM, 0x07 }; 200 CONST_OID desofb[] = { ALGORITHM, 0x08 }; 201 CONST_OID descfb[] = { ALGORITHM, 0x09 }; 202 CONST_OID desmac[] = { ALGORITHM, 0x0a }; 203 CONST_OID sdn702DSASignature[] = { ALGORITHM, 0x0c }; 204 CONST_OID isoSHAWithRSASignature[] = { ALGORITHM, 0x0f }; 205 CONST_OID desede[] = { ALGORITHM, 0x11 }; 206 CONST_OID sha1[] = { ALGORITHM, 0x1a }; 207 CONST_OID bogusDSASignaturewithSHA1Digest[] = { ALGORITHM, 0x1b }; 208 CONST_OID isoSHA1WithRSASignature[] = { ALGORITHM, 0x1d }; 209 210 CONST_OID pkcs1RSAEncryption[] = { PKCS1, 0x01 }; 211 CONST_OID pkcs1MD2WithRSAEncryption[] = { PKCS1, 0x02 }; 212 CONST_OID pkcs1MD4WithRSAEncryption[] = { PKCS1, 0x03 }; 213 CONST_OID pkcs1MD5WithRSAEncryption[] = { PKCS1, 0x04 }; 214 CONST_OID pkcs1SHA1WithRSAEncryption[] = { PKCS1, 0x05 }; 215 CONST_OID pkcs1RSAOAEPEncryption[] = { PKCS1, 0x07 }; 216 CONST_OID pkcs1MGF1[] = { PKCS1, 0x08 }; 217 CONST_OID pkcs1PSpecified[] = { PKCS1, 0x09 }; 218 CONST_OID pkcs1RSAPSSSignature[] = { PKCS1, 10 }; 219 CONST_OID pkcs1SHA256WithRSAEncryption[] = { PKCS1, 11 }; 220 CONST_OID pkcs1SHA384WithRSAEncryption[] = { PKCS1, 12 }; 221 CONST_OID pkcs1SHA512WithRSAEncryption[] = { PKCS1, 13 }; 222 CONST_OID pkcs1SHA224WithRSAEncryption[] = { PKCS1, 14 }; 223 224 CONST_OID pkcs5PbeWithMD2AndDEScbc[] = { PKCS5, 0x01 }; 225 CONST_OID pkcs5PbeWithMD5AndDEScbc[] = { PKCS5, 0x03 }; 226 CONST_OID pkcs5PbeWithSha1AndDEScbc[] = { PKCS5, 0x0a }; 227 CONST_OID pkcs5Pbkdf2[] = { PKCS5, 12 }; 228 CONST_OID pkcs5Pbes2[] = { PKCS5, 13 }; 229 CONST_OID pkcs5Pbmac1[] = { PKCS5, 14 }; 230 231 CONST_OID pkcs7[] = { PKCS7 }; 232 CONST_OID pkcs7Data[] = { PKCS7, 0x01 }; 233 CONST_OID pkcs7SignedData[] = { PKCS7, 0x02 }; 234 CONST_OID pkcs7EnvelopedData[] = { PKCS7, 0x03 }; 235 CONST_OID pkcs7SignedEnvelopedData[] = { PKCS7, 0x04 }; 236 CONST_OID pkcs7DigestedData[] = { PKCS7, 0x05 }; 237 CONST_OID pkcs7EncryptedData[] = { PKCS7, 0x06 }; 238 239 CONST_OID pkcs9EmailAddress[] = { PKCS9, 0x01 }; 240 CONST_OID pkcs9UnstructuredName[] = { PKCS9, 0x02 }; 241 CONST_OID pkcs9ContentType[] = { PKCS9, 0x03 }; 242 CONST_OID pkcs9MessageDigest[] = { PKCS9, 0x04 }; 243 CONST_OID pkcs9SigningTime[] = { PKCS9, 0x05 }; 244 CONST_OID pkcs9CounterSignature[] = { PKCS9, 0x06 }; 245 CONST_OID pkcs9ChallengePassword[] = { PKCS9, 0x07 }; 246 CONST_OID pkcs9UnstructuredAddress[] = { PKCS9, 0x08 }; 247 CONST_OID pkcs9ExtendedCertificateAttributes[] = { PKCS9, 0x09 }; 248 CONST_OID pkcs9ExtensionRequest[] = { PKCS9, 14 }; 249 CONST_OID pkcs9SMIMECapabilities[] = { PKCS9, 15 }; 250 CONST_OID pkcs9FriendlyName[] = { PKCS9, 20 }; 251 CONST_OID pkcs9LocalKeyID[] = { PKCS9, 21 }; 252 253 CONST_OID pkcs9X509Certificate[] = { PKCS9_CERT_TYPES, 1 }; 254 CONST_OID pkcs9SDSICertificate[] = { PKCS9_CERT_TYPES, 2 }; 255 CONST_OID pkcs9X509CRL[] = { PKCS9_CRL_TYPES, 1 }; 256 257 /* RFC2630 (CMS) OIDs */ 258 CONST_OID cmsESDH[] = { PKCS9_SMIME_ALGS, 5 }; 259 CONST_OID cms3DESwrap[] = { PKCS9_SMIME_ALGS, 6 }; 260 CONST_OID cmsRC2wrap[] = { PKCS9_SMIME_ALGS, 7 }; 261 262 /* RFC2633 SMIME message attributes */ 263 CONST_OID smimeEncryptionKeyPreference[] = { PKCS9_SMIME_ATTRS, 11 }; 264 CONST_OID ms_smimeEncryptionKeyPreference[] = { MICROSOFT_OID, 0x10, 0x4 }; 265 266 CONST_OID x520CommonName[] = { X520_ATTRIBUTE_TYPE, 3 }; 267 CONST_OID x520SurName[] = { X520_ATTRIBUTE_TYPE, 4 }; 268 CONST_OID x520SerialNumber[] = { X520_ATTRIBUTE_TYPE, 5 }; 269 CONST_OID x520CountryName[] = { X520_ATTRIBUTE_TYPE, 6 }; 270 CONST_OID x520LocalityName[] = { X520_ATTRIBUTE_TYPE, 7 }; 271 CONST_OID x520StateOrProvinceName[] = { X520_ATTRIBUTE_TYPE, 8 }; 272 CONST_OID x520StreetAddress[] = { X520_ATTRIBUTE_TYPE, 9 }; 273 CONST_OID x520OrgName[] = { X520_ATTRIBUTE_TYPE, 10 }; 274 CONST_OID x520OrgUnitName[] = { X520_ATTRIBUTE_TYPE, 11 }; 275 CONST_OID x520Title[] = { X520_ATTRIBUTE_TYPE, 12 }; 276 CONST_OID x520BusinessCategory[] = { X520_ATTRIBUTE_TYPE, 15 }; 277 CONST_OID x520PostalAddress[] = { X520_ATTRIBUTE_TYPE, 16 }; 278 CONST_OID x520PostalCode[] = { X520_ATTRIBUTE_TYPE, 17 }; 279 CONST_OID x520PostOfficeBox[] = { X520_ATTRIBUTE_TYPE, 18 }; 280 CONST_OID x520Name[] = { X520_ATTRIBUTE_TYPE, 41 }; 281 CONST_OID x520GivenName[] = { X520_ATTRIBUTE_TYPE, 42 }; 282 CONST_OID x520Initials[] = { X520_ATTRIBUTE_TYPE, 43 }; 283 CONST_OID x520GenerationQualifier[] = { X520_ATTRIBUTE_TYPE, 44 }; 284 CONST_OID x520DnQualifier[] = { X520_ATTRIBUTE_TYPE, 46 }; 285 CONST_OID x520HouseIdentifier[] = { X520_ATTRIBUTE_TYPE, 51 }; 286 CONST_OID x520Pseudonym[] = { X520_ATTRIBUTE_TYPE, 65 }; 287 288 CONST_OID nsTypeGIF[] = { NETSCAPE_DATA_TYPE, 0x01 }; 289 CONST_OID nsTypeJPEG[] = { NETSCAPE_DATA_TYPE, 0x02 }; 290 CONST_OID nsTypeURL[] = { NETSCAPE_DATA_TYPE, 0x03 }; 291 CONST_OID nsTypeHTML[] = { NETSCAPE_DATA_TYPE, 0x04 }; 292 CONST_OID nsTypeCertSeq[] = { NETSCAPE_DATA_TYPE, 0x05 }; 293 294 CONST_OID missiCertKEADSSOld[] = { MISSI_OLD_KEA_DSS }; 295 CONST_OID missiCertDSSOld[] = { MISSI_OLD_DSS }; 296 CONST_OID missiCertKEADSS[] = { MISSI_KEA_DSS }; 297 CONST_OID missiCertDSS[] = { MISSI_DSS }; 298 CONST_OID missiCertKEA[] = { MISSI_KEA }; 299 CONST_OID missiCertAltKEA[] = { MISSI_ALT_KEA }; 300 CONST_OID x500RSAEncryption[] = { X500_ALG_ENCRYPTION, 0x01 }; 301 302 /* added for alg 1485 */ 303 CONST_OID rfc1274Uid[] = { RFC1274_ATTR_TYPE, 1 }; 304 CONST_OID rfc1274Mail[] = { RFC1274_ATTR_TYPE, 3 }; 305 CONST_OID rfc2247DomainComponent[] = { RFC1274_ATTR_TYPE, 25 }; 306 307 /* Netscape private certificate extensions */ 308 CONST_OID nsCertExtNetscapeOK[] = { NS_CERT_EXT, 1 }; 309 CONST_OID nsCertExtIssuerLogo[] = { NS_CERT_EXT, 2 }; 310 CONST_OID nsCertExtSubjectLogo[] = { NS_CERT_EXT, 3 }; 311 CONST_OID nsExtCertType[] = { NETSCAPE_CERT_EXT, 0x01 }; 312 CONST_OID nsExtBaseURL[] = { NETSCAPE_CERT_EXT, 0x02 }; 313 CONST_OID nsExtRevocationURL[] = { NETSCAPE_CERT_EXT, 0x03 }; 314 CONST_OID nsExtCARevocationURL[] = { NETSCAPE_CERT_EXT, 0x04 }; 315 CONST_OID nsExtCACRLURL[] = { NETSCAPE_CERT_EXT, 0x05 }; 316 CONST_OID nsExtCACertURL[] = { NETSCAPE_CERT_EXT, 0x06 }; 317 CONST_OID nsExtCertRenewalURL[] = { NETSCAPE_CERT_EXT, 0x07 }; 318 CONST_OID nsExtCAPolicyURL[] = { NETSCAPE_CERT_EXT, 0x08 }; 319 CONST_OID nsExtHomepageURL[] = { NETSCAPE_CERT_EXT, 0x09 }; 320 CONST_OID nsExtEntityLogo[] = { NETSCAPE_CERT_EXT, 0x0a }; 321 CONST_OID nsExtUserPicture[] = { NETSCAPE_CERT_EXT, 0x0b }; 322 CONST_OID nsExtSSLServerName[] = { NETSCAPE_CERT_EXT, 0x0c }; 323 CONST_OID nsExtComment[] = { NETSCAPE_CERT_EXT, 0x0d }; 324 325 /* the following 2 extensions are defined for and used by Cartman(NSM) */ 326 CONST_OID nsExtLostPasswordURL[] = { NETSCAPE_CERT_EXT, 0x0e }; 327 CONST_OID nsExtCertRenewalTime[] = { NETSCAPE_CERT_EXT, 0x0f }; 328 329 CONST_OID nsExtAIACertRenewal[] = { NETSCAPE_CERT_EXT_AIA, 0x01 }; 330 CONST_OID nsExtCertScopeOfUse[] = { NETSCAPE_CERT_EXT, 0x11 }; 331 /* Reserved Netscape (2 16 840 1 113730 1 18) = { NETSCAPE_CERT_EXT, 0x12 }; */ 332 333 /* Netscape policy values */ 334 CONST_OID nsKeyUsageGovtApproved[] = { NETSCAPE_POLICY, 0x01 }; 335 336 /* Netscape other name types */ 337 CONST_OID netscapeNickname[] = { NETSCAPE_NAME_COMPONENTS, 0x01 }; 338 CONST_OID netscapeAOLScreenname[] = { NETSCAPE_NAME_COMPONENTS, 0x02 }; 339 340 /* OIDs needed for cert server */ 341 CONST_OID netscapeRecoveryRequest[] = { NETSCAPE_CERT_SERVER_CRMF, 0x01 }; 342 343 /* Standard x.509 v3 Certificate & CRL Extensions */ 344 CONST_OID x509SubjectDirectoryAttr[] = { ID_CE_OID, 9 }; 345 CONST_OID x509SubjectKeyID[] = { ID_CE_OID, 14 }; 346 CONST_OID x509KeyUsage[] = { ID_CE_OID, 15 }; 347 CONST_OID x509PrivateKeyUsagePeriod[] = { ID_CE_OID, 16 }; 348 CONST_OID x509SubjectAltName[] = { ID_CE_OID, 17 }; 349 CONST_OID x509IssuerAltName[] = { ID_CE_OID, 18 }; 350 CONST_OID x509BasicConstraints[] = { ID_CE_OID, 19 }; 351 CONST_OID x509CRLNumber[] = { ID_CE_OID, 20 }; 352 CONST_OID x509ReasonCode[] = { ID_CE_OID, 21 }; 353 CONST_OID x509HoldInstructionCode[] = { ID_CE_OID, 23 }; 354 CONST_OID x509InvalidDate[] = { ID_CE_OID, 24 }; 355 CONST_OID x509DeltaCRLIndicator[] = { ID_CE_OID, 27 }; 356 CONST_OID x509IssuingDistributionPoint[] = { ID_CE_OID, 28 }; 357 CONST_OID x509CertIssuer[] = { ID_CE_OID, 29 }; 358 CONST_OID x509NameConstraints[] = { ID_CE_OID, 30 }; 359 CONST_OID x509CRLDistPoints[] = { ID_CE_OID, 31 }; 360 CONST_OID x509CertificatePolicies[] = { ID_CE_OID, 32 }; 361 CONST_OID x509PolicyMappings[] = { ID_CE_OID, 33 }; 362 CONST_OID x509AuthKeyID[] = { ID_CE_OID, 35 }; 363 CONST_OID x509PolicyConstraints[] = { ID_CE_OID, 36 }; 364 CONST_OID x509ExtKeyUsage[] = { ID_CE_OID, 37 }; 365 CONST_OID x509FreshestCRL[] = { ID_CE_OID, 46 }; 366 CONST_OID x509InhibitAnyPolicy[] = { ID_CE_OID, 54 }; 367 368 CONST_OID x509CertificatePoliciesAnyPolicy[] = { ID_CE_OID, 32, 0 }; 369 CONST_OID x509ExtKeyUsageAnyUsage[] = { ID_CE_OID, 37, 0 }; 370 371 CONST_OID x509AuthInfoAccess[] = { PKIX_CERT_EXTENSIONS, 1 }; 372 CONST_OID x509SubjectInfoAccess[] = { PKIX_CERT_EXTENSIONS, 11 }; 373 374 CONST_OID x509SIATimeStamping[] = { PKIX_ACCESS_DESCRIPTION, 0x03 }; 375 CONST_OID x509SIACaRepository[] = { PKIX_ACCESS_DESCRIPTION, 0x05 }; 376 377 /* pkcs 12 additions */ 378 CONST_OID pkcs12[] = { PKCS12 }; 379 CONST_OID pkcs12ModeIDs[] = { PKCS12_MODE_IDS }; 380 CONST_OID pkcs12ESPVKIDs[] = { PKCS12_ESPVK_IDS }; 381 CONST_OID pkcs12BagIDs[] = { PKCS12_BAG_IDS }; 382 CONST_OID pkcs12CertBagIDs[] = { PKCS12_CERT_BAG_IDS }; 383 CONST_OID pkcs12OIDs[] = { PKCS12_OIDS }; 384 CONST_OID pkcs12PBEIDs[] = { PKCS12_PBE_IDS }; 385 CONST_OID pkcs12EnvelopingIDs[] = { PKCS12_ENVELOPING_IDS }; 386 CONST_OID pkcs12SignatureIDs[] = { PKCS12_SIGNATURE_IDS }; 387 CONST_OID pkcs12PKCS8KeyShrouding[] = { PKCS12_ESPVK_IDS, 0x01 }; 388 CONST_OID pkcs12KeyBagID[] = { PKCS12_BAG_IDS, 0x01 }; 389 CONST_OID pkcs12CertAndCRLBagID[] = { PKCS12_BAG_IDS, 0x02 }; 390 CONST_OID pkcs12SecretBagID[] = { PKCS12_BAG_IDS, 0x03 }; 391 CONST_OID pkcs12X509CertCRLBag[] = { PKCS12_CERT_BAG_IDS, 0x01 }; 392 CONST_OID pkcs12SDSICertBag[] = { PKCS12_CERT_BAG_IDS, 0x02 }; 393 CONST_OID pkcs12PBEWithSha1And128BitRC4[] = { PKCS12_PBE_IDS, 0x01 }; 394 CONST_OID pkcs12PBEWithSha1And40BitRC4[] = { PKCS12_PBE_IDS, 0x02 }; 395 CONST_OID pkcs12PBEWithSha1AndTripleDESCBC[] = { PKCS12_PBE_IDS, 0x03 }; 396 CONST_OID pkcs12PBEWithSha1And128BitRC2CBC[] = { PKCS12_PBE_IDS, 0x04 }; 397 CONST_OID pkcs12PBEWithSha1And40BitRC2CBC[] = { PKCS12_PBE_IDS, 0x05 }; 398 CONST_OID pkcs12RSAEncryptionWith128BitRC4[] = { PKCS12_ENVELOPING_IDS, 0x01 }; 399 CONST_OID pkcs12RSAEncryptionWith40BitRC4[] = { PKCS12_ENVELOPING_IDS, 0x02 }; 400 CONST_OID pkcs12RSAEncryptionWithTripleDES[] = { PKCS12_ENVELOPING_IDS, 0x03 }; 401 CONST_OID pkcs12RSASignatureWithSHA1Digest[] = { PKCS12_SIGNATURE_IDS, 0x01 }; 402 403 /* pkcs 12 version 1.0 ids */ 404 CONST_OID pkcs12V2PBEWithSha1And128BitRC4[] = { PKCS12_V2_PBE_IDS, 0x01 }; 405 CONST_OID pkcs12V2PBEWithSha1And40BitRC4[] = { PKCS12_V2_PBE_IDS, 0x02 }; 406 CONST_OID pkcs12V2PBEWithSha1And3KeyTripleDEScbc[] = { PKCS12_V2_PBE_IDS, 0x03 }; 407 CONST_OID pkcs12V2PBEWithSha1And2KeyTripleDEScbc[] = { PKCS12_V2_PBE_IDS, 0x04 }; 408 CONST_OID pkcs12V2PBEWithSha1And128BitRC2cbc[] = { PKCS12_V2_PBE_IDS, 0x05 }; 409 CONST_OID pkcs12V2PBEWithSha1And40BitRC2cbc[] = { PKCS12_V2_PBE_IDS, 0x06 }; 410 411 CONST_OID pkcs12SafeContentsID[] = { PKCS12_BAG_IDS, 0x04 }; 412 CONST_OID pkcs12PKCS8ShroudedKeyBagID[] = { PKCS12_BAG_IDS, 0x05 }; 413 414 CONST_OID pkcs12V1KeyBag[] = { PKCS12_V1_BAG_IDS, 0x01 }; 415 CONST_OID pkcs12V1PKCS8ShroudedKeyBag[] = { PKCS12_V1_BAG_IDS, 0x02 }; 416 CONST_OID pkcs12V1CertBag[] = { PKCS12_V1_BAG_IDS, 0x03 }; 417 CONST_OID pkcs12V1CRLBag[] = { PKCS12_V1_BAG_IDS, 0x04 }; 418 CONST_OID pkcs12V1SecretBag[] = { PKCS12_V1_BAG_IDS, 0x05 }; 419 CONST_OID pkcs12V1SafeContentsBag[] = { PKCS12_V1_BAG_IDS, 0x06 }; 420 421 /* The following encoding is INCORRECT, but correcting it would create a 422 * duplicate OID in the table. So, we will leave it alone. 423 */ 424 CONST_OID pkcs12KeyUsageAttr[] = { 2, 5, 29, 15 }; 425 426 CONST_OID ansix9DSASignature[] = { ANSI_X9_ALGORITHM, 0x01 }; 427 CONST_OID ansix9DSASignaturewithSHA1Digest[] = { ANSI_X9_ALGORITHM, 0x03 }; 428 CONST_OID nistDSASignaturewithSHA224Digest[] = { DSA2, 0x01 }; 429 CONST_OID nistDSASignaturewithSHA256Digest[] = { DSA2, 0x02 }; 430 431 /* verisign OIDs */ 432 CONST_OID verisignUserNotices[] = { VERISIGN, 1, 7, 1, 1 }; 433 434 /* pkix OIDs */ 435 CONST_OID pkixCPSPointerQualifier[] = { PKIX_POLICY_QUALIFIERS, 1 }; 436 CONST_OID pkixUserNoticeQualifier[] = { PKIX_POLICY_QUALIFIERS, 2 }; 437 438 CONST_OID pkixOCSP[] = { PKIX_OCSP }; 439 CONST_OID pkixOCSPBasicResponse[] = { PKIX_OCSP, 1 }; 440 CONST_OID pkixOCSPNonce[] = { PKIX_OCSP, 2 }; 441 CONST_OID pkixOCSPCRL[] = { PKIX_OCSP, 3 }; 442 CONST_OID pkixOCSPResponse[] = { PKIX_OCSP, 4 }; 443 CONST_OID pkixOCSPNoCheck[] = { PKIX_OCSP, 5 }; 444 CONST_OID pkixOCSPArchiveCutoff[] = { PKIX_OCSP, 6 }; 445 CONST_OID pkixOCSPServiceLocator[] = { PKIX_OCSP, 7 }; 446 447 CONST_OID pkixCAIssuers[] = { PKIX_CA_ISSUERS }; 448 449 CONST_OID pkixRegCtrlRegToken[] = { PKIX_ID_REGCTRL, 1 }; 450 CONST_OID pkixRegCtrlAuthenticator[] = { PKIX_ID_REGCTRL, 2 }; 451 CONST_OID pkixRegCtrlPKIPubInfo[] = { PKIX_ID_REGCTRL, 3 }; 452 CONST_OID pkixRegCtrlPKIArchOptions[] = { PKIX_ID_REGCTRL, 4 }; 453 CONST_OID pkixRegCtrlOldCertID[] = { PKIX_ID_REGCTRL, 5 }; 454 CONST_OID pkixRegCtrlProtEncKey[] = { PKIX_ID_REGCTRL, 6 }; 455 CONST_OID pkixRegInfoUTF8Pairs[] = { PKIX_ID_REGINFO, 1 }; 456 CONST_OID pkixRegInfoCertReq[] = { PKIX_ID_REGINFO, 2 }; 457 458 CONST_OID pkixExtendedKeyUsageServerAuth[] = { PKIX_KEY_USAGE, 1 }; 459 CONST_OID pkixExtendedKeyUsageClientAuth[] = { PKIX_KEY_USAGE, 2 }; 460 CONST_OID pkixExtendedKeyUsageCodeSign[] = { PKIX_KEY_USAGE, 3 }; 461 CONST_OID pkixExtendedKeyUsageEMailProtect[] = { PKIX_KEY_USAGE, 4 }; 462 /* IPsecEnd, IPsecTunnel, and IPsecUser are deprecated, but still in use 463 * (see RFC4945) */ 464 CONST_OID pkixExtendedKeyUsageIPsecEnd[] = { PKIX_KEY_USAGE, 5 }; 465 CONST_OID pkixExtendedKeyUsageIPsecTunnel[] = { PKIX_KEY_USAGE, 6 }; 466 CONST_OID pkixExtendedKeyUsageIPsecUser[] = { PKIX_KEY_USAGE, 7 }; 467 CONST_OID pkixExtendedKeyUsageTimeStamp[] = { PKIX_KEY_USAGE, 8 }; 468 CONST_OID pkixOCSPResponderExtendedKeyUsage[] = { PKIX_KEY_USAGE, 9 }; 469 /* 17 replaces 5 + 6 + 7 (declared obsolete in RFC 4945) */ 470 CONST_OID pkixExtendedKeyUsageIPsecIKE[] = { PKIX_KEY_USAGE, 17 }; 471 CONST_OID msExtendedKeyUsageTrustListSigning[] = { MS_CRYPTO_EKU, 1 }; 472 473 CONST_OID ipsecIKEEnd[] = { INTERNET_SECURITY_MECH, 0x08, 0x02, 0x01 }; 474 CONST_OID ipsecIKEIntermediate[] = { INTERNET_SECURITY_MECH, 0x08, 0x02, 0x02 }; 475 476 /* OIDs for Netscape defined algorithms */ 477 CONST_OID netscapeSMimeKEA[] = { NETSCAPE_ALGS, 0x01 }; 478 479 /* Fortezza algorithm OIDs */ 480 CONST_OID skipjackCBC[] = { MISSI, 0x04 }; 481 CONST_OID dhPublicKey[] = { ANSI_X942_ALGORITHM, 0x1 }; 482 483 CONST_OID idea_CBC[] = { ASCOM_IDEA_ALG, 2 }; 484 CONST_OID aes128_GCM[] = { AES, 0x6 }; 485 CONST_OID aes192_GCM[] = { AES, 0x1a }; 486 CONST_OID aes256_GCM[] = { AES, 0x2e }; 487 CONST_OID aes128_ECB[] = { AES, 1 }; 488 CONST_OID aes128_CBC[] = { AES, 2 }; 489 #ifdef DEFINE_ALL_AES_CIPHERS 490 CONST_OID aes128_OFB[] = { AES, 3 }; 491 CONST_OID aes128_CFB[] = { AES, 4 }; 492 #endif 493 CONST_OID aes128_KEY_WRAP[] = { AES, 5 }; 494 495 CONST_OID aes192_ECB[] = { AES, 21 }; 496 CONST_OID aes192_CBC[] = { AES, 22 }; 497 #ifdef DEFINE_ALL_AES_CIPHERS 498 CONST_OID aes192_OFB[] = { AES, 23 }; 499 CONST_OID aes192_CFB[] = { AES, 24 }; 500 #endif 501 CONST_OID aes192_KEY_WRAP[] = { AES, 25 }; 502 503 CONST_OID aes256_ECB[] = { AES, 41 }; 504 CONST_OID aes256_CBC[] = { AES, 42 }; 505 #ifdef DEFINE_ALL_AES_CIPHERS 506 CONST_OID aes256_OFB[] = { AES, 43 }; 507 CONST_OID aes256_CFB[] = { AES, 44 }; 508 #endif 509 CONST_OID aes256_KEY_WRAP[] = { AES, 45 }; 510 511 CONST_OID camellia128_CBC[] = { CAMELLIA_ENCRYPT_OID, 2 }; 512 CONST_OID camellia192_CBC[] = { CAMELLIA_ENCRYPT_OID, 3 }; 513 CONST_OID camellia256_CBC[] = { CAMELLIA_ENCRYPT_OID, 4 }; 514 515 CONST_OID sha256[] = { SHAXXX, 1 }; 516 CONST_OID sha384[] = { SHAXXX, 2 }; 517 CONST_OID sha512[] = { SHAXXX, 3 }; 518 CONST_OID sha224[] = { SHAXXX, 4 }; 519 520 CONST_OID sha3_224[] = { SHAXXX, 7 }; 521 CONST_OID sha3_256[] = { SHAXXX, 8 }; 522 CONST_OID sha3_384[] = { SHAXXX, 9 }; 523 CONST_OID sha3_512[] = { SHAXXX, 10 }; 524 525 CONST_OID hmac_sha3_224[] = { SHAXXX, 13 }; 526 CONST_OID hmac_sha3_256[] = { SHAXXX, 14 }; 527 CONST_OID hmac_sha3_384[] = { SHAXXX, 15 }; 528 CONST_OID hmac_sha3_512[] = { SHAXXX, 16 }; 529 530 CONST_OID ansix962ECPublicKey[] = { ANSI_X962_OID, 0x02, 0x01 }; 531 CONST_OID ansix962SignaturewithSHA1Digest[] = { ANSI_X962_SIGNATURE_OID, 0x01 }; 532 CONST_OID ansix962SignatureRecommended[] = { ANSI_X962_SIGNATURE_OID, 0x02 }; 533 CONST_OID ansix962SignatureSpecified[] = { ANSI_X962_SPECIFY_OID }; 534 CONST_OID ansix962SignaturewithSHA224Digest[] = { ANSI_X962_SPECIFY_OID, 0x01 }; 535 CONST_OID ansix962SignaturewithSHA256Digest[] = { ANSI_X962_SPECIFY_OID, 0x02 }; 536 CONST_OID ansix962SignaturewithSHA384Digest[] = { ANSI_X962_SPECIFY_OID, 0x03 }; 537 CONST_OID ansix962SignaturewithSHA512Digest[] = { ANSI_X962_SPECIFY_OID, 0x04 }; 538 539 /* ANSI X9.62 prime curve OIDs */ 540 /* NOTE: prime192v1 is the same as secp192r1, prime256v1 is the 541 * same as secp256r1 542 */ 543 CONST_OID ansiX962prime192v1[] = { ANSI_X962_GFp_OID, 0x01 }; /* unsupported by freebl */ 544 CONST_OID ansiX962prime192v2[] = { ANSI_X962_GFp_OID, 0x02 }; /* unsupported by freebl */ 545 CONST_OID ansiX962prime192v3[] = { ANSI_X962_GFp_OID, 0x03 }; /* unsupported by freebl */ 546 CONST_OID ansiX962prime239v1[] = { ANSI_X962_GFp_OID, 0x04 }; /* unsupported by freebl */ 547 CONST_OID ansiX962prime239v2[] = { ANSI_X962_GFp_OID, 0x05 }; /* unsupported by freebl */ 548 CONST_OID ansiX962prime239v3[] = { ANSI_X962_GFp_OID, 0x06 }; /* unsupported by freebl */ 549 CONST_OID ansiX962prime256v1[] = { ANSI_X962_GFp_OID, 0x07 }; 550 551 /* SECG prime curve OIDs */ 552 CONST_OID secgECsecp112r1[] = { SECG_OID, 0x06 }; /* unsupported by freebl */ 553 CONST_OID secgECsecp112r2[] = { SECG_OID, 0x07 }; /* unsupported by freebl */ 554 CONST_OID secgECsecp128r1[] = { SECG_OID, 0x1c }; /* unsupported by freebl */ 555 CONST_OID secgECsecp128r2[] = { SECG_OID, 0x1d }; /* unsupported by freebl */ 556 CONST_OID secgECsecp160k1[] = { SECG_OID, 0x09 }; /* unsupported by freebl */ 557 CONST_OID secgECsecp160r1[] = { SECG_OID, 0x08 }; /* unsupported by freebl */ 558 CONST_OID secgECsecp160r2[] = { SECG_OID, 0x1e }; /* unsupported by freebl */ 559 CONST_OID secgECsecp192k1[] = { SECG_OID, 0x1f }; /* unsupported by freebl */ 560 CONST_OID secgECsecp224k1[] = { SECG_OID, 0x20 }; /* unsupported by freebl */ 561 CONST_OID secgECsecp224r1[] = { SECG_OID, 0x21 }; /* unsupported by freebl */ 562 CONST_OID secgECsecp256k1[] = { SECG_OID, 0x0a }; /* unsupported by freebl */ 563 CONST_OID secgECsecp384r1[] = { SECG_OID, 0x22 }; 564 CONST_OID secgECsecp521r1[] = { SECG_OID, 0x23 }; 565 566 /* ANSI X9.62 characteristic two curve OIDs */ 567 CONST_OID ansiX962c2pnb163v1[] = { ANSI_X962_GF2m_OID, 0x01 }; /* unsupported by freebl */ 568 CONST_OID ansiX962c2pnb163v2[] = { ANSI_X962_GF2m_OID, 0x02 }; /* unsupported by freebl */ 569 CONST_OID ansiX962c2pnb163v3[] = { ANSI_X962_GF2m_OID, 0x03 }; /* unsupported by freebl */ 570 CONST_OID ansiX962c2pnb176v1[] = { ANSI_X962_GF2m_OID, 0x04 }; /* unsupported by freebl */ 571 CONST_OID ansiX962c2tnb191v1[] = { ANSI_X962_GF2m_OID, 0x05 }; /* unsupported by freebl */ 572 CONST_OID ansiX962c2tnb191v2[] = { ANSI_X962_GF2m_OID, 0x06 }; /* unsupported by freebl */ 573 CONST_OID ansiX962c2tnb191v3[] = { ANSI_X962_GF2m_OID, 0x07 }; /* unsupported by freebl */ 574 CONST_OID ansiX962c2onb191v4[] = { ANSI_X962_GF2m_OID, 0x08 }; /* unsupported by freebl */ 575 CONST_OID ansiX962c2onb191v5[] = { ANSI_X962_GF2m_OID, 0x09 }; /* unsupported by freebl */ 576 CONST_OID ansiX962c2pnb208w1[] = { ANSI_X962_GF2m_OID, 0x0a }; /* unsupported by freebl */ 577 CONST_OID ansiX962c2tnb239v1[] = { ANSI_X962_GF2m_OID, 0x0b }; /* unsupported by freebl */ 578 CONST_OID ansiX962c2tnb239v2[] = { ANSI_X962_GF2m_OID, 0x0c }; /* unsupported by freebl */ 579 CONST_OID ansiX962c2tnb239v3[] = { ANSI_X962_GF2m_OID, 0x0d }; /* unsupported by freebl */ 580 CONST_OID ansiX962c2onb239v4[] = { ANSI_X962_GF2m_OID, 0x0e }; /* unsupported by freebl */ 581 CONST_OID ansiX962c2onb239v5[] = { ANSI_X962_GF2m_OID, 0x0f }; /* unsupported by freebl */ 582 CONST_OID ansiX962c2pnb272w1[] = { ANSI_X962_GF2m_OID, 0x10 }; /* unsupported by freebl */ 583 CONST_OID ansiX962c2pnb304w1[] = { ANSI_X962_GF2m_OID, 0x11 }; /* unsupported by freebl */ 584 CONST_OID ansiX962c2tnb359v1[] = { ANSI_X962_GF2m_OID, 0x12 }; /* unsupported by freebl */ 585 CONST_OID ansiX962c2pnb368w1[] = { ANSI_X962_GF2m_OID, 0x13 }; /* unsupported by freebl */ 586 CONST_OID ansiX962c2tnb431r1[] = { ANSI_X962_GF2m_OID, 0x14 }; /* unsupported by freebl */ 587 588 /* SECG characterisitic two curve OIDs */ 589 CONST_OID secgECsect113r1[] = { SECG_OID, 0x04 }; /* unsupported by freebl */ 590 CONST_OID secgECsect113r2[] = { SECG_OID, 0x05 }; /* unsupported by freebl */ 591 CONST_OID secgECsect131r1[] = { SECG_OID, 0x16 }; /* unsupported by freebl */ 592 CONST_OID secgECsect131r2[] = { SECG_OID, 0x17 }; /* unsupported by freebl */ 593 CONST_OID secgECsect163k1[] = { SECG_OID, 0x01 }; /* unsupported by freebl */ 594 CONST_OID secgECsect163r1[] = { SECG_OID, 0x02 }; /* unsupported by freebl */ 595 CONST_OID secgECsect163r2[] = { SECG_OID, 0x0f }; /* unsupported by freebl */ 596 CONST_OID secgECsect193r1[] = { SECG_OID, 0x18 }; /* unsupported by freebl */ 597 CONST_OID secgECsect193r2[] = { SECG_OID, 0x19 }; /* unsupported by freebl */ 598 CONST_OID secgECsect233k1[] = { SECG_OID, 0x1a }; /* unsupported by freebl */ 599 CONST_OID secgECsect233r1[] = { SECG_OID, 0x1b }; /* unsupported by freebl */ 600 CONST_OID secgECsect239k1[] = { SECG_OID, 0x03 }; /* unsupported by freebl */ 601 CONST_OID secgECsect283k1[] = { SECG_OID, 0x10 }; /* unsupported by freebl */ 602 CONST_OID secgECsect283r1[] = { SECG_OID, 0x11 }; /* unsupported by freebl */ 603 CONST_OID secgECsect409k1[] = { SECG_OID, 0x24 }; /* unsupported by freebl */ 604 CONST_OID secgECsect409r1[] = { SECG_OID, 0x25 }; /* unsupported by freebl */ 605 CONST_OID secgECsect571k1[] = { SECG_OID, 0x26 }; /* unsupported by freebl */ 606 CONST_OID secgECsect571r1[] = { SECG_OID, 0x27 }; /* unsupported by freebl */ 607 608 /* Diffie-Hellman key agreement algorithms */ 609 CONST_OID dhSinglePassstdDHsha1kdfscheme[] = { X9_63_SCHEME, 0x02 }; 610 CONST_OID dhSinglePassstdDHsha224kdfscheme[] = { SECG_SCHEME, 0x0B, 0x00 }; 611 CONST_OID dhSinglePassstdDHsha256kdfscheme[] = { SECG_SCHEME, 0x0B, 0x01 }; 612 CONST_OID dhSinglePassstdDHsha384kdfscheme[] = { SECG_SCHEME, 0x0B, 0x02 }; 613 CONST_OID dhSinglePassstdDHsha512kdfscheme[] = { SECG_SCHEME, 0x0B, 0x03 }; 614 CONST_OID dhSinglePasscofactorDHsha1kdfscheme[] = { X9_63_SCHEME, 0x03 }; 615 CONST_OID dhSinglePasscofactorDHsha224kdfscheme[] = { SECG_SCHEME, 0x0E, 0x00 }; 616 CONST_OID dhSinglePasscofactorDHsha256kdfscheme[] = { SECG_SCHEME, 0x0E, 0x01 }; 617 CONST_OID dhSinglePasscofactorDHsha384kdfscheme[] = { SECG_SCHEME, 0x0E, 0x02 }; 618 CONST_OID dhSinglePasscofactorDHsha512kdfscheme[] = { SECG_SCHEME, 0x0E, 0x03 }; 619 620 CONST_OID seed_CBC[] = { SEED_OID, 4 }; 621 622 CONST_OID evIncorporationLocality[] = { EV_NAME_ATTRIBUTE, 1 }; 623 CONST_OID evIncorporationState[] = { EV_NAME_ATTRIBUTE, 2 }; 624 CONST_OID evIncorporationCountry[] = { EV_NAME_ATTRIBUTE, 3 }; 625 626 /* https://tools.ietf.org/html/draft-josefsson-pkix-newcurves-01 627 * 1.3.6.1.4.1.11591.15.1 628 */ 629 CONST_OID curve25519[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01 }; 630 631 /* 632 https://oid-rep.orange-labs.fr/get/1.3.101.112 633 A.1. ASN.1 Object for Ed25519 634 id-Ed25519 OBJECT IDENTIFIER ::= { 1.3.101.112 } 635 Parameters are absent. Length is 7 bytes. 636 Binary encoding: 3005 0603 2B65 70 637 638 The same algorithm identifiers are used for identifying a public key, 639 a private key, and a signature (for the two EdDSA related OIDs). 640 Additional encoding information is provided below for each of these 641 locations. 642 */ 643 644 CONST_OID ed25519PublicKey[] = { 0x2B, 0x65, 0x70 }; 645 CONST_OID ed25519Signature[] = { 0x2B, 0x65, 0x70 }; 646 647 /*https://www.rfc-editor.org/rfc/rfc8410#section-3*/ 648 CONST_OID x25519PublicKey[] = { 0x2b, 0x65, 0x6e }; 649 650 /* 651 * ML-DSA OIDs 652 * https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration 653 */ 654 CONST_OID mlDsa44[] = { DSA2, 17 }; 655 CONST_OID mlDsa65[] = { DSA2, 18 }; 656 CONST_OID mlDsa87[] = { DSA2, 19 }; 657 658 #define OI(x) \ 659 { \ 660 siDEROID, (unsigned char *)x, sizeof x \ 661 } 662 #ifndef SECOID_NO_STRINGS 663 #define OD(oid, tag, desc, mech, ext) \ 664 { \ 665 OI(oid) \ 666 , tag, desc, mech, ext \ 667 } 668 #define ODE(tag, desc, mech, ext) \ 669 { \ 670 { siDEROID, NULL, 0 }, tag, desc, mech, ext \ 671 } 672 #else 673 #define OD(oid, tag, desc, mech, ext) \ 674 { \ 675 OI(oid) \ 676 , tag, 0, mech, ext \ 677 } 678 #define ODE(tag, desc, mech, ext) \ 679 { \ 680 { siDEROID, NULL, 0 }, tag, 0, mech, ext \ 681 } 682 #endif 683 684 #if defined(NSS_ALLOW_UNSUPPORTED_CRITICAL) 685 #define FAKE_SUPPORTED_CERT_EXTENSION SUPPORTED_CERT_EXTENSION 686 #else 687 #define FAKE_SUPPORTED_CERT_EXTENSION UNSUPPORTED_CERT_EXTENSION 688 #endif 689 690 /* 691 * NOTE: the order of these entries must mach the SECOidTag enum in secoidt.h! 692 */ 693 const static SECOidData oids[SEC_OID_TOTAL] = { 694 { { siDEROID, NULL, 0 }, SEC_OID_UNKNOWN, "Unknown OID", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION }, 695 OD(md2, SEC_OID_MD2, "MD2", CKM_MD2, INVALID_CERT_EXTENSION), 696 OD(md4, SEC_OID_MD4, 697 "MD4", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 698 OD(md5, SEC_OID_MD5, "MD5", CKM_MD5, INVALID_CERT_EXTENSION), 699 OD(sha1, SEC_OID_SHA1, "SHA-1", CKM_SHA_1, INVALID_CERT_EXTENSION), 700 OD(rc2cbc, SEC_OID_RC2_CBC, 701 "RC2-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION), 702 OD(rc4, SEC_OID_RC4, "RC4", CKM_RC4, INVALID_CERT_EXTENSION), 703 OD(desede3cbc, SEC_OID_DES_EDE3_CBC, 704 "DES-EDE3-CBC", CKM_DES3_CBC, INVALID_CERT_EXTENSION), 705 OD(rc5cbcpad, SEC_OID_RC5_CBC_PAD, 706 "RC5-CBCPad", CKM_RC5_CBC, INVALID_CERT_EXTENSION), 707 OD(desecb, SEC_OID_DES_ECB, 708 "DES-ECB", CKM_DES_ECB, INVALID_CERT_EXTENSION), 709 OD(descbc, SEC_OID_DES_CBC, 710 "DES-CBC", CKM_DES_CBC, INVALID_CERT_EXTENSION), 711 OD(desofb, SEC_OID_DES_OFB, 712 "DES-OFB", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 713 OD(descfb, SEC_OID_DES_CFB, 714 "DES-CFB", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 715 OD(desmac, SEC_OID_DES_MAC, 716 "DES-MAC", CKM_DES_MAC, INVALID_CERT_EXTENSION), 717 OD(desede, SEC_OID_DES_EDE, 718 "DES-EDE", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 719 OD(isoSHAWithRSASignature, SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE, 720 "ISO SHA with RSA Signature", 721 CKM_SHA1_RSA_PKCS, INVALID_CERT_EXTENSION), 722 OD(pkcs1RSAEncryption, SEC_OID_PKCS1_RSA_ENCRYPTION, 723 "PKCS #1 RSA Encryption", CKM_RSA_PKCS, INVALID_CERT_EXTENSION), 724 725 /* the following Signing mechanisms should get new CKM_ values when 726 * values for CKM_RSA_WITH_MDX and CKM_RSA_WITH_SHA_1 get defined in 727 * PKCS #11. 728 */ 729 OD(pkcs1MD2WithRSAEncryption, SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION, 730 "PKCS #1 MD2 With RSA Encryption", CKM_MD2_RSA_PKCS, 731 INVALID_CERT_EXTENSION), 732 OD(pkcs1MD4WithRSAEncryption, SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION, 733 "PKCS #1 MD4 With RSA Encryption", 734 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 735 OD(pkcs1MD5WithRSAEncryption, SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION, 736 "PKCS #1 MD5 With RSA Encryption", CKM_MD5_RSA_PKCS, 737 INVALID_CERT_EXTENSION), 738 OD(pkcs1SHA1WithRSAEncryption, SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION, 739 "PKCS #1 SHA-1 With RSA Encryption", CKM_SHA1_RSA_PKCS, 740 INVALID_CERT_EXTENSION), 741 742 OD(pkcs5PbeWithMD2AndDEScbc, SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC, 743 "PKCS #5 Password Based Encryption with MD2 and DES-CBC", 744 CKM_PBE_MD2_DES_CBC, INVALID_CERT_EXTENSION), 745 OD(pkcs5PbeWithMD5AndDEScbc, SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC, 746 "PKCS #5 Password Based Encryption with MD5 and DES-CBC", 747 CKM_PBE_MD5_DES_CBC, INVALID_CERT_EXTENSION), 748 OD(pkcs5PbeWithSha1AndDEScbc, SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC, 749 "PKCS #5 Password Based Encryption with SHA-1 and DES-CBC", 750 CKM_NSS_PBE_SHA1_DES_CBC, INVALID_CERT_EXTENSION), 751 OD(pkcs7, SEC_OID_PKCS7, 752 "PKCS #7", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 753 OD(pkcs7Data, SEC_OID_PKCS7_DATA, 754 "PKCS #7 Data", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 755 OD(pkcs7SignedData, SEC_OID_PKCS7_SIGNED_DATA, 756 "PKCS #7 Signed Data", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 757 OD(pkcs7EnvelopedData, SEC_OID_PKCS7_ENVELOPED_DATA, 758 "PKCS #7 Enveloped Data", 759 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 760 OD(pkcs7SignedEnvelopedData, SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA, 761 "PKCS #7 Signed And Enveloped Data", 762 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 763 OD(pkcs7DigestedData, SEC_OID_PKCS7_DIGESTED_DATA, 764 "PKCS #7 Digested Data", 765 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 766 OD(pkcs7EncryptedData, SEC_OID_PKCS7_ENCRYPTED_DATA, 767 "PKCS #7 Encrypted Data", 768 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 769 OD(pkcs9EmailAddress, SEC_OID_PKCS9_EMAIL_ADDRESS, 770 "PKCS #9 Email Address", 771 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 772 OD(pkcs9UnstructuredName, SEC_OID_PKCS9_UNSTRUCTURED_NAME, 773 "PKCS #9 Unstructured Name", 774 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 775 OD(pkcs9ContentType, SEC_OID_PKCS9_CONTENT_TYPE, 776 "PKCS #9 Content Type", 777 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 778 OD(pkcs9MessageDigest, SEC_OID_PKCS9_MESSAGE_DIGEST, 779 "PKCS #9 Message Digest", 780 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 781 OD(pkcs9SigningTime, SEC_OID_PKCS9_SIGNING_TIME, 782 "PKCS #9 Signing Time", 783 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 784 OD(pkcs9CounterSignature, SEC_OID_PKCS9_COUNTER_SIGNATURE, 785 "PKCS #9 Counter Signature", 786 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 787 OD(pkcs9ChallengePassword, SEC_OID_PKCS9_CHALLENGE_PASSWORD, 788 "PKCS #9 Challenge Password", 789 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 790 OD(pkcs9UnstructuredAddress, SEC_OID_PKCS9_UNSTRUCTURED_ADDRESS, 791 "PKCS #9 Unstructured Address", 792 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 793 OD(pkcs9ExtendedCertificateAttributes, 794 SEC_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES, 795 "PKCS #9 Extended Certificate Attributes", 796 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 797 OD(pkcs9SMIMECapabilities, SEC_OID_PKCS9_SMIME_CAPABILITIES, 798 "PKCS #9 S/MIME Capabilities", 799 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 800 OD(x520CommonName, SEC_OID_AVA_COMMON_NAME, 801 "X520 Common Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 802 OD(x520CountryName, SEC_OID_AVA_COUNTRY_NAME, 803 "X520 Country Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 804 OD(x520LocalityName, SEC_OID_AVA_LOCALITY, 805 "X520 Locality Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 806 OD(x520StateOrProvinceName, SEC_OID_AVA_STATE_OR_PROVINCE, 807 "X520 State Or Province Name", 808 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 809 OD(x520OrgName, SEC_OID_AVA_ORGANIZATION_NAME, 810 "X520 Organization Name", 811 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 812 OD(x520OrgUnitName, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME, 813 "X520 Organizational Unit Name", 814 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 815 OD(x520DnQualifier, SEC_OID_AVA_DN_QUALIFIER, 816 "X520 DN Qualifier", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 817 OD(rfc2247DomainComponent, SEC_OID_AVA_DC, 818 "RFC 2247 Domain Component", 819 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 820 821 OD(nsTypeGIF, SEC_OID_NS_TYPE_GIF, 822 "GIF", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 823 OD(nsTypeJPEG, SEC_OID_NS_TYPE_JPEG, 824 "JPEG", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 825 OD(nsTypeURL, SEC_OID_NS_TYPE_URL, 826 "URL", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 827 OD(nsTypeHTML, SEC_OID_NS_TYPE_HTML, 828 "HTML", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 829 OD(nsTypeCertSeq, SEC_OID_NS_TYPE_CERT_SEQUENCE, 830 "Certificate Sequence", 831 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 832 OD(missiCertKEADSSOld, SEC_OID_MISSI_KEA_DSS_OLD, 833 "MISSI KEA and DSS Algorithm (Old)", 834 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 835 OD(missiCertDSSOld, SEC_OID_MISSI_DSS_OLD, 836 "MISSI DSS Algorithm (Old)", 837 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 838 OD(missiCertKEADSS, SEC_OID_MISSI_KEA_DSS, 839 "MISSI KEA and DSS Algorithm", 840 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 841 OD(missiCertDSS, SEC_OID_MISSI_DSS, 842 "MISSI DSS Algorithm", 843 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 844 OD(missiCertKEA, SEC_OID_MISSI_KEA, 845 "MISSI KEA Algorithm", 846 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 847 OD(missiCertAltKEA, SEC_OID_MISSI_ALT_KEA, 848 "MISSI Alternate KEA Algorithm", 849 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 850 851 /* Netscape private extensions */ 852 OD(nsCertExtNetscapeOK, SEC_OID_NS_CERT_EXT_NETSCAPE_OK, 853 "Netscape says this cert is OK", 854 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION), 855 OD(nsCertExtIssuerLogo, SEC_OID_NS_CERT_EXT_ISSUER_LOGO, 856 "Certificate Issuer Logo", 857 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION), 858 OD(nsCertExtSubjectLogo, SEC_OID_NS_CERT_EXT_SUBJECT_LOGO, 859 "Certificate Subject Logo", 860 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION), 861 OD(nsExtCertType, SEC_OID_NS_CERT_EXT_CERT_TYPE, 862 "Certificate Type", 863 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION), 864 OD(nsExtBaseURL, SEC_OID_NS_CERT_EXT_BASE_URL, 865 "Certificate Extension Base URL", 866 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION), 867 OD(nsExtRevocationURL, SEC_OID_NS_CERT_EXT_REVOCATION_URL, 868 "Certificate Revocation URL", 869 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION), 870 OD(nsExtCARevocationURL, SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL, 871 "Certificate Authority Revocation URL", 872 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION), 873 OD(nsExtCACRLURL, SEC_OID_NS_CERT_EXT_CA_CRL_URL, 874 "Certificate Authority CRL Download URL", 875 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION), 876 OD(nsExtCACertURL, SEC_OID_NS_CERT_EXT_CA_CERT_URL, 877 "Certificate Authority Certificate Download URL", 878 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION), 879 OD(nsExtCertRenewalURL, SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL, 880 "Certificate Renewal URL", 881 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION), 882 OD(nsExtCAPolicyURL, SEC_OID_NS_CERT_EXT_CA_POLICY_URL, 883 "Certificate Authority Policy URL", 884 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION), 885 OD(nsExtHomepageURL, SEC_OID_NS_CERT_EXT_HOMEPAGE_URL, 886 "Certificate Homepage URL", 887 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION), 888 OD(nsExtEntityLogo, SEC_OID_NS_CERT_EXT_ENTITY_LOGO, 889 "Certificate Entity Logo", 890 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION), 891 OD(nsExtUserPicture, SEC_OID_NS_CERT_EXT_USER_PICTURE, 892 "Certificate User Picture", 893 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION), 894 OD(nsExtSSLServerName, SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME, 895 "Certificate SSL Server Name", 896 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION), 897 OD(nsExtComment, SEC_OID_NS_CERT_EXT_COMMENT, 898 "Certificate Comment", 899 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION), 900 OD(nsExtLostPasswordURL, SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL, 901 "Lost Password URL", 902 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION), 903 OD(nsExtCertRenewalTime, SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME, 904 "Certificate Renewal Time", 905 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION), 906 OD(nsKeyUsageGovtApproved, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED, 907 "Strong Crypto Export Approved", 908 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION), 909 910 /* x.509 v3 certificate extensions */ 911 OD(x509SubjectDirectoryAttr, SEC_OID_X509_SUBJECT_DIRECTORY_ATTR, 912 "Certificate Subject Directory Attributes", 913 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION), 914 OD(x509SubjectKeyID, SEC_OID_X509_SUBJECT_KEY_ID, 915 "Certificate Subject Key ID", 916 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION), 917 OD(x509KeyUsage, SEC_OID_X509_KEY_USAGE, 918 "Certificate Key Usage", 919 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION), 920 OD(x509PrivateKeyUsagePeriod, SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD, 921 "Certificate Private Key Usage Period", 922 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION), 923 OD(x509SubjectAltName, SEC_OID_X509_SUBJECT_ALT_NAME, 924 "Certificate Subject Alt Name", 925 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION), 926 OD(x509IssuerAltName, SEC_OID_X509_ISSUER_ALT_NAME, 927 "Certificate Issuer Alt Name", 928 CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION), 929 OD(x509BasicConstraints, SEC_OID_X509_BASIC_CONSTRAINTS, 930 "Certificate Basic Constraints", 931 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION), 932 OD(x509NameConstraints, SEC_OID_X509_NAME_CONSTRAINTS, 933 "Certificate Name Constraints", 934 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION), 935 OD(x509CRLDistPoints, SEC_OID_X509_CRL_DIST_POINTS, 936 "CRL Distribution Points", 937 CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION), 938 OD(x509CertificatePolicies, SEC_OID_X509_CERTIFICATE_POLICIES, 939 "Certificate Policies", 940 CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION), 941 OD(x509PolicyMappings, SEC_OID_X509_POLICY_MAPPINGS, 942 "Certificate Policy Mappings", 943 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION), 944 OD(x509PolicyConstraints, SEC_OID_X509_POLICY_CONSTRAINTS, 945 "Certificate Policy Constraints", 946 CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION), 947 OD(x509AuthKeyID, SEC_OID_X509_AUTH_KEY_ID, 948 "Certificate Authority Key Identifier", 949 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION), 950 OD(x509ExtKeyUsage, SEC_OID_X509_EXT_KEY_USAGE, 951 "Extended Key Usage", 952 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION), 953 OD(x509AuthInfoAccess, SEC_OID_X509_AUTH_INFO_ACCESS, 954 "Authority Information Access", 955 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION), 956 957 /* x.509 v3 CRL extensions */ 958 OD(x509CRLNumber, SEC_OID_X509_CRL_NUMBER, 959 "CRL Number", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION), 960 OD(x509ReasonCode, SEC_OID_X509_REASON_CODE, 961 "CRL reason code", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION), 962 OD(x509InvalidDate, SEC_OID_X509_INVALID_DATE, 963 "Invalid Date", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION), 964 965 OD(x500RSAEncryption, SEC_OID_X500_RSA_ENCRYPTION, 966 "X500 RSA Encryption", CKM_RSA_X_509, INVALID_CERT_EXTENSION), 967 968 /* added for alg 1485 */ 969 OD(rfc1274Uid, SEC_OID_RFC1274_UID, 970 "RFC1274 User Id", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 971 OD(rfc1274Mail, SEC_OID_RFC1274_MAIL, 972 "RFC1274 E-mail Address", 973 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 974 975 /* pkcs 12 additions */ 976 OD(pkcs12, SEC_OID_PKCS12, 977 "PKCS #12", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 978 OD(pkcs12ModeIDs, SEC_OID_PKCS12_MODE_IDS, 979 "PKCS #12 Mode IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 980 OD(pkcs12ESPVKIDs, SEC_OID_PKCS12_ESPVK_IDS, 981 "PKCS #12 ESPVK IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 982 OD(pkcs12BagIDs, SEC_OID_PKCS12_BAG_IDS, 983 "PKCS #12 Bag IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 984 OD(pkcs12CertBagIDs, SEC_OID_PKCS12_CERT_BAG_IDS, 985 "PKCS #12 Cert Bag IDs", 986 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 987 OD(pkcs12OIDs, SEC_OID_PKCS12_OIDS, 988 "PKCS #12 OIDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 989 OD(pkcs12PBEIDs, SEC_OID_PKCS12_PBE_IDS, 990 "PKCS #12 PBE IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 991 OD(pkcs12SignatureIDs, SEC_OID_PKCS12_SIGNATURE_IDS, 992 "PKCS #12 Signature IDs", 993 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 994 OD(pkcs12EnvelopingIDs, SEC_OID_PKCS12_ENVELOPING_IDS, 995 "PKCS #12 Enveloping IDs", 996 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 997 OD(pkcs12PKCS8KeyShrouding, SEC_OID_PKCS12_PKCS8_KEY_SHROUDING, 998 "PKCS #12 Key Shrouding", 999 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1000 OD(pkcs12KeyBagID, SEC_OID_PKCS12_KEY_BAG_ID, 1001 "PKCS #12 Key Bag ID", 1002 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1003 OD(pkcs12CertAndCRLBagID, SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID, 1004 "PKCS #12 Cert And CRL Bag ID", 1005 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1006 OD(pkcs12SecretBagID, SEC_OID_PKCS12_SECRET_BAG_ID, 1007 "PKCS #12 Secret Bag ID", 1008 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1009 OD(pkcs12X509CertCRLBag, SEC_OID_PKCS12_X509_CERT_CRL_BAG, 1010 "PKCS #12 X509 Cert CRL Bag", 1011 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1012 OD(pkcs12SDSICertBag, SEC_OID_PKCS12_SDSI_CERT_BAG, 1013 "PKCS #12 SDSI Cert Bag", 1014 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1015 OD(pkcs12PBEWithSha1And128BitRC4, 1016 SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4, 1017 "PKCS #12 PBE With SHA-1 and 128 Bit RC4", 1018 CKM_NSS_PBE_SHA1_128_BIT_RC4, INVALID_CERT_EXTENSION), 1019 OD(pkcs12PBEWithSha1And40BitRC4, 1020 SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4, 1021 "PKCS #12 PBE With SHA-1 and 40 Bit RC4", 1022 CKM_NSS_PBE_SHA1_40_BIT_RC4, INVALID_CERT_EXTENSION), 1023 OD(pkcs12PBEWithSha1AndTripleDESCBC, 1024 SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC, 1025 "PKCS #12 PBE With SHA-1 and Triple DES-CBC", 1026 CKM_NSS_PBE_SHA1_TRIPLE_DES_CBC, INVALID_CERT_EXTENSION), 1027 OD(pkcs12PBEWithSha1And128BitRC2CBC, 1028 SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC, 1029 "PKCS #12 PBE With SHA-1 and 128 Bit RC2 CBC", 1030 CKM_NSS_PBE_SHA1_128_BIT_RC2_CBC, INVALID_CERT_EXTENSION), 1031 OD(pkcs12PBEWithSha1And40BitRC2CBC, 1032 SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC, 1033 "PKCS #12 PBE With SHA-1 and 40 Bit RC2 CBC", 1034 CKM_NSS_PBE_SHA1_40_BIT_RC2_CBC, INVALID_CERT_EXTENSION), 1035 OD(pkcs12RSAEncryptionWith128BitRC4, 1036 SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_128_BIT_RC4, 1037 "PKCS #12 RSA Encryption with 128 Bit RC4", 1038 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1039 OD(pkcs12RSAEncryptionWith40BitRC4, 1040 SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_40_BIT_RC4, 1041 "PKCS #12 RSA Encryption with 40 Bit RC4", 1042 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1043 OD(pkcs12RSAEncryptionWithTripleDES, 1044 SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_TRIPLE_DES, 1045 "PKCS #12 RSA Encryption with Triple DES", 1046 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1047 OD(pkcs12RSASignatureWithSHA1Digest, 1048 SEC_OID_PKCS12_RSA_SIGNATURE_WITH_SHA1_DIGEST, 1049 "PKCS #12 RSA Encryption with Triple DES", 1050 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1051 1052 /* DSA signatures */ 1053 OD(ansix9DSASignature, SEC_OID_ANSIX9_DSA_SIGNATURE, 1054 "ANSI X9.57 DSA Signature", CKM_DSA, INVALID_CERT_EXTENSION), 1055 OD(ansix9DSASignaturewithSHA1Digest, 1056 SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST, 1057 "ANSI X9.57 DSA Signature with SHA-1 Digest", 1058 CKM_DSA_SHA1, INVALID_CERT_EXTENSION), 1059 OD(bogusDSASignaturewithSHA1Digest, 1060 SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST, 1061 "FORTEZZA DSA Signature with SHA-1 Digest", 1062 CKM_DSA_SHA1, INVALID_CERT_EXTENSION), 1063 1064 /* verisign oids */ 1065 OD(verisignUserNotices, SEC_OID_VERISIGN_USER_NOTICES, 1066 "Verisign User Notices", 1067 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1068 1069 /* pkix oids */ 1070 OD(pkixCPSPointerQualifier, SEC_OID_PKIX_CPS_POINTER_QUALIFIER, 1071 "PKIX CPS Pointer Qualifier", 1072 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1073 OD(pkixUserNoticeQualifier, SEC_OID_PKIX_USER_NOTICE_QUALIFIER, 1074 "PKIX User Notice Qualifier", 1075 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1076 1077 OD(pkixOCSP, SEC_OID_PKIX_OCSP, 1078 "PKIX Online Certificate Status Protocol", 1079 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1080 OD(pkixOCSPBasicResponse, SEC_OID_PKIX_OCSP_BASIC_RESPONSE, 1081 "OCSP Basic Response", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1082 OD(pkixOCSPNonce, SEC_OID_PKIX_OCSP_NONCE, 1083 "OCSP Nonce Extension", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1084 OD(pkixOCSPCRL, SEC_OID_PKIX_OCSP_CRL, 1085 "OCSP CRL Reference Extension", 1086 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1087 OD(pkixOCSPResponse, SEC_OID_PKIX_OCSP_RESPONSE, 1088 "OCSP Response Types Extension", 1089 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1090 OD(pkixOCSPNoCheck, SEC_OID_PKIX_OCSP_NO_CHECK, 1091 "OCSP No Check Extension", 1092 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION), 1093 OD(pkixOCSPArchiveCutoff, SEC_OID_PKIX_OCSP_ARCHIVE_CUTOFF, 1094 "OCSP Archive Cutoff Extension", 1095 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1096 OD(pkixOCSPServiceLocator, SEC_OID_PKIX_OCSP_SERVICE_LOCATOR, 1097 "OCSP Service Locator Extension", 1098 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1099 1100 OD(pkixRegCtrlRegToken, SEC_OID_PKIX_REGCTRL_REGTOKEN, 1101 "PKIX CRMF Registration Control, Registration Token", 1102 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1103 OD(pkixRegCtrlAuthenticator, SEC_OID_PKIX_REGCTRL_AUTHENTICATOR, 1104 "PKIX CRMF Registration Control, Registration Authenticator", 1105 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1106 OD(pkixRegCtrlPKIPubInfo, SEC_OID_PKIX_REGCTRL_PKIPUBINFO, 1107 "PKIX CRMF Registration Control, PKI Publication Info", 1108 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1109 OD(pkixRegCtrlPKIArchOptions, 1110 SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS, 1111 "PKIX CRMF Registration Control, PKI Archive Options", 1112 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1113 OD(pkixRegCtrlOldCertID, SEC_OID_PKIX_REGCTRL_OLD_CERT_ID, 1114 "PKIX CRMF Registration Control, Old Certificate ID", 1115 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1116 OD(pkixRegCtrlProtEncKey, SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY, 1117 "PKIX CRMF Registration Control, Protocol Encryption Key", 1118 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1119 OD(pkixRegInfoUTF8Pairs, SEC_OID_PKIX_REGINFO_UTF8_PAIRS, 1120 "PKIX CRMF Registration Info, UTF8 Pairs", 1121 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1122 OD(pkixRegInfoCertReq, SEC_OID_PKIX_REGINFO_CERT_REQUEST, 1123 "PKIX CRMF Registration Info, Certificate Request", 1124 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1125 OD(pkixExtendedKeyUsageServerAuth, 1126 SEC_OID_EXT_KEY_USAGE_SERVER_AUTH, 1127 "TLS Web Server Authentication Certificate", 1128 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1129 OD(pkixExtendedKeyUsageClientAuth, 1130 SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH, 1131 "TLS Web Client Authentication Certificate", 1132 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1133 OD(pkixExtendedKeyUsageCodeSign, SEC_OID_EXT_KEY_USAGE_CODE_SIGN, 1134 "Code Signing Certificate", 1135 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1136 OD(pkixExtendedKeyUsageEMailProtect, 1137 SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT, 1138 "E-Mail Protection Certificate", 1139 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1140 OD(pkixExtendedKeyUsageTimeStamp, 1141 SEC_OID_EXT_KEY_USAGE_TIME_STAMP, 1142 "Time Stamping Certifcate", 1143 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1144 OD(pkixOCSPResponderExtendedKeyUsage, SEC_OID_OCSP_RESPONDER, 1145 "OCSP Responder Certificate", 1146 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1147 1148 /* Netscape Algorithm OIDs */ 1149 1150 OD(netscapeSMimeKEA, SEC_OID_NETSCAPE_SMIME_KEA, 1151 "Netscape S/MIME KEA", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1152 1153 /* Skipjack OID -- ### mwelch temporary */ 1154 OD(skipjackCBC, SEC_OID_FORTEZZA_SKIPJACK, 1155 "Skipjack CBC64", CKM_SKIPJACK_CBC64, INVALID_CERT_EXTENSION), 1156 1157 /* pkcs12 v2 oids */ 1158 OD(pkcs12V2PBEWithSha1And128BitRC4, 1159 SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4, 1160 "PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4", 1161 CKM_PBE_SHA1_RC4_128, INVALID_CERT_EXTENSION), 1162 OD(pkcs12V2PBEWithSha1And40BitRC4, 1163 SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4, 1164 "PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4", 1165 CKM_PBE_SHA1_RC4_40, INVALID_CERT_EXTENSION), 1166 OD(pkcs12V2PBEWithSha1And3KeyTripleDEScbc, 1167 SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC, 1168 "PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC", 1169 CKM_PBE_SHA1_DES3_EDE_CBC, INVALID_CERT_EXTENSION), 1170 OD(pkcs12V2PBEWithSha1And2KeyTripleDEScbc, 1171 SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC, 1172 "PKCS #12 V2 PBE With SHA-1 And 2KEY Triple DES-CBC", 1173 CKM_PBE_SHA1_DES2_EDE_CBC, INVALID_CERT_EXTENSION), 1174 OD(pkcs12V2PBEWithSha1And128BitRC2cbc, 1175 SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC, 1176 "PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC", 1177 CKM_PBE_SHA1_RC2_128_CBC, INVALID_CERT_EXTENSION), 1178 OD(pkcs12V2PBEWithSha1And40BitRC2cbc, 1179 SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC, 1180 "PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC", 1181 CKM_PBE_SHA1_RC2_40_CBC, INVALID_CERT_EXTENSION), 1182 OD(pkcs12SafeContentsID, SEC_OID_PKCS12_SAFE_CONTENTS_ID, 1183 "PKCS #12 Safe Contents ID", 1184 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1185 OD(pkcs12PKCS8ShroudedKeyBagID, 1186 SEC_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG_ID, 1187 "PKCS #12 Safe Contents ID", 1188 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1189 OD(pkcs12V1KeyBag, SEC_OID_PKCS12_V1_KEY_BAG_ID, 1190 "PKCS #12 V1 Key Bag", 1191 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1192 OD(pkcs12V1PKCS8ShroudedKeyBag, 1193 SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID, 1194 "PKCS #12 V1 PKCS8 Shrouded Key Bag", 1195 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1196 OD(pkcs12V1CertBag, SEC_OID_PKCS12_V1_CERT_BAG_ID, 1197 "PKCS #12 V1 Cert Bag", 1198 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1199 OD(pkcs12V1CRLBag, SEC_OID_PKCS12_V1_CRL_BAG_ID, 1200 "PKCS #12 V1 CRL Bag", 1201 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1202 OD(pkcs12V1SecretBag, SEC_OID_PKCS12_V1_SECRET_BAG_ID, 1203 "PKCS #12 V1 Secret Bag", 1204 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1205 OD(pkcs12V1SafeContentsBag, SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID, 1206 "PKCS #12 V1 Safe Contents Bag", 1207 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1208 1209 OD(pkcs9X509Certificate, SEC_OID_PKCS9_X509_CERT, 1210 "PKCS #9 X509 Certificate", 1211 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1212 OD(pkcs9SDSICertificate, SEC_OID_PKCS9_SDSI_CERT, 1213 "PKCS #9 SDSI Certificate", 1214 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1215 OD(pkcs9X509CRL, SEC_OID_PKCS9_X509_CRL, 1216 "PKCS #9 X509 CRL", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1217 OD(pkcs9FriendlyName, SEC_OID_PKCS9_FRIENDLY_NAME, 1218 "PKCS #9 Friendly Name", 1219 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1220 OD(pkcs9LocalKeyID, SEC_OID_PKCS9_LOCAL_KEY_ID, 1221 "PKCS #9 Local Key ID", 1222 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1223 OD(pkcs12KeyUsageAttr, SEC_OID_BOGUS_KEY_USAGE, 1224 "Bogus Key Usage", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1225 OD(dhPublicKey, SEC_OID_X942_DIFFIE_HELMAN_KEY, 1226 "Diffie-Helman Public Key", CKM_DH_PKCS_DERIVE, 1227 INVALID_CERT_EXTENSION), 1228 OD(netscapeNickname, SEC_OID_NETSCAPE_NICKNAME, 1229 "Netscape Nickname", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1230 1231 /* Cert Server specific OIDs */ 1232 OD(netscapeRecoveryRequest, SEC_OID_NETSCAPE_RECOVERY_REQUEST, 1233 "Recovery Request OID", 1234 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1235 1236 OD(nsExtAIACertRenewal, SEC_OID_CERT_RENEWAL_LOCATOR, 1237 "Certificate Renewal Locator OID", CKM_INVALID_MECHANISM, 1238 INVALID_CERT_EXTENSION), 1239 1240 OD(nsExtCertScopeOfUse, SEC_OID_NS_CERT_EXT_SCOPE_OF_USE, 1241 "Certificate Scope-of-Use Extension", CKM_INVALID_MECHANISM, 1242 SUPPORTED_CERT_EXTENSION), 1243 1244 /* CMS stuff */ 1245 OD(cmsESDH, SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN, 1246 "Ephemeral-Static Diffie-Hellman", CKM_INVALID_MECHANISM /* XXX */, 1247 INVALID_CERT_EXTENSION), 1248 OD(cms3DESwrap, SEC_OID_CMS_3DES_KEY_WRAP, 1249 "CMS Triple DES Key Wrap", CKM_INVALID_MECHANISM /* XXX */, 1250 INVALID_CERT_EXTENSION), 1251 OD(cmsRC2wrap, SEC_OID_CMS_RC2_KEY_WRAP, 1252 "CMS RC2 Key Wrap", CKM_INVALID_MECHANISM /* XXX */, 1253 INVALID_CERT_EXTENSION), 1254 OD(smimeEncryptionKeyPreference, SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE, 1255 "S/MIME Encryption Key Preference", 1256 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1257 1258 /* AES algorithm OIDs */ 1259 OD(aes128_ECB, SEC_OID_AES_128_ECB, 1260 "AES-128-ECB", CKM_AES_ECB, INVALID_CERT_EXTENSION), 1261 OD(aes128_CBC, SEC_OID_AES_128_CBC, 1262 "AES-128-CBC", CKM_AES_CBC, INVALID_CERT_EXTENSION), 1263 OD(aes192_ECB, SEC_OID_AES_192_ECB, 1264 "AES-192-ECB", CKM_AES_ECB, INVALID_CERT_EXTENSION), 1265 OD(aes192_CBC, SEC_OID_AES_192_CBC, 1266 "AES-192-CBC", CKM_AES_CBC, INVALID_CERT_EXTENSION), 1267 OD(aes256_ECB, SEC_OID_AES_256_ECB, 1268 "AES-256-ECB", CKM_AES_ECB, INVALID_CERT_EXTENSION), 1269 OD(aes256_CBC, SEC_OID_AES_256_CBC, 1270 "AES-256-CBC", CKM_AES_CBC, INVALID_CERT_EXTENSION), 1271 1272 /* More bogus DSA OIDs */ 1273 OD(sdn702DSASignature, SEC_OID_SDN702_DSA_SIGNATURE, 1274 "SDN.702 DSA Signature", CKM_DSA_SHA1, INVALID_CERT_EXTENSION), 1275 1276 OD(ms_smimeEncryptionKeyPreference, 1277 SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE, 1278 "Microsoft S/MIME Encryption Key Preference", 1279 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1280 1281 OD(sha256, SEC_OID_SHA256, "SHA-256", CKM_SHA256, INVALID_CERT_EXTENSION), 1282 OD(sha384, SEC_OID_SHA384, "SHA-384", CKM_SHA384, INVALID_CERT_EXTENSION), 1283 OD(sha512, SEC_OID_SHA512, "SHA-512", CKM_SHA512, INVALID_CERT_EXTENSION), 1284 1285 OD(pkcs1SHA256WithRSAEncryption, SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION, 1286 "PKCS #1 SHA-256 With RSA Encryption", CKM_SHA256_RSA_PKCS, 1287 INVALID_CERT_EXTENSION), 1288 OD(pkcs1SHA384WithRSAEncryption, SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION, 1289 "PKCS #1 SHA-384 With RSA Encryption", CKM_SHA384_RSA_PKCS, 1290 INVALID_CERT_EXTENSION), 1291 OD(pkcs1SHA512WithRSAEncryption, SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION, 1292 "PKCS #1 SHA-512 With RSA Encryption", CKM_SHA512_RSA_PKCS, 1293 INVALID_CERT_EXTENSION), 1294 1295 OD(aes128_KEY_WRAP, SEC_OID_AES_128_KEY_WRAP, 1296 "AES-128 Key Wrap", CKM_AES_KEY_WRAP, INVALID_CERT_EXTENSION), 1297 OD(aes192_KEY_WRAP, SEC_OID_AES_192_KEY_WRAP, 1298 "AES-192 Key Wrap", CKM_AES_KEY_WRAP, INVALID_CERT_EXTENSION), 1299 OD(aes256_KEY_WRAP, SEC_OID_AES_256_KEY_WRAP, 1300 "AES-256 Key Wrap", CKM_AES_KEY_WRAP, INVALID_CERT_EXTENSION), 1301 1302 /* Elliptic Curve Cryptography (ECC) OIDs */ 1303 OD(ansix962ECPublicKey, SEC_OID_ANSIX962_EC_PUBLIC_KEY, 1304 "X9.62 elliptic curve public key", CKM_ECDH1_DERIVE, 1305 INVALID_CERT_EXTENSION), 1306 OD(ansix962SignaturewithSHA1Digest, 1307 SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE, 1308 "X9.62 ECDSA signature with SHA-1", CKM_ECDSA_SHA1, 1309 INVALID_CERT_EXTENSION), 1310 1311 /* Named curves */ 1312 /* NOTE: Only P256, P384, P521, and 25519 are supported by softoken. 1313 * Using other curves requires an appropriate token. */ 1314 1315 /* ANSI X9.62 named elliptic curves (prime field) */ 1316 OD(ansiX962prime192v1, SEC_OID_ANSIX962_EC_PRIME192V1, 1317 "ANSI X9.62 elliptic curve prime192v1 (aka secp192r1, NIST P-192)", 1318 CKM_INVALID_MECHANISM, 1319 INVALID_CERT_EXTENSION), 1320 OD(ansiX962prime192v2, SEC_OID_ANSIX962_EC_PRIME192V2, 1321 "ANSI X9.62 elliptic curve prime192v2", 1322 CKM_INVALID_MECHANISM, 1323 INVALID_CERT_EXTENSION), 1324 OD(ansiX962prime192v3, SEC_OID_ANSIX962_EC_PRIME192V3, 1325 "ANSI X9.62 elliptic curve prime192v3", 1326 CKM_INVALID_MECHANISM, 1327 INVALID_CERT_EXTENSION), 1328 OD(ansiX962prime239v1, SEC_OID_ANSIX962_EC_PRIME239V1, 1329 "ANSI X9.62 elliptic curve prime239v1", 1330 CKM_INVALID_MECHANISM, 1331 INVALID_CERT_EXTENSION), 1332 OD(ansiX962prime239v2, SEC_OID_ANSIX962_EC_PRIME239V2, 1333 "ANSI X9.62 elliptic curve prime239v2", 1334 CKM_INVALID_MECHANISM, 1335 INVALID_CERT_EXTENSION), 1336 OD(ansiX962prime239v3, SEC_OID_ANSIX962_EC_PRIME239V3, 1337 "ANSI X9.62 elliptic curve prime239v3", 1338 CKM_INVALID_MECHANISM, 1339 INVALID_CERT_EXTENSION), 1340 OD(ansiX962prime256v1, SEC_OID_ANSIX962_EC_PRIME256V1, 1341 "ANSI X9.62 elliptic curve prime256v1 (aka secp256r1, NIST P-256)", 1342 CKM_INVALID_MECHANISM, 1343 INVALID_CERT_EXTENSION), 1344 1345 /* SECG named elliptic curves (prime field) */ 1346 OD(secgECsecp112r1, SEC_OID_SECG_EC_SECP112R1, 1347 "SECG elliptic curve secp112r1", 1348 CKM_INVALID_MECHANISM, 1349 INVALID_CERT_EXTENSION), 1350 OD(secgECsecp112r2, SEC_OID_SECG_EC_SECP112R2, 1351 "SECG elliptic curve secp112r2", 1352 CKM_INVALID_MECHANISM, 1353 INVALID_CERT_EXTENSION), 1354 OD(secgECsecp128r1, SEC_OID_SECG_EC_SECP128R1, 1355 "SECG elliptic curve secp128r1", 1356 CKM_INVALID_MECHANISM, 1357 INVALID_CERT_EXTENSION), 1358 OD(secgECsecp128r2, SEC_OID_SECG_EC_SECP128R2, 1359 "SECG elliptic curve secp128r2", 1360 CKM_INVALID_MECHANISM, 1361 INVALID_CERT_EXTENSION), 1362 OD(secgECsecp160k1, SEC_OID_SECG_EC_SECP160K1, 1363 "SECG elliptic curve secp160k1", 1364 CKM_INVALID_MECHANISM, 1365 INVALID_CERT_EXTENSION), 1366 OD(secgECsecp160r1, SEC_OID_SECG_EC_SECP160R1, 1367 "SECG elliptic curve secp160r1", 1368 CKM_INVALID_MECHANISM, 1369 INVALID_CERT_EXTENSION), 1370 OD(secgECsecp160r2, SEC_OID_SECG_EC_SECP160R2, 1371 "SECG elliptic curve secp160r2", 1372 CKM_INVALID_MECHANISM, 1373 INVALID_CERT_EXTENSION), 1374 OD(secgECsecp192k1, SEC_OID_SECG_EC_SECP192K1, 1375 "SECG elliptic curve secp192k1", 1376 CKM_INVALID_MECHANISM, 1377 INVALID_CERT_EXTENSION), 1378 OD(secgECsecp224k1, SEC_OID_SECG_EC_SECP224K1, 1379 "SECG elliptic curve secp224k1", 1380 CKM_INVALID_MECHANISM, 1381 INVALID_CERT_EXTENSION), 1382 OD(secgECsecp224r1, SEC_OID_SECG_EC_SECP224R1, 1383 "SECG elliptic curve secp224r1 (aka NIST P-224)", 1384 CKM_INVALID_MECHANISM, 1385 INVALID_CERT_EXTENSION), 1386 OD(secgECsecp256k1, SEC_OID_SECG_EC_SECP256K1, 1387 "SECG elliptic curve secp256k1", 1388 CKM_INVALID_MECHANISM, 1389 INVALID_CERT_EXTENSION), 1390 OD(secgECsecp384r1, SEC_OID_SECG_EC_SECP384R1, 1391 "SECG elliptic curve secp384r1 (aka NIST P-384)", 1392 CKM_INVALID_MECHANISM, 1393 INVALID_CERT_EXTENSION), 1394 OD(secgECsecp521r1, SEC_OID_SECG_EC_SECP521R1, 1395 "SECG elliptic curve secp521r1 (aka NIST P-521)", 1396 CKM_INVALID_MECHANISM, 1397 INVALID_CERT_EXTENSION), 1398 1399 /* ANSI X9.62 named elliptic curves (characteristic two field) */ 1400 OD(ansiX962c2pnb163v1, SEC_OID_ANSIX962_EC_C2PNB163V1, 1401 "ANSI X9.62 elliptic curve c2pnb163v1", 1402 CKM_INVALID_MECHANISM, 1403 INVALID_CERT_EXTENSION), 1404 OD(ansiX962c2pnb163v2, SEC_OID_ANSIX962_EC_C2PNB163V2, 1405 "ANSI X9.62 elliptic curve c2pnb163v2", 1406 CKM_INVALID_MECHANISM, 1407 INVALID_CERT_EXTENSION), 1408 OD(ansiX962c2pnb163v3, SEC_OID_ANSIX962_EC_C2PNB163V3, 1409 "ANSI X9.62 elliptic curve c2pnb163v3", 1410 CKM_INVALID_MECHANISM, 1411 INVALID_CERT_EXTENSION), 1412 OD(ansiX962c2pnb176v1, SEC_OID_ANSIX962_EC_C2PNB176V1, 1413 "ANSI X9.62 elliptic curve c2pnb176v1", 1414 CKM_INVALID_MECHANISM, 1415 INVALID_CERT_EXTENSION), 1416 OD(ansiX962c2tnb191v1, SEC_OID_ANSIX962_EC_C2TNB191V1, 1417 "ANSI X9.62 elliptic curve c2tnb191v1", 1418 CKM_INVALID_MECHANISM, 1419 INVALID_CERT_EXTENSION), 1420 OD(ansiX962c2tnb191v2, SEC_OID_ANSIX962_EC_C2TNB191V2, 1421 "ANSI X9.62 elliptic curve c2tnb191v2", 1422 CKM_INVALID_MECHANISM, 1423 INVALID_CERT_EXTENSION), 1424 OD(ansiX962c2tnb191v3, SEC_OID_ANSIX962_EC_C2TNB191V3, 1425 "ANSI X9.62 elliptic curve c2tnb191v3", 1426 CKM_INVALID_MECHANISM, 1427 INVALID_CERT_EXTENSION), 1428 OD(ansiX962c2onb191v4, SEC_OID_ANSIX962_EC_C2ONB191V4, 1429 "ANSI X9.62 elliptic curve c2onb191v4", 1430 CKM_INVALID_MECHANISM, 1431 INVALID_CERT_EXTENSION), 1432 OD(ansiX962c2onb191v5, SEC_OID_ANSIX962_EC_C2ONB191V5, 1433 "ANSI X9.62 elliptic curve c2onb191v5", 1434 CKM_INVALID_MECHANISM, 1435 INVALID_CERT_EXTENSION), 1436 OD(ansiX962c2pnb208w1, SEC_OID_ANSIX962_EC_C2PNB208W1, 1437 "ANSI X9.62 elliptic curve c2pnb208w1", 1438 CKM_INVALID_MECHANISM, 1439 INVALID_CERT_EXTENSION), 1440 OD(ansiX962c2tnb239v1, SEC_OID_ANSIX962_EC_C2TNB239V1, 1441 "ANSI X9.62 elliptic curve c2tnb239v1", 1442 CKM_INVALID_MECHANISM, 1443 INVALID_CERT_EXTENSION), 1444 OD(ansiX962c2tnb239v2, SEC_OID_ANSIX962_EC_C2TNB239V2, 1445 "ANSI X9.62 elliptic curve c2tnb239v2", 1446 CKM_INVALID_MECHANISM, 1447 INVALID_CERT_EXTENSION), 1448 OD(ansiX962c2tnb239v3, SEC_OID_ANSIX962_EC_C2TNB239V3, 1449 "ANSI X9.62 elliptic curve c2tnb239v3", 1450 CKM_INVALID_MECHANISM, 1451 INVALID_CERT_EXTENSION), 1452 OD(ansiX962c2onb239v4, SEC_OID_ANSIX962_EC_C2ONB239V4, 1453 "ANSI X9.62 elliptic curve c2onb239v4", 1454 CKM_INVALID_MECHANISM, 1455 INVALID_CERT_EXTENSION), 1456 OD(ansiX962c2onb239v5, SEC_OID_ANSIX962_EC_C2ONB239V5, 1457 "ANSI X9.62 elliptic curve c2onb239v5", 1458 CKM_INVALID_MECHANISM, 1459 INVALID_CERT_EXTENSION), 1460 OD(ansiX962c2pnb272w1, SEC_OID_ANSIX962_EC_C2PNB272W1, 1461 "ANSI X9.62 elliptic curve c2pnb272w1", 1462 CKM_INVALID_MECHANISM, 1463 INVALID_CERT_EXTENSION), 1464 OD(ansiX962c2pnb304w1, SEC_OID_ANSIX962_EC_C2PNB304W1, 1465 "ANSI X9.62 elliptic curve c2pnb304w1", 1466 CKM_INVALID_MECHANISM, 1467 INVALID_CERT_EXTENSION), 1468 OD(ansiX962c2tnb359v1, SEC_OID_ANSIX962_EC_C2TNB359V1, 1469 "ANSI X9.62 elliptic curve c2tnb359v1", 1470 CKM_INVALID_MECHANISM, 1471 INVALID_CERT_EXTENSION), 1472 OD(ansiX962c2pnb368w1, SEC_OID_ANSIX962_EC_C2PNB368W1, 1473 "ANSI X9.62 elliptic curve c2pnb368w1", 1474 CKM_INVALID_MECHANISM, 1475 INVALID_CERT_EXTENSION), 1476 OD(ansiX962c2tnb431r1, SEC_OID_ANSIX962_EC_C2TNB431R1, 1477 "ANSI X9.62 elliptic curve c2tnb431r1", 1478 CKM_INVALID_MECHANISM, 1479 INVALID_CERT_EXTENSION), 1480 1481 /* SECG named elliptic curves (characterisitic two field) */ 1482 OD(secgECsect113r1, SEC_OID_SECG_EC_SECT113R1, 1483 "SECG elliptic curve sect113r1", 1484 CKM_INVALID_MECHANISM, 1485 INVALID_CERT_EXTENSION), 1486 OD(secgECsect113r2, SEC_OID_SECG_EC_SECT113R2, 1487 "SECG elliptic curve sect113r2", 1488 CKM_INVALID_MECHANISM, 1489 INVALID_CERT_EXTENSION), 1490 OD(secgECsect131r1, SEC_OID_SECG_EC_SECT131R1, 1491 "SECG elliptic curve sect131r1", 1492 CKM_INVALID_MECHANISM, 1493 INVALID_CERT_EXTENSION), 1494 OD(secgECsect131r2, SEC_OID_SECG_EC_SECT131R2, 1495 "SECG elliptic curve sect131r2", 1496 CKM_INVALID_MECHANISM, 1497 INVALID_CERT_EXTENSION), 1498 OD(secgECsect163k1, SEC_OID_SECG_EC_SECT163K1, 1499 "SECG elliptic curve sect163k1 (aka NIST K-163)", 1500 CKM_INVALID_MECHANISM, 1501 INVALID_CERT_EXTENSION), 1502 OD(secgECsect163r1, SEC_OID_SECG_EC_SECT163R1, 1503 "SECG elliptic curve sect163r1", 1504 CKM_INVALID_MECHANISM, 1505 INVALID_CERT_EXTENSION), 1506 OD(secgECsect163r2, SEC_OID_SECG_EC_SECT163R2, 1507 "SECG elliptic curve sect163r2 (aka NIST B-163)", 1508 CKM_INVALID_MECHANISM, 1509 INVALID_CERT_EXTENSION), 1510 OD(secgECsect193r1, SEC_OID_SECG_EC_SECT193R1, 1511 "SECG elliptic curve sect193r1", 1512 CKM_INVALID_MECHANISM, 1513 INVALID_CERT_EXTENSION), 1514 OD(secgECsect193r2, SEC_OID_SECG_EC_SECT193R2, 1515 "SECG elliptic curve sect193r2", 1516 CKM_INVALID_MECHANISM, 1517 INVALID_CERT_EXTENSION), 1518 OD(secgECsect233k1, SEC_OID_SECG_EC_SECT233K1, 1519 "SECG elliptic curve sect233k1 (aka NIST K-233)", 1520 CKM_INVALID_MECHANISM, 1521 INVALID_CERT_EXTENSION), 1522 OD(secgECsect233r1, SEC_OID_SECG_EC_SECT233R1, 1523 "SECG elliptic curve sect233r1 (aka NIST B-233)", 1524 CKM_INVALID_MECHANISM, 1525 INVALID_CERT_EXTENSION), 1526 OD(secgECsect239k1, SEC_OID_SECG_EC_SECT239K1, 1527 "SECG elliptic curve sect239k1", 1528 CKM_INVALID_MECHANISM, 1529 INVALID_CERT_EXTENSION), 1530 OD(secgECsect283k1, SEC_OID_SECG_EC_SECT283K1, 1531 "SECG elliptic curve sect283k1 (aka NIST K-283)", 1532 CKM_INVALID_MECHANISM, 1533 INVALID_CERT_EXTENSION), 1534 OD(secgECsect283r1, SEC_OID_SECG_EC_SECT283R1, 1535 "SECG elliptic curve sect283r1 (aka NIST B-283)", 1536 CKM_INVALID_MECHANISM, 1537 INVALID_CERT_EXTENSION), 1538 OD(secgECsect409k1, SEC_OID_SECG_EC_SECT409K1, 1539 "SECG elliptic curve sect409k1 (aka NIST K-409)", 1540 CKM_INVALID_MECHANISM, 1541 INVALID_CERT_EXTENSION), 1542 OD(secgECsect409r1, SEC_OID_SECG_EC_SECT409R1, 1543 "SECG elliptic curve sect409r1 (aka NIST B-409)", 1544 CKM_INVALID_MECHANISM, 1545 INVALID_CERT_EXTENSION), 1546 OD(secgECsect571k1, SEC_OID_SECG_EC_SECT571K1, 1547 "SECG elliptic curve sect571k1 (aka NIST K-571)", 1548 CKM_INVALID_MECHANISM, 1549 INVALID_CERT_EXTENSION), 1550 OD(secgECsect571r1, SEC_OID_SECG_EC_SECT571R1, 1551 "SECG elliptic curve sect571r1 (aka NIST B-571)", 1552 CKM_INVALID_MECHANISM, 1553 INVALID_CERT_EXTENSION), 1554 1555 OD(netscapeAOLScreenname, SEC_OID_NETSCAPE_AOLSCREENNAME, 1556 "AOL Screenname", CKM_INVALID_MECHANISM, 1557 INVALID_CERT_EXTENSION), 1558 1559 OD(x520SurName, SEC_OID_AVA_SURNAME, 1560 "X520 Title", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1561 OD(x520SerialNumber, SEC_OID_AVA_SERIAL_NUMBER, 1562 "X520 Serial Number", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1563 OD(x520StreetAddress, SEC_OID_AVA_STREET_ADDRESS, 1564 "X520 Street Address", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1565 OD(x520Title, SEC_OID_AVA_TITLE, 1566 "X520 Title", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1567 OD(x520PostalAddress, SEC_OID_AVA_POSTAL_ADDRESS, 1568 "X520 Postal Address", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1569 OD(x520PostalCode, SEC_OID_AVA_POSTAL_CODE, 1570 "X520 Postal Code", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1571 OD(x520PostOfficeBox, SEC_OID_AVA_POST_OFFICE_BOX, 1572 "X520 Post Office Box", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1573 OD(x520GivenName, SEC_OID_AVA_GIVEN_NAME, 1574 "X520 Given Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1575 OD(x520Initials, SEC_OID_AVA_INITIALS, 1576 "X520 Initials", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1577 OD(x520GenerationQualifier, SEC_OID_AVA_GENERATION_QUALIFIER, 1578 "X520 Generation Qualifier", 1579 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1580 OD(x520HouseIdentifier, SEC_OID_AVA_HOUSE_IDENTIFIER, 1581 "X520 House Identifier", 1582 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1583 OD(x520Pseudonym, SEC_OID_AVA_PSEUDONYM, 1584 "X520 Pseudonym", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1585 1586 /* More OIDs */ 1587 OD(pkixCAIssuers, SEC_OID_PKIX_CA_ISSUERS, 1588 "PKIX CA issuers access method", 1589 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1590 OD(pkcs9ExtensionRequest, SEC_OID_PKCS9_EXTENSION_REQUEST, 1591 "PKCS #9 Extension Request", 1592 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1593 1594 /* more ECC Signature Oids */ 1595 OD(ansix962SignatureRecommended, 1596 SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST, 1597 "X9.62 ECDSA signature with recommended digest", CKM_INVALID_MECHANISM, 1598 INVALID_CERT_EXTENSION), 1599 OD(ansix962SignatureSpecified, 1600 SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, 1601 "X9.62 ECDSA signature with specified digest", CKM_ECDSA, 1602 INVALID_CERT_EXTENSION), 1603 OD(ansix962SignaturewithSHA224Digest, 1604 SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE, 1605 "X9.62 ECDSA signature with SHA224", CKM_ECDSA_SHA224, 1606 INVALID_CERT_EXTENSION), 1607 OD(ansix962SignaturewithSHA256Digest, 1608 SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE, 1609 "X9.62 ECDSA signature with SHA256", CKM_ECDSA_SHA256, 1610 INVALID_CERT_EXTENSION), 1611 OD(ansix962SignaturewithSHA384Digest, 1612 SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE, 1613 "X9.62 ECDSA signature with SHA384", CKM_ECDSA_SHA384, 1614 INVALID_CERT_EXTENSION), 1615 OD(ansix962SignaturewithSHA512Digest, 1616 SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE, 1617 "X9.62 ECDSA signature with SHA512", CKM_ECDSA_SHA512, 1618 INVALID_CERT_EXTENSION), 1619 1620 /* More id-ce and id-pe OIDs from RFC 3280 */ 1621 OD(x509HoldInstructionCode, SEC_OID_X509_HOLD_INSTRUCTION_CODE, 1622 "CRL Hold Instruction Code", CKM_INVALID_MECHANISM, 1623 UNSUPPORTED_CERT_EXTENSION), 1624 OD(x509DeltaCRLIndicator, SEC_OID_X509_DELTA_CRL_INDICATOR, 1625 "Delta CRL Indicator", CKM_INVALID_MECHANISM, 1626 FAKE_SUPPORTED_CERT_EXTENSION), 1627 OD(x509IssuingDistributionPoint, SEC_OID_X509_ISSUING_DISTRIBUTION_POINT, 1628 "Issuing Distribution Point", CKM_INVALID_MECHANISM, 1629 FAKE_SUPPORTED_CERT_EXTENSION), 1630 OD(x509CertIssuer, SEC_OID_X509_CERT_ISSUER, 1631 "Certificate Issuer Extension", CKM_INVALID_MECHANISM, 1632 FAKE_SUPPORTED_CERT_EXTENSION), 1633 OD(x509FreshestCRL, SEC_OID_X509_FRESHEST_CRL, 1634 "Freshest CRL", CKM_INVALID_MECHANISM, 1635 UNSUPPORTED_CERT_EXTENSION), 1636 OD(x509InhibitAnyPolicy, SEC_OID_X509_INHIBIT_ANY_POLICY, 1637 "Inhibit Any Policy", CKM_INVALID_MECHANISM, 1638 FAKE_SUPPORTED_CERT_EXTENSION), 1639 OD(x509SubjectInfoAccess, SEC_OID_X509_SUBJECT_INFO_ACCESS, 1640 "Subject Info Access", CKM_INVALID_MECHANISM, 1641 UNSUPPORTED_CERT_EXTENSION), 1642 1643 /* Camellia algorithm OIDs */ 1644 OD(camellia128_CBC, SEC_OID_CAMELLIA_128_CBC, 1645 "CAMELLIA-128-CBC", CKM_CAMELLIA_CBC, INVALID_CERT_EXTENSION), 1646 OD(camellia192_CBC, SEC_OID_CAMELLIA_192_CBC, 1647 "CAMELLIA-192-CBC", CKM_CAMELLIA_CBC, INVALID_CERT_EXTENSION), 1648 OD(camellia256_CBC, SEC_OID_CAMELLIA_256_CBC, 1649 "CAMELLIA-256-CBC", CKM_CAMELLIA_CBC, INVALID_CERT_EXTENSION), 1650 1651 /* PKCS 5 v2 OIDS */ 1652 OD(pkcs5Pbkdf2, SEC_OID_PKCS5_PBKDF2, 1653 "PKCS #5 Password Based Key Derive Function v2 ", 1654 CKM_PKCS5_PBKD2, INVALID_CERT_EXTENSION), 1655 OD(pkcs5Pbes2, SEC_OID_PKCS5_PBES2, 1656 "PKCS #5 Password Based Encryption v2 ", 1657 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1658 OD(pkcs5Pbmac1, SEC_OID_PKCS5_PBMAC1, 1659 "PKCS #5 Password Based Authentication v1 ", 1660 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1661 OD(hmac_sha1, SEC_OID_HMAC_SHA1, "HMAC SHA-1", 1662 CKM_SHA_1_HMAC, INVALID_CERT_EXTENSION), 1663 OD(hmac_sha224, SEC_OID_HMAC_SHA224, "HMAC SHA-224", 1664 CKM_SHA224_HMAC, INVALID_CERT_EXTENSION), 1665 OD(hmac_sha256, SEC_OID_HMAC_SHA256, "HMAC SHA-256", 1666 CKM_SHA256_HMAC, INVALID_CERT_EXTENSION), 1667 OD(hmac_sha384, SEC_OID_HMAC_SHA384, "HMAC SHA-384", 1668 CKM_SHA384_HMAC, INVALID_CERT_EXTENSION), 1669 OD(hmac_sha512, SEC_OID_HMAC_SHA512, "HMAC SHA-512", 1670 CKM_SHA512_HMAC, INVALID_CERT_EXTENSION), 1671 1672 /* SIA extension OIDs */ 1673 OD(x509SIATimeStamping, SEC_OID_PKIX_TIMESTAMPING, 1674 "SIA Time Stamping", CKM_INVALID_MECHANISM, 1675 INVALID_CERT_EXTENSION), 1676 OD(x509SIACaRepository, SEC_OID_PKIX_CA_REPOSITORY, 1677 "SIA CA Repository", CKM_INVALID_MECHANISM, 1678 INVALID_CERT_EXTENSION), 1679 1680 OD(isoSHA1WithRSASignature, SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE, 1681 "ISO SHA-1 with RSA Signature", 1682 CKM_SHA1_RSA_PKCS, INVALID_CERT_EXTENSION), 1683 1684 /* SEED algorithm OIDs */ 1685 OD(seed_CBC, SEC_OID_SEED_CBC, 1686 "SEED-CBC", CKM_SEED_CBC, INVALID_CERT_EXTENSION), 1687 1688 OD(x509CertificatePoliciesAnyPolicy, SEC_OID_X509_ANY_POLICY, 1689 "Certificate Policies AnyPolicy", 1690 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1691 1692 OD(pkcs1RSAOAEPEncryption, SEC_OID_PKCS1_RSA_OAEP_ENCRYPTION, 1693 "PKCS #1 RSA-OAEP Encryption", CKM_RSA_PKCS_OAEP, 1694 INVALID_CERT_EXTENSION), 1695 1696 OD(pkcs1MGF1, SEC_OID_PKCS1_MGF1, 1697 "PKCS #1 MGF1 Mask Generation Function", CKM_INVALID_MECHANISM, 1698 INVALID_CERT_EXTENSION), 1699 1700 OD(pkcs1PSpecified, SEC_OID_PKCS1_PSPECIFIED, 1701 "PKCS #1 RSA-OAEP Explicitly Specified Encoding Parameters", 1702 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1703 1704 OD(pkcs1RSAPSSSignature, SEC_OID_PKCS1_RSA_PSS_SIGNATURE, 1705 "PKCS #1 RSA-PSS Signature", CKM_RSA_PKCS_PSS, 1706 INVALID_CERT_EXTENSION), 1707 1708 OD(pkcs1SHA224WithRSAEncryption, SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION, 1709 "PKCS #1 SHA-224 With RSA Encryption", CKM_SHA224_RSA_PKCS, 1710 INVALID_CERT_EXTENSION), 1711 1712 OD(sha224, SEC_OID_SHA224, "SHA-224", CKM_SHA224, INVALID_CERT_EXTENSION), 1713 1714 OD(evIncorporationLocality, SEC_OID_EV_INCORPORATION_LOCALITY, 1715 "Jurisdiction of Incorporation Locality Name", 1716 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1717 OD(evIncorporationState, SEC_OID_EV_INCORPORATION_STATE, 1718 "Jurisdiction of Incorporation State Name", 1719 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1720 OD(evIncorporationCountry, SEC_OID_EV_INCORPORATION_COUNTRY, 1721 "Jurisdiction of Incorporation Country Name", 1722 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1723 OD(x520BusinessCategory, SEC_OID_BUSINESS_CATEGORY, 1724 "Business Category", 1725 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1726 1727 OD(nistDSASignaturewithSHA224Digest, 1728 SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST, 1729 "DSA with SHA-224 Signature", 1730 CKM_DSA_SHA224, INVALID_CERT_EXTENSION), 1731 OD(nistDSASignaturewithSHA256Digest, 1732 SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST, 1733 "DSA with SHA-256 Signature", 1734 CKM_DSA_SHA256, INVALID_CERT_EXTENSION), 1735 OD(msExtendedKeyUsageTrustListSigning, 1736 SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING, 1737 "Microsoft Trust List Signing", 1738 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1739 OD(x520Name, SEC_OID_AVA_NAME, 1740 "X520 Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1741 1742 OD(aes128_GCM, SEC_OID_AES_128_GCM, 1743 "AES-128-GCM", CKM_AES_GCM, INVALID_CERT_EXTENSION), 1744 OD(aes192_GCM, SEC_OID_AES_192_GCM, 1745 "AES-192-GCM", CKM_AES_GCM, INVALID_CERT_EXTENSION), 1746 OD(aes256_GCM, SEC_OID_AES_256_GCM, 1747 "AES-256-GCM", CKM_AES_GCM, INVALID_CERT_EXTENSION), 1748 OD(idea_CBC, SEC_OID_IDEA_CBC, 1749 "IDEA_CBC", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1750 1751 ODE(SEC_OID_RC2_40_CBC, 1752 "RC2-40-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION), 1753 ODE(SEC_OID_DES_40_CBC, 1754 "DES-40-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION), 1755 ODE(SEC_OID_RC4_40, 1756 "RC4-40", CKM_RC4, INVALID_CERT_EXTENSION), 1757 ODE(SEC_OID_RC4_56, 1758 "RC4-56", CKM_RC4, INVALID_CERT_EXTENSION), 1759 ODE(SEC_OID_NULL_CIPHER, 1760 "NULL cipher", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1761 ODE(SEC_OID_HMAC_MD5, 1762 "HMAC-MD5", CKM_MD5_HMAC, INVALID_CERT_EXTENSION), 1763 ODE(SEC_OID_TLS_RSA, 1764 "TLS RSA key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1765 ODE(SEC_OID_TLS_DHE_RSA, 1766 "TLS DHE-RSA key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1767 ODE(SEC_OID_TLS_DHE_DSS, 1768 "TLS DHE-DSS key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1769 ODE(SEC_OID_TLS_DH_RSA, 1770 "TLS DH-RSA key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1771 ODE(SEC_OID_TLS_DH_DSS, 1772 "TLS DH-DSS key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1773 ODE(SEC_OID_TLS_DH_ANON, 1774 "TLS DH-ANON key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1775 ODE(SEC_OID_TLS_ECDHE_ECDSA, 1776 "TLS ECDHE-ECDSA key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1777 ODE(SEC_OID_TLS_ECDHE_RSA, 1778 "TLS ECDHE-RSA key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1779 ODE(SEC_OID_TLS_ECDH_ECDSA, 1780 "TLS ECDH-ECDSA key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1781 ODE(SEC_OID_TLS_ECDH_RSA, 1782 "TLS ECDH-RSA key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1783 ODE(SEC_OID_TLS_ECDH_ANON, 1784 "TLS ECDH-ANON key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1785 ODE(SEC_OID_TLS_RSA_EXPORT, 1786 "TLS RSA-EXPORT key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1787 ODE(SEC_OID_TLS_DHE_RSA_EXPORT, 1788 "TLS DHE-RSA-EXPORT key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1789 ODE(SEC_OID_TLS_DHE_DSS_EXPORT, 1790 "TLS DHE-DSS-EXPORT key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1791 ODE(SEC_OID_TLS_DH_RSA_EXPORT, 1792 "TLS DH-RSA-EXPORT key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1793 ODE(SEC_OID_TLS_DH_DSS_EXPORT, 1794 "TLS DH-DSS-EXPORT key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1795 ODE(SEC_OID_TLS_DH_ANON_EXPORT, 1796 "TLS DH-ANON-EXPORT key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1797 ODE(SEC_OID_APPLY_SSL_POLICY, 1798 "Apply SSL policy (pseudo-OID)", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1799 ODE(SEC_OID_CHACHA20_POLY1305, 1800 "ChaCha20-Poly1305", CKM_CHACHA20_POLY1305, INVALID_CERT_EXTENSION), 1801 1802 ODE(SEC_OID_TLS_ECDHE_PSK, 1803 "TLS ECHDE-PSK key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1804 ODE(SEC_OID_TLS_DHE_PSK, 1805 "TLS DHE-PSK key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1806 1807 ODE(SEC_OID_TLS_FFDHE_2048, 1808 "TLS FFDHE 2048-bit key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1809 ODE(SEC_OID_TLS_FFDHE_3072, 1810 "TLS FFDHE 3072-bit key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1811 ODE(SEC_OID_TLS_FFDHE_4096, 1812 "TLS FFDHE 4096-bit key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1813 ODE(SEC_OID_TLS_FFDHE_6144, 1814 "TLS FFDHE 6144-bit key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1815 ODE(SEC_OID_TLS_FFDHE_8192, 1816 "TLS FFDHE 8192-bit key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1817 ODE(SEC_OID_TLS_DHE_CUSTOM, 1818 "TLS DHE custom group key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1819 OD(curve25519, SEC_OID_CURVE25519, 1820 "Curve25519", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1821 ODE(SEC_OID_TLS13_KEA_ANY, 1822 "TLS 1.3 fake key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1823 1824 OD(x509ExtKeyUsageAnyUsage, SEC_OID_X509_ANY_EXT_KEY_USAGE, 1825 "Any Extended Key Usage", 1826 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1827 OD(pkixExtendedKeyUsageIPsecIKE, 1828 SEC_OID_EXT_KEY_USAGE_IPSEC_IKE, 1829 "IPsec IKE Certificate", 1830 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1831 OD(ipsecIKEEnd, 1832 SEC_OID_IPSEC_IKE_END, 1833 "IPsec IKE End", 1834 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1835 OD(ipsecIKEIntermediate, 1836 SEC_OID_IPSEC_IKE_INTERMEDIATE, 1837 "IPsec IKE Intermediate", 1838 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1839 OD(pkixExtendedKeyUsageIPsecEnd, 1840 SEC_OID_EXT_KEY_USAGE_IPSEC_END, 1841 "IPsec Tunnel", 1842 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1843 OD(pkixExtendedKeyUsageIPsecTunnel, 1844 SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL, 1845 "IPsec Tunnel", 1846 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1847 OD(pkixExtendedKeyUsageIPsecUser, 1848 SEC_OID_EXT_KEY_USAGE_IPSEC_USER, 1849 "IPsec User", 1850 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1851 1852 OD(sha3_224, SEC_OID_SHA3_224, "SHA3-224", CKM_SHA3_224, INVALID_CERT_EXTENSION), 1853 OD(sha3_256, SEC_OID_SHA3_256, "SHA3-256", CKM_SHA3_256, INVALID_CERT_EXTENSION), 1854 OD(sha3_384, SEC_OID_SHA3_384, "SHA3-384", CKM_SHA3_384, INVALID_CERT_EXTENSION), 1855 OD(sha3_512, SEC_OID_SHA3_512, "SHA3-512", CKM_SHA3_512, INVALID_CERT_EXTENSION), 1856 1857 OD(hmac_sha3_224, SEC_OID_HMAC_SHA3_224, "HMAC SHA3-224", CKM_SHA3_224_HMAC, INVALID_CERT_EXTENSION), 1858 OD(hmac_sha3_256, SEC_OID_HMAC_SHA3_256, "HMAC SHA3-256", CKM_SHA3_256_HMAC, INVALID_CERT_EXTENSION), 1859 OD(hmac_sha3_384, SEC_OID_HMAC_SHA3_384, "HMAC SHA3-384", CKM_SHA3_384_HMAC, INVALID_CERT_EXTENSION), 1860 OD(hmac_sha3_512, SEC_OID_HMAC_SHA3_512, "HMAC SHA3-512", CKM_SHA3_512_HMAC, INVALID_CERT_EXTENSION), 1861 1862 ODE(SEC_OID_XYBER768D00, 1863 "X25519+Kyber768 key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1864 1865 OD(ed25519Signature, SEC_OID_ED25519_SIGNATURE, "X9.62 EDDSA signature", CKM_EDDSA, 1866 INVALID_CERT_EXTENSION), 1867 1868 OD(ed25519PublicKey, SEC_OID_ED25519_PUBLIC_KEY, 1869 "X9.62 elliptic edwards curve public key", CKM_EC_EDWARDS_KEY_PAIR_GEN, INVALID_CERT_EXTENSION), 1870 1871 OD(dhSinglePassstdDHsha1kdfscheme, SEC_OID_DHSINGLEPASS_STDDH_SHA1KDF_SCHEME, 1872 "Eliptic Curve Diffie-Hellman Single Pass Standard with SHA1 KDF", CKM_ECDH1_DERIVE, 1873 INVALID_CERT_EXTENSION), 1874 OD(dhSinglePassstdDHsha224kdfscheme, SEC_OID_DHSINGLEPASS_STDDH_SHA224KDF_SCHEME, 1875 "Eliptic Curve Diffie-Hellman Single Pass Standard with SHA224 KDF", CKM_ECDH1_DERIVE, 1876 INVALID_CERT_EXTENSION), 1877 OD(dhSinglePassstdDHsha256kdfscheme, SEC_OID_DHSINGLEPASS_STDDH_SHA256KDF_SCHEME, 1878 "Eliptic Curve Diffie-Hellman Single Pass Standard with SHA256 KDF", CKM_ECDH1_DERIVE, 1879 INVALID_CERT_EXTENSION), 1880 OD(dhSinglePassstdDHsha384kdfscheme, SEC_OID_DHSINGLEPASS_STDDH_SHA384KDF_SCHEME, 1881 "Eliptic Curve Diffie-Hellman Single Pass Standard with SHA384 KDF", CKM_ECDH1_DERIVE, 1882 INVALID_CERT_EXTENSION), 1883 OD(dhSinglePassstdDHsha512kdfscheme, SEC_OID_DHSINGLEPASS_STDDH_SHA512KDF_SCHEME, 1884 "Eliptic Curve Diffie-Hellman Single Pass Standard with SHA512 KDF", CKM_ECDH1_DERIVE, 1885 INVALID_CERT_EXTENSION), 1886 OD(dhSinglePasscofactorDHsha1kdfscheme, SEC_OID_DHSINGLEPASS_COFACTORDH_SHA1KDF_SCHEME, 1887 "Eliptic Curve Diffie-Hellman Single Pass Cofactor with SHA1 KDF", CKM_ECDH1_COFACTOR_DERIVE, 1888 INVALID_CERT_EXTENSION), 1889 OD(dhSinglePasscofactorDHsha224kdfscheme, SEC_OID_DHSINGLEPASS_COFACTORDH_SHA224KDF_SCHEME, 1890 "Eliptic Curve Diffie-Hellman Single Pass Cofactor with SHA224 KDF", CKM_ECDH1_COFACTOR_DERIVE, 1891 INVALID_CERT_EXTENSION), 1892 OD(dhSinglePasscofactorDHsha256kdfscheme, SEC_OID_DHSINGLEPASS_COFACTORDH_SHA256KDF_SCHEME, 1893 "Eliptic Curve Diffie-Hellman Single Pass Cofactor with SHA256 KDF", CKM_ECDH1_COFACTOR_DERIVE, 1894 INVALID_CERT_EXTENSION), 1895 OD(dhSinglePasscofactorDHsha384kdfscheme, SEC_OID_DHSINGLEPASS_COFACTORDH_SHA384KDF_SCHEME, 1896 "Eliptic Curve Diffie-Hellman Single Pass Cofactor with SHA384 KDF", CKM_ECDH1_COFACTOR_DERIVE, 1897 INVALID_CERT_EXTENSION), 1898 OD(dhSinglePasscofactorDHsha512kdfscheme, SEC_OID_DHSINGLEPASS_COFACTORDH_SHA512KDF_SCHEME, 1899 "Eliptic Curve Diffie-Hellman Single Pass Cofactor with SHA512 KDF", CKM_ECDH1_COFACTOR_DERIVE, 1900 INVALID_CERT_EXTENSION), 1901 ODE(SEC_OID_RC2_64_CBC, "RC2-64-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION), 1902 ODE(SEC_OID_RC2_128_CBC, "RC2-128-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION), 1903 ODE(SEC_OID_ECDH_KEA, "ECDH", CKM_ECDH1_DERIVE, INVALID_CERT_EXTENSION), 1904 OD(x25519PublicKey, SEC_OID_X25519, 1905 "X25519 key exchange", CKM_EC_MONTGOMERY_KEY_PAIR_GEN, INVALID_CERT_EXTENSION), 1906 1907 ODE(SEC_OID_MLKEM768X25519, 1908 "X25519+ML-KEM-768 Hybrid key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1909 ODE(SEC_OID_TLS_REQUIRE_EMS, 1910 "TLS Require EMS", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1911 1912 OD(mlDsa44, SEC_OID_ML_DSA_44, "ML-DSA-44", CKM_ML_DSA, INVALID_CERT_EXTENSION), 1913 OD(mlDsa65, SEC_OID_ML_DSA_65, "ML-DSA-65", CKM_ML_DSA, INVALID_CERT_EXTENSION), 1914 OD(mlDsa87, SEC_OID_ML_DSA_87, "ML-DSA-87", CKM_ML_DSA, INVALID_CERT_EXTENSION), 1915 ODE(SEC_OID_SECP256R1MLKEM768, 1916 "SECP256R1+ML-KEM-768 Hybrid key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1917 ODE(SEC_OID_SECP384R1MLKEM1024, 1918 "SECP384R1+ML-KEM-1024 Hybrid key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), 1919 1920 }; 1921 1922 /* PRIVATE EXTENDED SECOID Table 1923 * This table is private. Its structure is opaque to the outside. 1924 * It is indexed by the same SECOidTag as the oids table above. 1925 * Every member of this struct must have accessor functions (set, get) 1926 * and those functions must operate by value, not by reference. 1927 * The addresses of the contents of this table must not be exposed 1928 * by the accessor functions. 1929 */ 1930 typedef struct privXOidStr { 1931 PRUint32 notPolicyFlags; /* ones complement of policy flags */ 1932 } privXOid; 1933 1934 static privXOid xOids[SEC_OID_TOTAL]; 1935 1936 /* 1937 * now the dynamic table. The dynamic table gets build at init time. 1938 * and conceivably gets modified if the user loads new crypto modules. 1939 * All this static data, and the allocated data to which it points, 1940 * is protected by a global reader/writer lock. 1941 * The c language guarantees that global and static data that is not 1942 * explicitly initialized will be initialized with zeros. If we 1943 * initialize it with zeros, the data goes into the initialized data 1944 * secment, and increases the size of the library. By leaving it 1945 * uninitialized, it is allocated in BSS, and does NOT increase the 1946 * library size. 1947 */ 1948 1949 typedef struct dynXOidStr { 1950 SECOidData data; 1951 privXOid priv; 1952 } dynXOid; 1953 1954 static NSSRWLock *dynOidLock; 1955 static PLArenaPool *dynOidPool; 1956 static PLHashTable *dynOidHash; 1957 static dynXOid **dynOidTable; /* not in the pool */ 1958 static int dynOidEntriesAllocated; 1959 static int dynOidEntriesUsed; 1960 1961 /* Creates NSSRWLock and dynOidPool at initialization time. 1962 */ 1963 static SECStatus 1964 secoid_InitDynOidData(void) 1965 { 1966 SECStatus rv = SECSuccess; 1967 1968 dynOidLock = NSSRWLock_New(1, "dynamic OID data"); 1969 if (!dynOidLock) { 1970 return SECFailure; /* Error code should already be set. */ 1971 } 1972 dynOidPool = PORT_NewArena(2048); 1973 if (!dynOidPool) { 1974 rv = SECFailure /* Error code should already be set. */; 1975 } 1976 return rv; 1977 } 1978 1979 /* Add oidData to hash table. Caller holds write lock dynOidLock. */ 1980 static SECStatus 1981 secoid_HashDynamicOiddata(const SECOidData *oid) 1982 { 1983 PLHashEntry *entry; 1984 1985 if (!dynOidHash) { 1986 dynOidHash = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare, 1987 PL_CompareValues, NULL, NULL); 1988 if (!dynOidHash) { 1989 return SECFailure; 1990 } 1991 } 1992 1993 entry = PL_HashTableAdd(dynOidHash, &oid->oid, (void *)oid); 1994 return entry ? SECSuccess : SECFailure; 1995 } 1996 1997 /* 1998 * Lookup a Dynamic OID. Dynamic OID's still change slowly, so it's 1999 * cheaper to rehash the table when it changes than it is to do the loop 2000 * each time. 2001 */ 2002 static SECOidData * 2003 secoid_FindDynamic(const SECItem *key) 2004 { 2005 SECOidData *ret = NULL; 2006 2007 NSSRWLock_LockRead(dynOidLock); 2008 if (dynOidHash) { 2009 ret = (SECOidData *)PL_HashTableLookup(dynOidHash, key); 2010 } 2011 NSSRWLock_UnlockRead(dynOidLock); 2012 if (ret == NULL) { 2013 PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID); 2014 } 2015 return ret; 2016 } 2017 2018 static dynXOid * 2019 secoid_FindDynamicByTag(SECOidTag tagnum) 2020 { 2021 dynXOid *dxo = NULL; 2022 int tagNumDiff; 2023 2024 if (tagnum < SEC_OID_TOTAL) { 2025 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2026 return NULL; 2027 } 2028 tagNumDiff = tagnum - SEC_OID_TOTAL; 2029 2030 NSSRWLock_LockRead(dynOidLock); 2031 if (dynOidTable != NULL && 2032 tagNumDiff < dynOidEntriesUsed) { 2033 dxo = dynOidTable[tagNumDiff]; 2034 } 2035 NSSRWLock_UnlockRead(dynOidLock); 2036 if (dxo == NULL) { 2037 PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID); 2038 } 2039 return dxo; 2040 } 2041 2042 /* 2043 * This routine is thread safe now. 2044 */ 2045 SECOidTag 2046 SECOID_AddEntry(const SECOidData *src) 2047 { 2048 dynXOid *ddst; 2049 SECOidData *dst; 2050 dynXOid **table; 2051 SECOidTag ret = SEC_OID_UNKNOWN; 2052 SECStatus rv; 2053 int used; 2054 2055 if (!src || !src->oid.data || !src->oid.len || 2056 !src->desc || !strlen(src->desc)) { 2057 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2058 return ret; 2059 } 2060 if (src->supportedExtension != INVALID_CERT_EXTENSION && 2061 src->supportedExtension != UNSUPPORTED_CERT_EXTENSION && 2062 src->supportedExtension != SUPPORTED_CERT_EXTENSION) { 2063 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2064 return ret; 2065 } 2066 2067 if (!dynOidPool || !dynOidLock) { 2068 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); 2069 return ret; 2070 } 2071 2072 NSSRWLock_LockWrite(dynOidLock); 2073 2074 /* We've just acquired the write lock, and now we call FindOIDTag 2075 ** which will acquire and release the read lock. NSSRWLock has been 2076 ** designed to allow this very case without deadlock. This approach 2077 ** makes the test for the presence of the OID, and the subsequent 2078 ** addition of the OID to the table a single atomic write operation. 2079 */ 2080 ret = SECOID_FindOIDTag(&src->oid); 2081 if (ret != SEC_OID_UNKNOWN) { 2082 /* we could return an error here, but I chose not to do that. 2083 ** This way, if we add an OID to the shared library's built in 2084 ** list of OIDs in some future release, and that OID is the same 2085 ** as some OID that a program has been adding, the program will 2086 ** not suddenly stop working. 2087 */ 2088 goto done; 2089 } 2090 2091 table = dynOidTable; 2092 used = dynOidEntriesUsed; 2093 2094 if (used + 1 > dynOidEntriesAllocated) { 2095 dynXOid **newTable; 2096 int newTableEntries = dynOidEntriesAllocated + 16; 2097 2098 newTable = (dynXOid **)PORT_Realloc(table, 2099 newTableEntries * sizeof(dynXOid *)); 2100 if (newTable == NULL) { 2101 goto done; 2102 } 2103 dynOidTable = table = newTable; 2104 dynOidEntriesAllocated = newTableEntries; 2105 } 2106 2107 /* copy oid structure */ 2108 ddst = PORT_ArenaZNew(dynOidPool, dynXOid); 2109 if (!ddst) { 2110 goto done; 2111 } 2112 dst = &ddst->data; 2113 rv = SECITEM_CopyItem(dynOidPool, &dst->oid, &src->oid); 2114 if (rv != SECSuccess) { 2115 goto done; 2116 } 2117 dst->desc = PORT_ArenaStrdup(dynOidPool, src->desc); 2118 if (!dst->desc) { 2119 goto done; 2120 } 2121 dst->offset = (SECOidTag)(used + SEC_OID_TOTAL); 2122 dst->mechanism = src->mechanism; 2123 dst->supportedExtension = src->supportedExtension; 2124 /* disable S/MIME for new oids by default */ 2125 ddst->priv.notPolicyFlags = NSS_USE_ALG_IN_SMIME; 2126 2127 rv = secoid_HashDynamicOiddata(dst); 2128 if (rv == SECSuccess) { 2129 table[used++] = ddst; 2130 dynOidEntriesUsed = used; 2131 ret = dst->offset; 2132 } 2133 done: 2134 NSSRWLock_UnlockWrite(dynOidLock); 2135 return ret; 2136 } 2137 2138 /* normal static table processing */ 2139 static PLHashTable *oidhash = NULL; 2140 static PLHashTable *oidmechhash = NULL; 2141 2142 static PLHashNumber 2143 secoid_HashNumber(const void *key) 2144 { 2145 return (PLHashNumber)((char *)key - (char *)NULL); 2146 } 2147 2148 #define DEF_FLAGS (NSS_USE_ALG_IN_CERT_SIGNATURE | NSS_USE_ALG_IN_SSL_KX | \ 2149 NSS_USE_ALG_IN_SMIME | NSS_USE_ALG_IN_PKCS12) 2150 static void 2151 handleHashAlgSupport(char *envVal) 2152 { 2153 char *myVal = PORT_Strdup(envVal); /* Get a copy we can alter */ 2154 char *arg = myVal; 2155 2156 while (arg && *arg) { 2157 char *nextArg = PL_strpbrk(arg, ";"); 2158 PRUint32 notEnable; 2159 2160 if (nextArg) { 2161 while (*nextArg == ';') { 2162 *nextArg++ = '\0'; 2163 } 2164 } 2165 notEnable = (*arg == '-') ? (DEF_FLAGS) : 0; 2166 if ((*arg == '+' || *arg == '-') && *++arg) { 2167 int i; 2168 2169 for (i = 1; i < SEC_OID_TOTAL; i++) { 2170 if (oids[i].desc && strstr(arg, oids[i].desc)) { 2171 xOids[i].notPolicyFlags = notEnable | 2172 (xOids[i].notPolicyFlags & ~(DEF_FLAGS)); 2173 } 2174 } 2175 } 2176 arg = nextArg; 2177 } 2178 PORT_Free(myVal); /* can handle NULL argument OK */ 2179 } 2180 2181 SECStatus 2182 SECOID_Init(void) 2183 { 2184 PLHashEntry *entry; 2185 const SECOidData *oid; 2186 SECOidTag i; 2187 char *envVal; 2188 2189 #define NSS_VERSION_VARIABLE __nss_util_version 2190 #include "verref.h" 2191 2192 if (oidhash) { 2193 return SECSuccess; /* already initialized */ 2194 } 2195 2196 /* xyber768d00 must be enabled explicitly */ 2197 xOids[SEC_OID_XYBER768D00].notPolicyFlags = NSS_USE_ALG_IN_SSL_KX; 2198 2199 if (!PR_GetEnvSecure("NSS_ALLOW_WEAK_SIGNATURE_ALG")) { 2200 /* initialize any policy flags that are disabled by default */ 2201 xOids[SEC_OID_MD2].notPolicyFlags = ~NSS_USE_ALG_IN_PKCS12_DECRYPT; 2202 xOids[SEC_OID_MD4].notPolicyFlags = ~NSS_USE_ALG_IN_PKCS12_DECRYPT; 2203 xOids[SEC_OID_MD5].notPolicyFlags = ~NSS_USE_ALG_IN_PKCS12_DECRYPT; 2204 xOids[SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION].notPolicyFlags = ~0; 2205 xOids[SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION].notPolicyFlags = ~0; 2206 xOids[SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION].notPolicyFlags = ~0; 2207 xOids[SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC].notPolicyFlags = ~NSS_USE_ALG_IN_PKCS12_DECRYPT; 2208 xOids[SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC].notPolicyFlags = ~NSS_USE_ALG_IN_PKCS12_DECRYPT; 2209 } 2210 2211 /* turn off NSS_USE_POLICY_IN_SSL by default */ 2212 xOids[SEC_OID_APPLY_SSL_POLICY].notPolicyFlags = NSS_USE_POLICY_IN_SSL; 2213 /* turn off TLS REQUIRE EMS by default */ 2214 xOids[SEC_OID_TLS_REQUIRE_EMS].notPolicyFlags = ~0; 2215 2216 envVal = PR_GetEnvSecure("NSS_HASH_ALG_SUPPORT"); 2217 if (envVal) 2218 handleHashAlgSupport(envVal); 2219 2220 if (secoid_InitDynOidData() != SECSuccess) { 2221 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2222 PORT_Assert(0); /* this function should never fail */ 2223 return SECFailure; 2224 } 2225 2226 oidhash = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare, 2227 PL_CompareValues, NULL, NULL); 2228 oidmechhash = PL_NewHashTable(0, secoid_HashNumber, PL_CompareValues, 2229 PL_CompareValues, NULL, NULL); 2230 2231 if (!oidhash || !oidmechhash) { 2232 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2233 PORT_Assert(0); /*This function should never fail. */ 2234 return (SECFailure); 2235 } 2236 2237 for (i = 0; i < SEC_OID_TOTAL; i++) { 2238 oid = &oids[i]; 2239 PORT_Assert(oid->offset == i); 2240 entry = PL_HashTableAdd(oidhash, &oid->oid, (void *)oid); 2241 2242 if (entry == NULL) { 2243 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2244 PORT_Assert(0); /*This function should never fail. */ 2245 return (SECFailure); 2246 } 2247 2248 if (oid->mechanism != CKM_INVALID_MECHANISM) { 2249 entry = PL_HashTableAdd(oidmechhash, 2250 (void *)(uintptr_t)oid->mechanism, (void *)oid); 2251 if (entry == NULL) { 2252 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2253 PORT_Assert(0); /* This function should never fail. */ 2254 return (SECFailure); 2255 } 2256 } 2257 } 2258 2259 PORT_Assert(i == SEC_OID_TOTAL); 2260 /* finally, clear S/MIME from the policy oids. If no one turns on any 2261 * S/MIME policies after this, then S/MIME will enable the traditional 2262 * algs when it initializes */ 2263 (void)NSS_SetAlgorithmPolicyAll(0, NSS_USE_ALG_IN_SMIME); 2264 2265 return (SECSuccess); 2266 } 2267 2268 SECOidData * 2269 SECOID_FindOIDByMechanism(unsigned long mechanism) 2270 { 2271 SECOidData *ret; 2272 2273 PR_ASSERT(oidmechhash != NULL); 2274 if (oidmechhash == NULL && SECOID_Init() != SECSuccess) { 2275 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2276 return NULL; 2277 } 2278 2279 ret = PL_HashTableLookupConst(oidmechhash, (void *)(uintptr_t)mechanism); 2280 if (ret == NULL) { 2281 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2282 } 2283 2284 return (ret); 2285 } 2286 2287 SECOidData * 2288 SECOID_FindOID(const SECItem *oid) 2289 { 2290 SECOidData *ret; 2291 2292 PR_ASSERT(oidhash != NULL); 2293 if (oidhash == NULL && SECOID_Init() != SECSuccess) { 2294 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2295 return NULL; 2296 } 2297 2298 if ((oid == NULL) || (oid->data == NULL)) { 2299 PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID); 2300 return NULL; 2301 } 2302 2303 ret = PL_HashTableLookupConst(oidhash, oid); 2304 if (ret == NULL) { 2305 ret = secoid_FindDynamic(oid); 2306 if (ret == NULL) { 2307 PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID); 2308 } 2309 } 2310 return (ret); 2311 } 2312 2313 SECOidTag 2314 SECOID_FindOIDTag(const SECItem *oid) 2315 { 2316 SECOidData *oiddata; 2317 2318 oiddata = SECOID_FindOID(oid); 2319 if (oiddata == NULL) { 2320 return SEC_OID_UNKNOWN; 2321 } 2322 2323 return oiddata->offset; 2324 } 2325 2326 /* This really should return const. */ 2327 SECOidData * 2328 SECOID_FindOIDByTag(SECOidTag tagnum) 2329 { 2330 if (tagnum >= SEC_OID_TOTAL) { 2331 return (SECOidData *)secoid_FindDynamicByTag(tagnum); 2332 } 2333 2334 PORT_Assert((unsigned int)tagnum < SEC_OID_TOTAL); 2335 return (SECOidData *)(&oids[tagnum]); 2336 } 2337 2338 PRBool 2339 SECOID_KnownCertExtenOID(SECItem *extenOid) 2340 { 2341 SECOidData *oidData; 2342 2343 oidData = SECOID_FindOID(extenOid); 2344 if (oidData == (SECOidData *)NULL) 2345 return (PR_FALSE); 2346 return ((oidData->supportedExtension == SUPPORTED_CERT_EXTENSION) ? PR_TRUE : PR_FALSE); 2347 } 2348 2349 const char * 2350 SECOID_FindOIDTagDescription(SECOidTag tagnum) 2351 { 2352 const SECOidData *oidData = SECOID_FindOIDByTag(tagnum); 2353 return oidData ? oidData->desc : 0; 2354 } 2355 2356 /* 2357 * find an oidtag from a descriptive string. Our tools 2358 * have implemented this several times, so it's time to make 2359 * it available to everyone. 2360 */ 2361 SECOidTag 2362 SECOID_FindOIDTagFromDescripton(const char *cipherString, size_t len, 2363 PRBool isCipher) 2364 { 2365 SECOidTag tag; 2366 SECOidData *oid; 2367 2368 if (len == (size_t)-1) { 2369 len = PORT_Strlen(cipherString); 2370 } 2371 /* future enhancement: accept dotted oid spec? */ 2372 for (tag = 1; (oid = SECOID_FindOIDByTag(tag)) != NULL; tag++) { 2373 /* only interested in oids that we actually understand */ 2374 if (isCipher && oid->mechanism == CKM_INVALID_MECHANISM) { 2375 continue; 2376 } 2377 if (PORT_Strncasecmp(oid->desc, cipherString, len) != 0) { 2378 continue; 2379 } 2380 return tag; 2381 } 2382 return SEC_OID_UNKNOWN; 2383 } 2384 2385 /* return the total tags, including dymamic tags. NOTE: there is 2386 * a race between getting this value and adding new tags, but that 2387 * race is only a race against seeing the newly added tags, total 2388 * tags only ever grows, so it's safe to use the output of this in 2389 * loops. */ 2390 SECOidTag 2391 SECOID_GetTotalTags(void) 2392 { 2393 SECOidTag total; 2394 2395 /* get the lock to make sure we don't catch and inconsistant value 2396 * for dynOidEntriesUsed. */ 2397 NSSRWLock_LockRead(dynOidLock); 2398 total = SEC_OID_TOTAL + dynOidEntriesUsed; 2399 NSSRWLock_UnlockRead(dynOidLock); 2400 return total; 2401 } 2402 2403 /* --------- opaque extended OID table accessor functions ---------------*/ 2404 /* 2405 * Any of these functions may return SECSuccess or SECFailure with the error 2406 * code set to SEC_ERROR_UNKNOWN_OBJECT_TYPE if the SECOidTag is out of range. 2407 */ 2408 2409 static privXOid * 2410 secoid_FindXOidByTag(SECOidTag tagnum) 2411 { 2412 if (tagnum >= SEC_OID_TOTAL) { 2413 dynXOid *dxo = secoid_FindDynamicByTag(tagnum); 2414 return (dxo ? &dxo->priv : NULL); 2415 } 2416 2417 PORT_Assert((unsigned int)tagnum < SEC_OID_TOTAL); 2418 return &xOids[tagnum]; 2419 } 2420 2421 /* The Get function outputs the 32-bit value associated with the SECOidTag. 2422 * Flags bits are the NSS_USE_ALG_ #defines in "secoidt.h". 2423 * Default value for any algorithm is 0xffffffff (enabled for all purposes). 2424 * No value is output if function returns SECFailure. 2425 */ 2426 SECStatus 2427 NSS_GetAlgorithmPolicy(SECOidTag tag, PRUint32 *pValue) 2428 { 2429 privXOid *pxo = secoid_FindXOidByTag(tag); 2430 if (!pxo) 2431 return SECFailure; 2432 if (!pValue) { 2433 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2434 return SECFailure; 2435 } 2436 *pValue = ~(pxo->notPolicyFlags); 2437 return SECSuccess; 2438 } 2439 2440 static PRBool nss_policy_locked = PR_FALSE; 2441 2442 /* The Set function modifies the stored value according to the following 2443 * algorithm: 2444 * policy[tag] = (policy[tag] & ~clearBits) | setBits; 2445 */ 2446 SECStatus 2447 NSS_SetAlgorithmPolicy(SECOidTag tag, PRUint32 setBits, PRUint32 clearBits) 2448 { 2449 privXOid *pxo = secoid_FindXOidByTag(tag); 2450 PRUint32 policyFlags; 2451 if (!pxo) 2452 return SECFailure; 2453 2454 if (nss_policy_locked) { 2455 PORT_SetError(SEC_ERROR_POLICY_LOCKED); 2456 return SECFailure; 2457 } 2458 /* The stored policy flags are the ones complement of the flags as 2459 * seen by the user. This is not atomic, but these changes should 2460 * be done rarely, e.g. at initialization time. 2461 */ 2462 policyFlags = ~(pxo->notPolicyFlags); 2463 policyFlags = (policyFlags & ~clearBits) | setBits; 2464 pxo->notPolicyFlags = ~policyFlags; 2465 return SECSuccess; 2466 } 2467 2468 /* set or clear a particular policy algorithm for all oids */ 2469 SECStatus 2470 NSS_SetAlgorithmPolicyAll(PRUint32 setBits, PRUint32 clearBits) 2471 { 2472 SECOidTag tag; 2473 /* call this once,not once per loop */ 2474 SECOidTag lastTag = SECOID_GetTotalTags(); 2475 2476 for (tag = SEC_OID_UNKNOWN; tag < lastTag; tag++) { 2477 SECStatus rv = NSS_SetAlgorithmPolicy(tag, setBits, clearBits); 2478 /* there are only 2 reasons SetAlgorithmPolicy can fail: 2479 * 1) we passed an invalid tag, or 2) policy is locked. 2480 * The first case should not happen because we are only looping 2481 * through known good tags. In the second case, we will always fail, 2482 * so there is no point continuing our loop */ 2483 if (rv != SECSuccess) { 2484 return rv; 2485 } 2486 } 2487 return SECSuccess; 2488 } 2489 2490 /* return all the tags whose valueBits match the mask. */ 2491 SECStatus 2492 NSS_GetAlgorithmPolicyAll(PRUint32 maskBits, PRUint32 valueBits, 2493 SECOidTag **outTags, int *outTagCount) 2494 { 2495 SECOidTag *tags; 2496 SECOidTag tag; 2497 /* call this once,not once per loop */ 2498 SECOidTag lastTag = SECOID_GetTotalTags(); 2499 int tagCount, tableSize; 2500 2501 tags = *outTags = NULL; 2502 tableSize = tagCount = *outTagCount = 0; 2503 2504 for (tag = SEC_OID_UNKNOWN; tag < lastTag; tag++) { 2505 PRUint32 policy; 2506 SECStatus rv = NSS_GetAlgorithmPolicy(tag, &policy); 2507 if (rv != SECSuccess) { 2508 goto loser; 2509 } 2510 if ((policy & maskBits) == valueBits) { 2511 /* add found tag to the table, grow it if necessary */ 2512 if (tagCount >= tableSize) { 2513 int newTableSize = tableSize + 16; 2514 SECOidTag *newTags; 2515 newTags = (SECOidTag *)PORT_Realloc(tags, 2516 newTableSize * 2517 sizeof(SECOidTag)); 2518 if (newTags == NULL) { 2519 goto loser; 2520 } 2521 tags = newTags; 2522 tableSize = newTableSize; 2523 } 2524 tags[tagCount++] = tag; 2525 } 2526 } 2527 *outTags = tags; 2528 *outTagCount = tagCount; 2529 return SECSuccess; 2530 loser: 2531 if (tags) { 2532 PORT_Free(tags); 2533 } 2534 /* failing function already called PORT_SetError() */ 2535 return SECFailure; 2536 } 2537 2538 /* Get the state of nss_policy_locked */ 2539 PRBool 2540 NSS_IsPolicyLocked(void) 2541 { 2542 return nss_policy_locked; 2543 } 2544 2545 /* Once the policy is locked, it can't be unlocked */ 2546 void 2547 NSS_LockPolicy(void) 2548 { 2549 nss_policy_locked = PR_TRUE; 2550 } 2551 2552 /* --------- END OF opaque extended OID table accessor functions ---------*/ 2553 2554 /* for now, this is only used in a single place, so it can remain static */ 2555 static PRBool parentForkedAfterC_Initialize; 2556 2557 #define SKIP_AFTER_FORK(x) \ 2558 if (!parentForkedAfterC_Initialize) \ 2559 x 2560 2561 /* 2562 * free up the oid tables. 2563 */ 2564 SECStatus 2565 SECOID_Shutdown(void) 2566 { 2567 if (oidhash) { 2568 PL_HashTableDestroy(oidhash); 2569 oidhash = NULL; 2570 } 2571 if (oidmechhash) { 2572 PL_HashTableDestroy(oidmechhash); 2573 oidmechhash = NULL; 2574 } 2575 /* Have to handle the case where the lock was created, but 2576 ** the pool wasn't. 2577 ** I'm not going to attempt to create the lock, just to protect 2578 ** the destruction of data that probably isn't initialized anyway. 2579 */ 2580 if (dynOidLock) { 2581 SKIP_AFTER_FORK(NSSRWLock_LockWrite(dynOidLock)); 2582 if (dynOidHash) { 2583 PL_HashTableDestroy(dynOidHash); 2584 dynOidHash = NULL; 2585 } 2586 if (dynOidPool) { 2587 PORT_FreeArena(dynOidPool, PR_FALSE); 2588 dynOidPool = NULL; 2589 } 2590 if (dynOidTable) { 2591 PORT_Free(dynOidTable); 2592 dynOidTable = NULL; 2593 } 2594 dynOidEntriesAllocated = 0; 2595 dynOidEntriesUsed = 0; 2596 2597 SKIP_AFTER_FORK(NSSRWLock_UnlockWrite(dynOidLock)); 2598 SKIP_AFTER_FORK(NSSRWLock_Destroy(dynOidLock)); 2599 dynOidLock = NULL; 2600 } else { 2601 /* Since dynOidLock doesn't exist, then all the data it protects 2602 ** should be uninitialized. We'll check that (in DEBUG builds), 2603 ** and then make sure it is so, in case NSS is reinitialized. 2604 */ 2605 PORT_Assert(!dynOidHash && !dynOidPool && !dynOidTable && 2606 !dynOidEntriesAllocated && !dynOidEntriesUsed); 2607 dynOidHash = NULL; 2608 dynOidPool = NULL; 2609 dynOidTable = NULL; 2610 dynOidEntriesAllocated = 0; 2611 dynOidEntriesUsed = 0; 2612 } 2613 /* we are trashing the old policy state now, also reenable changing 2614 * the policy as well */ 2615 nss_policy_locked = PR_FALSE; 2616 memset(xOids, 0, sizeof xOids); 2617 return SECSuccess; 2618 } 2619 2620 void 2621 UTIL_SetForkState(PRBool forked) 2622 { 2623 parentForkedAfterC_Initialize = forked; 2624 } 2625 2626 const char * 2627 NSSUTIL_GetVersion(void) 2628 { 2629 return NSSUTIL_VERSION; 2630 }